Analysis
- max time kernel: 43s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 01/12/2022, 00:44
Static task: static1

Behavioral task: behavioral1
- Sample: 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
- Resource: win10v2004-20221111-en
General
- Target: 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
- Size: 23KB
- MD5: fd3763ea464b31578a91261b514b6951
- SHA1: 18b608db6051f8ef18011dbb60b9faaeadf1cdb2
- SHA256: 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51
- SHA512: 0685f7e0348f40fbea5dcac32af004d6eb170016513213ab8e1212d0e15241e66e09e97552810eadb96b6bb7d6f89e1454c7809840c25f4cf6dc76b2314a9ce3
- SSDEEP: 384:lEg0i747wFs/7LIXujQ7RgvDXLiti2rUms+oCESvaJlMCN+cBnlrwms73AJ5ERx:loU48Fs/f61VgLbiY2dLop7xBnl5fe
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
  description | ioc | process
  File created | C:\Windows\SysWOW64\drivers\lklosd.sys | rundll32.exe

Executes dropped EXE (1 IoC)
  pid | process
  472 | koauolte.exe

Sets file execution options in registry (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thunder5.exe | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thunder5.exe\Debugger = "svchost.exe" | rundll32.exe

Deletes itself (1 IoC)
  pid | process
  524 | cmd.exe

Loads dropped DLL (2 IoCs)
  pid | process
  1168 | 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
  1168 | 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360ary = "C:\\Windows\\system32\\koauolte.exe" | 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | koauolte.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360ary = "C:\\Windows\\system32\\koauolte.exe" | koauolte.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe

Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\koauolte.exe | 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
  File opened for modification | C:\Windows\SysWOW64\koauolte.exe | 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe

Drops file in Windows directory (1 IoC)
  description | ioc | process
  File created | C:\Windows\jiocs.dll | 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | process
  2044 | 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
  2044 | 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
  2044 | 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
  2044 | 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
  2012 | rundll32.exe
  1168 | 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
  472 | koauolte.exe

Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid | process | procid_target | occurrences
  PID 2044 wrote to memory of 2012 | 2044 | 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe | 27 | 7
  PID 2044 wrote to memory of 1168 | 2044 | 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe | 28 | 4
  PID 1168 wrote to memory of 472 | 1168 | 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe | 29 | 4
  PID 472 wrote to memory of 1772 | 472 | koauolte.exe | 30 | 4
  PID 1168 wrote to memory of 524 | 1168 | 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe | 31 | 4
Processes

C:\Users\Admin\AppData\Local\Temp\9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2044

  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\jiocs.dll MyEntryPoint
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Suspicious behavior: EnumeratesProcesses
    PID: 2012

  C:\Users\Admin\AppData\Local\Temp\9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1168

    C:\Windows\SysWOW64\koauolte.exe
      Command line: C:\Windows\system32\koauolte.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 472

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c del C:\Windows\system32\koauolte.exe
        PID: 1772

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c del C:\Users\Admin\AppData\Local\Temp\9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51.exe
      - Deletes itself
      PID: 524
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 23KB
  MD5: fd3763ea464b31578a91261b514b6951
  SHA1: 18b608db6051f8ef18011dbb60b9faaeadf1cdb2
  SHA256: 9233e84e9c522b9a3b2a6d9ae8ed2feec24db90fb4b1ae1692e491a83979ba51
  SHA512: 0685f7e0348f40fbea5dcac32af004d6eb170016513213ab8e1212d0e15241e66e09e97552810eadb96b6bb7d6f89e1454c7809840c25f4cf6dc76b2314a9ce3
- Filesize: 44KB
  MD5: a06b31bd249a788da3a89e372feb6901
  SHA1: dc71def7a37fe1935152389f38193d3287a06859
  SHA256: e01deac57d68a7a76fcd4247f7d8dd063f73046b77e4deae2c58194a203b9d5b
  SHA512: 07eaa6beedc1b170feabe8d5f277b429fe49851c98031db9d4b901a6ec3e0d44d1210ec435156371c7f1d034a5a1a5540a978dae8cf89dd060ce6aca5a41ddcc