
Analysis

  • max time kernel
    43s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/12/2022, 00:44

General

  • Target

    9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe

  • Size

    23KB

  • MD5

    fd3763ea464b31578a91261b514b6951

  • SHA1

    18b608db6051f8ef18011dbb60b9faaeadf1cdb2

  • SHA256

    9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51

  • SHA512

    0685f7e0348f40fbea5dcac32af004d6eb170016513213ab8e1212d0e15241e66e09e97552810eadb96b6bb7d6f89e1454c7809840c25f4cf6dc76b2314a9ce3

  • SSDEEP

    384:lEg0i747wFs/7LIXujQ7RgvDXLiti2rUms+oCESvaJlMCN+cBnlrwms73AJ5ERx:loU48Fs/f61VgLbiY2dLop7xBnl5fe

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
    "C:\Users\Admin\AppData\Local\Temp\9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\jiocs.dll MyEntryPoint
      2⤵
      • Drops file in Drivers directory
      • Sets file execution options in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2012
    • C:\Users\Admin\AppData\Local\Temp\9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
      C:\Users\Admin\AppData\Local\Temp\9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\SysWOW64\koauolte.exe
        C:\Windows\system32\koauolte.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:472
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c del C:\Windows\system32\koauolte.exe
          4⤵
            PID:1772
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c del C:\Users\Admin\AppData\Local\Temp\9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
          3⤵
          • Deletes itself
          PID:524

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Windows\SysWOW64\koauolte.exe

      Filesize

      23KB

      MD5

      fd3763ea464b31578a91261b514b6951

      SHA1

      18b608db6051f8ef18011dbb60b9faaeadf1cdb2

      SHA256

      9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51

      SHA512

      0685f7e0348f40fbea5dcac32af004d6eb170016513213ab8e1212d0e15241e66e09e97552810eadb96b6bb7d6f89e1454c7809840c25f4cf6dc76b2314a9ce3

    • C:\Windows\jiocs.dll

      Filesize

      44KB

      MD5

      a06b31bd249a788da3a89e372feb6901

      SHA1

      dc71def7a37fe1935152389f38193d3287a06859

      SHA256

      e01deac57d68a7a76fcd4247f7d8dd063f73046b77e4deae2c58194a203b9d5b

      SHA512

      07eaa6beedc1b170feabe8d5f277b429fe49851c98031db9d4b901a6ec3e0d44d1210ec435156371c7f1d034a5a1a5540a978dae8cf89dd060ce6aca5a41ddcc

    • \Windows\SysWOW64\koauolte.exe

      Filesize

      23KB

      MD5

      fd3763ea464b31578a91261b514b6951

      SHA1

      18b608db6051f8ef18011dbb60b9faaeadf1cdb2

      SHA256

      9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51

      SHA512

      0685f7e0348f40fbea5dcac32af004d6eb170016513213ab8e1212d0e15241e66e09e97552810eadb96b6bb7d6f89e1454c7809840c25f4cf6dc76b2314a9ce3

    • memory/2044-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

      Filesize

      8KB