Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

d064228c41...db.exe

windows7-x64

10

d064228c41...db.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    52s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 23:39 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d064228c4138fbebb897dd0d74a69450ae58f1240ac9a33be7bb8e211f87a7db.exe

  • Size

    316KB

  • MD5

    8aa3ee839270cb28d05534f3fd5721d2

  • SHA1

    be496410a16b7bd22d04c5234cfb10c0f00c3514

  • SHA256

    d064228c4138fbebb897dd0d74a69450ae58f1240ac9a33be7bb8e211f87a7db

  • SHA512

    52ef0db49cdf4a3e2f43d910e170afdb12568a8d31f6c6a7987b7d99730983e99e744f2d3c80e8efed20ed57986d0eb57a2836a6a270cd4f5aebae0178ba82b0

  • SSDEEP

    3072:VZJwhpF3SpWufu/muESamFi5eLb532qRgzqRe/aT4E1KZnBmaNtDvJRZ8Ng0ykdi:VZ43jb532qRmqRe/aT4EYDmaNtNRKNi

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d064228c4138fbebb897dd0d74a69450ae58f1240ac9a33be7bb8e211f87a7db.exe
    "C:\Users\Admin\AppData\Local\Temp\d064228c4138fbebb897dd0d74a69450ae58f1240ac9a33be7bb8e211f87a7db.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:364
    • C:\Users\Admin\koeafi.exe
      "C:\Users\Admin\koeafi.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1868

Network

  • flag-unknown
    DNS
    ns1.helpupdates.biz
    d064228c4138fbebb897dd0d74a69450ae58f1240ac9a33be7bb8e211f87a7db.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.helpupdates.biz
    IN A
    Response
  • flag-unknown
    DNS
    ns1.helpupdates.biz
    d064228c4138fbebb897dd0d74a69450ae58f1240ac9a33be7bb8e211f87a7db.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.helpupdates.biz
    IN A
    Response
  • flag-unknown
    DNS
    ns1.helpupdates.net
    d064228c4138fbebb897dd0d74a69450ae58f1240ac9a33be7bb8e211f87a7db.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.helpupdates.net
    IN A
    Response
  • flag-unknown
    DNS
    ns1.helpupdates.com
    d064228c4138fbebb897dd0d74a69450ae58f1240ac9a33be7bb8e211f87a7db.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.helpupdates.com
    IN A
    Response
  • flag-unknown
    DNS
    ns1.helpupdates.org
    d064228c4138fbebb897dd0d74a69450ae58f1240ac9a33be7bb8e211f87a7db.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.helpupdates.org
    IN A
    Response
  • flag-unknown
    DNS
    ns1.helpupdates.info
    d064228c4138fbebb897dd0d74a69450ae58f1240ac9a33be7bb8e211f87a7db.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.helpupdates.info
    IN A
    Response
No results found
  • 8.8.8.8:53
    ns1.helpupdates.biz
    dns
    d064228c4138fbebb897dd0d74a69450ae58f1240ac9a33be7bb8e211f87a7db.exe
    130 B
     254 B
     2
    2

    DNS Request

    ns1.helpupdates.biz

    DNS Request

    ns1.helpupdates.biz

  • 8.8.8.8:53
    ns1.helpupdates.net
    dns
    d064228c4138fbebb897dd0d74a69450ae58f1240ac9a33be7bb8e211f87a7db.exe
    65 B
     138 B
     1
    1

    DNS Request

    ns1.helpupdates.net

  • 8.8.8.8:53
    ns1.helpupdates.com
    dns
    d064228c4138fbebb897dd0d74a69450ae58f1240ac9a33be7bb8e211f87a7db.exe
    65 B
     133 B
     1
    1

    DNS Request

    ns1.helpupdates.com

  • 8.8.8.8:53
    ns1.helpupdates.org
    dns
    d064228c4138fbebb897dd0d74a69450ae58f1240ac9a33be7bb8e211f87a7db.exe
    65 B
     147 B
     1
    1

    DNS Request

    ns1.helpupdates.org

  • 8.8.8.8:53
    ns1.helpupdates.info
    dns
    d064228c4138fbebb897dd0d74a69450ae58f1240ac9a33be7bb8e211f87a7db.exe
    66 B
     145 B
     1
    1

    DNS Request

    ns1.helpupdates.info

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\koeafi.exe
    Filesize

    316KB

    MD5

    709c8dff4f21aa188fb7ef4eaf00ce63

    SHA1

    4d094a1851cae643638b280b4a094874959e8754

    SHA256

    968dfe6e4cde87200a59efe818ee54290f0d45969bbb6eb853b3453b99d3248f

    SHA512

    eb0e69bbb59bb5073f5b60a56ce1ba72d74046912787b63dcc7ab9433b7fe60ae2d7e103dea3e87f36e3b04d7ff7f2a0109f797723a75e61e7d47ea0de8d3e48

    Download Submit

  • C:\Users\Admin\koeafi.exe
    Filesize

    316KB

    MD5

    709c8dff4f21aa188fb7ef4eaf00ce63

    SHA1

    4d094a1851cae643638b280b4a094874959e8754

    SHA256

    968dfe6e4cde87200a59efe818ee54290f0d45969bbb6eb853b3453b99d3248f

    SHA512

    eb0e69bbb59bb5073f5b60a56ce1ba72d74046912787b63dcc7ab9433b7fe60ae2d7e103dea3e87f36e3b04d7ff7f2a0109f797723a75e61e7d47ea0de8d3e48

    Download Submit

  • \Users\Admin\koeafi.exe
    Filesize

    316KB

    MD5

    709c8dff4f21aa188fb7ef4eaf00ce63

    SHA1

    4d094a1851cae643638b280b4a094874959e8754

    SHA256

    968dfe6e4cde87200a59efe818ee54290f0d45969bbb6eb853b3453b99d3248f

    SHA512

    eb0e69bbb59bb5073f5b60a56ce1ba72d74046912787b63dcc7ab9433b7fe60ae2d7e103dea3e87f36e3b04d7ff7f2a0109f797723a75e61e7d47ea0de8d3e48

    Download Submit

  • \Users\Admin\koeafi.exe
    Filesize

    316KB

    MD5

    709c8dff4f21aa188fb7ef4eaf00ce63

    SHA1

    4d094a1851cae643638b280b4a094874959e8754

    SHA256

    968dfe6e4cde87200a59efe818ee54290f0d45969bbb6eb853b3453b99d3248f

    SHA512

    eb0e69bbb59bb5073f5b60a56ce1ba72d74046912787b63dcc7ab9433b7fe60ae2d7e103dea3e87f36e3b04d7ff7f2a0109f797723a75e61e7d47ea0de8d3e48

    Download Submit

  • memory/364-56-0x0000000076681000-0x0000000076683000-memory.dmp

    Filesize

    8KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.