Analysis

  • max time kernel
    151s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/12/2022, 23:46

General

  • Target

    33585757bf506c4f9eba3434233bf8f336fcd2d3cef8feb1c74814cdf315c609.exe

  • Size

    136KB

  • MD5

    ad9583c06fae5b3cad9a013515aa49ee

  • SHA1

    1011b36333c7d2680dbdd6e5ee98ed41659d91bc

  • SHA256

    33585757bf506c4f9eba3434233bf8f336fcd2d3cef8feb1c74814cdf315c609

  • SHA512

    7dc95ec84415de8ede7e19c9aa10d2621bad0dfac97b4f8f069f2866010f6545485106db3721e04888149fe3f0b7ffa3c17563d5ccd35db440884bf205800fad

  • SSDEEP

    1536:RJXfqRm+BhRK1mH2GijPEUbaxnvdWkVqSP3PKh9pGw93mW9RcGwh+8hcXZDuS8Hx:70WEUbaxvN3wzUh2XZDutcHdVmn8+mo

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33585757bf506c4f9eba3434233bf8f336fcd2d3cef8feb1c74814cdf315c609.exe
    "C:\Users\Admin\AppData\Local\Temp\33585757bf506c4f9eba3434233bf8f336fcd2d3cef8feb1c74814cdf315c609.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\vaeyuf.exe
      "C:\Users\Admin\vaeyuf.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:932

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\vaeyuf.exe

    Filesize

    136KB

    MD5

    a0c488cde4b3f364912fc2f7bf8a9ac7

    SHA1

    fc6f7b00071adae86f3699ce224914b99f3859fe

    SHA256

    e503b997b26a87396e54ad22a76a216eaf7f1f29f5d829ebc400e0b529775e4a

    SHA512

    19aed629010594a9acd1f6d1c55fe11c306c418705578b746c7c1e9b510f1173938e485f6c5ba4592fea935d3a68adcc4a3d92e4d5a0bc4cfd9a63abb6c1e8b1

  • \Users\Admin\vaeyuf.exe

    Filesize

    136KB

    MD5

    a0c488cde4b3f364912fc2f7bf8a9ac7

    SHA1

    fc6f7b00071adae86f3699ce224914b99f3859fe

    SHA256

    e503b997b26a87396e54ad22a76a216eaf7f1f29f5d829ebc400e0b529775e4a

    SHA512

    19aed629010594a9acd1f6d1c55fe11c306c418705578b746c7c1e9b510f1173938e485f6c5ba4592fea935d3a68adcc4a3d92e4d5a0bc4cfd9a63abb6c1e8b1

  • memory/1980-56-0x00000000756B1000-0x00000000756B3000-memory.dmp

    Filesize

    8KB