Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    189s
  • max time network
    78s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/11/2022, 16:34

General

  • Target

    e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe

  • Size

    248KB

  • MD5

    57f0412f08760330c2a2ac2a341b90e0

  • SHA1

    d6aca870cc491c1284c0ac566512d6719fd86b8b

  • SHA256

    e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38

  • SHA512

    bd6b5b1fc475d8c91daa3c7aae86e7a3a4d025f6e14afc8a212cb13a0cd71c39f5f3ca0142cee1852842f6ad0a3aed7e1b80e9ddffb4c4eef33eca35862667c6

  • SSDEEP

    3072:+R4XzdJvRlFD1yPBYEmaHtGG2gqZ+/9A+JRjKY5Md41gfLX:P/h1yPptGG2gqZ+FfKqDs

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe
    "C:\Users\Admin\AppData\Local\Temp\e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Users\Admin\zuixauz.exe
      "C:\Users\Admin\zuixauz.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1576

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\zuixauz.exe

    Filesize

    248KB

    MD5

    2ea1b838d581fd3df0ad88521b6bc4f5

    SHA1

    99cd9b30de13d4cdaf34804a1ffa883bc0b48318

    SHA256

    62948b775afdf917484f4412c580855a685f0ef6706866575ac3571805d8a3b5

    SHA512

    42cfb717a94d0d6695b101b9252ccd737f527acb2427e05cd4bc2ac6e3c928e50235978a211c6d0441088a3d2925fb60cd18f0d81a926b7bf63f4b124be2dfad

  • \Users\Admin\zuixauz.exe

    Filesize

    248KB

    MD5

    2ea1b838d581fd3df0ad88521b6bc4f5

    SHA1

    99cd9b30de13d4cdaf34804a1ffa883bc0b48318

    SHA256

    62948b775afdf917484f4412c580855a685f0ef6706866575ac3571805d8a3b5

    SHA512

    42cfb717a94d0d6695b101b9252ccd737f527acb2427e05cd4bc2ac6e3c928e50235978a211c6d0441088a3d2925fb60cd18f0d81a926b7bf63f4b124be2dfad

  • memory/1716-56-0x0000000076041000-0x0000000076043000-memory.dmp

    Filesize

    8KB