Analysis
- max time kernel: 196s
- max time network: 106s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 02/12/2022, 19:23
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 61c2d956abd3ae0e7da01f83c91b64db39ab1de3b92dcf10b3a22305591f61f0.exe
  - Resource: win7-20221111-en

Behavioral task
- behavioral2
  - Sample: 61c2d956abd3ae0e7da01f83c91b64db39ab1de3b92dcf10b3a22305591f61f0.exe
  - Resource: win10v2004-20221111-en
General
- Target: 61c2d956abd3ae0e7da01f83c91b64db39ab1de3b92dcf10b3a22305591f61f0.exe
- Size: 124KB
- MD5: f9cf85c1a37d6e24ab38e63c0c398272
- SHA1: 4ccbffeca674ab347780daa81924071d13683f9d
- SHA256: 61c2d956abd3ae0e7da01f83c91b64db39ab1de3b92dcf10b3a22305591f61f0
- SHA512: 75a07021444247d2a794fe75eb82e320fa348d56992489eb223a4b4fce603812f7715327b2bc361d9f4ecb5f3456ff50d0f2e8bda7f31248f3c2e49c13401ffa
- SSDEEP: 1536:6TEShwR+uBxeDtMYHa27J14ltxporZ45iMNeG0h/y:kEShwR+keV6gJ1uCt45eq
Malware Config
Signatures

- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 61c2d956abd3ae0e7da01f83c91b64db39ab1de3b92dcf10b3a22305591f61f0.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | toovoug.exe

- Executes dropped EXE (1 IoCs)

  pid | Process
  1420 | toovoug.exe

- Loads dropped DLL (2 IoCs)

  pid | Process
  1360 | 61c2d956abd3ae0e7da01f83c91b64db39ab1de3b92dcf10b3a22305591f61f0.exe
  1360 | 61c2d956abd3ae0e7da01f83c91b64db39ab1de3b92dcf10b3a22305591f61f0.exe

- Adds Run key to start application (2 TTPs, 51 IoCs)

  All entries below are under the key \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run (abbreviated to Run\ in the ioc column).

  description | ioc | Process
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /H" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /i" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /X" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /e" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /B" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /o" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /U" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /v" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /n" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /b" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /C" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /I" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /t" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /q" | toovoug.exe
  Key created | Run\ | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /l" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /h" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /O" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /c" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /d" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /k" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /a" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /f" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /Z" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /r" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /j" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /G" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /N" | toovoug.exe
  Key created | Run\ | 61c2d956abd3ae0e7da01f83c91b64db39ab1de3b92dcf10b3a22305591f61f0.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /J" | 61c2d956abd3ae0e7da01f83c91b64db39ab1de3b92dcf10b3a22305591f61f0.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /M" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /m" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /u" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /D" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /x" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /W" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /w" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /g" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /J" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /E" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /A" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /R" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /s" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /P" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /Y" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /K" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /y" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /L" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /T" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /S" | toovoug.exe
  Set value (str) | Run\toovoug = "C:\\Users\\Admin\\toovoug.exe /V" | toovoug.exe

- Enumerates physical storage devices (1 TTPs)

  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)

  pid | Process
  1360 | 61c2d956abd3ae0e7da01f83c91b64db39ab1de3b92dcf10b3a22305591f61f0.exe (1 entry)
  1420 | toovoug.exe (the remaining 63 entries, all identical)

- Suspicious use of SetWindowsHookEx (2 IoCs)

  pid | Process
  1360 | 61c2d956abd3ae0e7da01f83c91b64db39ab1de3b92dcf10b3a22305591f61f0.exe
  1420 | toovoug.exe

- Suspicious use of WriteProcessMemory (4 IoCs)

  description | pid | Process | procid_target
  PID 1360 wrote to memory of 1420 | 1360 | 61c2d956abd3ae0e7da01f83c91b64db39ab1de3b92dcf10b3a22305591f61f0.exe | 28
  (the same row is reported 4 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\61c2d956abd3ae0e7da01f83c91b64db39ab1de3b92dcf10b3a22305591f61f0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\61c2d956abd3ae0e7da01f83c91b64db39ab1de3b92dcf10b3a22305591f61f0.exe"
   PID: 1360
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\toovoug.exe (child of PID 1360)
      Command line: "C:\Users\Admin\toovoug.exe"
      PID: 1420
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Downloads

The following file entry appears four times in the report with identical hashes:
- Filesize: 124KB
- MD5: 0f9ec2d56411a3ca69470576ef4c12d2
- SHA1: 3ef297b2972a7005b1052d4c2d434bd227d64eef
- SHA256: e336de3c5d5c971fb83106f9e275cd30b21d42f0ffc3755883ba4b9c7f0735ce
- SHA512: 0218f22baa08331520678452c53f6f9f33192268a81a524c1125f6b26a6faad1ce14d5716b96c4b06b9b601f83c130b24dd2b7c15a1ea2eef5574b3db61c9186