Analysis
- max time kernel: 185s
- max time network: 60s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 02/12/2022, 00:43
Static task
- static1
Behavioral task
- behavioral1
  Sample: 31aa22b8b18dcbb1e6ee684e766e5e24990323a1552abede768881747208473c.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: 31aa22b8b18dcbb1e6ee684e766e5e24990323a1552abede768881747208473c.exe
  Resource: win10v2004-20220812-en
General
- Target: 31aa22b8b18dcbb1e6ee684e766e5e24990323a1552abede768881747208473c.exe
- Size: 200KB
- MD5: 2b0a69238729fba54f3fb3d201466160
- SHA1: a17a47aac0b0c22bcdfdf06c99161824e44bc11b
- SHA256: 31aa22b8b18dcbb1e6ee684e766e5e24990323a1552abede768881747208473c
- SHA512: a6e0893ce3cb4c0d07dc172aab6c871f96f19dae2ed38f93f77b85e84eba6103f63db85830fa5ce8dcea62806723b98c8435975b10c3c79bea13651f6c824deb
- SSDEEP: 3072:nCATo/0YxZa0tQ9nLHbB9WPliBs2HWWEakGJm9uhP:nCFTa4QxL7B9WPli+yWWEazNl
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 31aa22b8b18dcbb1e6ee684e766e5e24990323a1552abede768881747208473c.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ylwam.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  1700 | ylwam.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  976 | 31aa22b8b18dcbb1e6ee684e766e5e24990323a1552abede768881747208473c.exe
  976 | 31aa22b8b18dcbb1e6ee684e766e5e24990323a1552abede768881747208473c.exe
- Adds Run key to start application (2 TTPs, 29 IoCs)
  All entries below are under the key \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run; the ioc column shows the value name and data relative to that key.
  description | ioc | Process
  Key created | \Run\ | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /j" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /z" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /a" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /p" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /l" | ylwam.exe
  Key created | \Run\ | 31aa22b8b18dcbb1e6ee684e766e5e24990323a1552abede768881747208473c.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /s" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /c" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /g" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /y" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /i" | 31aa22b8b18dcbb1e6ee684e766e5e24990323a1552abede768881747208473c.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /u" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /m" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /w" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /e" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /d" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /o" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /k" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /v" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /b" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /n" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /h" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /x" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /f" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /q" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /t" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /i" | ylwam.exe
  Set value (str) | ylwam = "C:\\Users\\Admin\\ylwam.exe /r" | ylwam.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  976 | 31aa22b8b18dcbb1e6ee684e766e5e24990323a1552abede768881747208473c.exe (1 entry)
  1700 | ylwam.exe (63 identical entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  976 | 31aa22b8b18dcbb1e6ee684e766e5e24990323a1552abede768881747208473c.exe
  1700 | ylwam.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 976 wrote to memory of 1700 | 976 | 31aa22b8b18dcbb1e6ee684e766e5e24990323a1552abede768881747208473c.exe | 28 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\31aa22b8b18dcbb1e6ee684e766e5e24990323a1552abede768881747208473c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\31aa22b8b18dcbb1e6ee684e766e5e24990323a1552abede768881747208473c.exe"
  PID: 976
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\ylwam.exe
    Command line: "C:\Users\Admin\ylwam.exe"
    PID: 1700
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 200KB
MD5: 1a5d832c2ed248c20cab6c655189616b
SHA1: ea66d5d39decc66a0bbf0762b22a6df836194d84
SHA256: 32c1f8f3f6080a058c479491b065bfa5944c37464d073c1700cd63572d38ad21
SHA512: e221781b78b2229294e64865d0205063b1d9f364da39e0ad9d60d6d2821150624392c5e64c1c677eabc118a505685f2c0c2b8c56d51f52a48763017f7368543d