Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 151s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29/11/2022, 17:23
Static task: static1
Behavioral task: behavioral1
- Sample: 9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3.exe
- Resource: win10v2004-20221111-en
General
- Target: 9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3.exe
- Size: 200KB
- MD5: df80a50dd5348230451d512f1c43c21d
- SHA1: c52c7ad5ad61733af6df571bae0297b11836099d
- SHA256: 9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3
- SHA512: 5fe96cecba3702d8322b79e11c8901e8c0f1712980183f1490426bc17964284310262e1df62e3d3a05b96230e874afc7b4c5662e366a85ce3b7da8a875e9ec7d
- SSDEEP: 1536:MWKgsj6RfSJ1tx1xCzxNy3tQ9CW5EZWHakMwP9W6uXN993ZNxtFnqlGcNskVatM7:Fy6RfSJG0tQ9nLHbB9WF478dDVBm4bgP
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tiuhen.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1736 | tiuhen.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1760 | 9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3.exe
  1760 | 9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3.exe
- Adds Run key to start application (2 TTPs, 29 IoCs)
  All keys below are under \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run (abbreviated as Run).
  description | ioc | Process
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /x" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /h" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /r" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /e" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /y" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /j" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /a" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /i" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /f" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /l" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /t" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /k" | 9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /d" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /p" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /z" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /n" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /c" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /m" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /w" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /b" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /s" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /u" | tiuhen.exe
  Key created | Run\ | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /v" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /k" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /g" | tiuhen.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /o" | tiuhen.exe
  Key created | Run\ | 9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3.exe
  Set value (str) | Run\tiuhen = "C:\\Users\\Admin\\tiuhen.exe /q" | tiuhen.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1760 | 9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3.exe (1 entry)
  1736 | tiuhen.exe (repeated for all remaining entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1760 | 9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3.exe
  1736 | tiuhen.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1760 wrote to memory of 1736 | 1760 | 9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3.exe | 28
  PID 1760 wrote to memory of 1736 | 1760 | 9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3.exe | 28
  PID 1760 wrote to memory of 1736 | 1760 | 9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3.exe | 28
  PID 1760 wrote to memory of 1736 | 1760 | 9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3.exe (PID 1760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e8bbec2a2950b0c1659f86a1c2ac6b5f877dd0da5d23bd37557fdd2f73eb4a3.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\tiuhen.exe (PID 1736)
    Command line: "C:\Users\Admin\tiuhen.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Downloads
- Dropped file (4 identical entries)
  Filesize: 200KB
  MD5: 75aa4716188ab4ed3db72fd32da4061b
  SHA1: 5fd002b6b646980bfbc78f2067891e1987edf84c
  SHA256: d5ac1e74d396a4c7c44a1098de2d176651e500c3137345ad48a72d6361a096d5
  SHA512: ff4f2f7d9f7286ec21ab257e166e6c0b56f03c23137b34e1292188cff3763699ffa939ac654264913f5e5c672b2c1b428ca650735a93e10af06cf360c7ef9075