Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

cf0f6a60ac...7a.exe

windows7-x64

8

cf0f6a60ac...7a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    62s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 07:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a.exe

  • Size

    42KB

  • MD5

    c6b81c7fb7d688711923a3774432f42d

  • SHA1

    a4df01899ea43820b1661c57175019dfd6e602a3

  • SHA256

    cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a

  • SHA512

    9f6f830745ff0d1125d94ac54ed8e0851660ff37142798706c13af6aec854e2e5590d2e5749f01ea629867a506b896bb63ce8fc9fc4cab12a6154b6bf07961a1

  • SSDEEP

    768:uBUaZmvRRaO52tjS+YC5tZvx0HRVzJ1gFqDhgpVmcLek/c3Lqyu9usvSKvQkv:uBc6GC5bpMMuCuCek/c3LqbEWvQkv

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 6 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a.exe
    "C:\Users\Admin\AppData\Local\Temp\cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" C:\Windows\system32\SafeSearch.dll /u /s
      2⤵
        PID:916
      • C:\windows\SysWOW64\hdnzcucu.exe
        "C:\windows\system32\hdnzcucu.exe" -kill c:\users\admin\appdata\local\temp\cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a.exe /install
        2⤵
        • Executes dropped EXE
        • Deletes itself
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1064
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" C:\Windows\system32\SafeSearch.dll /u /s
          3⤵
            PID:1992
          • C:\windows\SysWOW64\hdnzcucu.exe
            "C:\windows\system32\hdnzcucu.exe" -kill c:\windows\syswow64\hdnzcucu.exe /install /install
            3⤵
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1716
            • C:\Windows\SysWOW64\regsvr32.exe
              "C:\Windows\system32\regsvr32.exe" C:\Windows\system32\SafeSearch.dll /u /s
              4⤵
                PID:1212

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\hdnzcucu.exe
          Filesize

          42KB

          MD5

          c6b81c7fb7d688711923a3774432f42d

          SHA1

          a4df01899ea43820b1661c57175019dfd6e602a3

          SHA256

          cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a

          SHA512

          9f6f830745ff0d1125d94ac54ed8e0851660ff37142798706c13af6aec854e2e5590d2e5749f01ea629867a506b896bb63ce8fc9fc4cab12a6154b6bf07961a1

          Download Submit

        • C:\Windows\SysWOW64\hdnzcucu.exe
          Filesize

          42KB

          MD5

          c6b81c7fb7d688711923a3774432f42d

          SHA1

          a4df01899ea43820b1661c57175019dfd6e602a3

          SHA256

          cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a

          SHA512

          9f6f830745ff0d1125d94ac54ed8e0851660ff37142798706c13af6aec854e2e5590d2e5749f01ea629867a506b896bb63ce8fc9fc4cab12a6154b6bf07961a1

          Download Submit

        • \??\c:\windows\SysWOW64\hdnzcucu.exe
          Filesize

          42KB

          MD5

          c6b81c7fb7d688711923a3774432f42d

          SHA1

          a4df01899ea43820b1661c57175019dfd6e602a3

          SHA256

          cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a

          SHA512

          9f6f830745ff0d1125d94ac54ed8e0851660ff37142798706c13af6aec854e2e5590d2e5749f01ea629867a506b896bb63ce8fc9fc4cab12a6154b6bf07961a1

          Download Submit

        • \Windows\SysWOW64\hdnzcucu.exe
          Filesize

          42KB

          MD5

          c6b81c7fb7d688711923a3774432f42d

          SHA1

          a4df01899ea43820b1661c57175019dfd6e602a3

          SHA256

          cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a

          SHA512

          9f6f830745ff0d1125d94ac54ed8e0851660ff37142798706c13af6aec854e2e5590d2e5749f01ea629867a506b896bb63ce8fc9fc4cab12a6154b6bf07961a1

          Download Submit

        • \Windows\SysWOW64\hdnzcucu.exe
          Filesize

          42KB

          MD5

          c6b81c7fb7d688711923a3774432f42d

          SHA1

          a4df01899ea43820b1661c57175019dfd6e602a3

          SHA256

          cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a

          SHA512

          9f6f830745ff0d1125d94ac54ed8e0851660ff37142798706c13af6aec854e2e5590d2e5749f01ea629867a506b896bb63ce8fc9fc4cab12a6154b6bf07961a1

          Download Submit

        • \Windows\SysWOW64\hdnzcucu.exe
          Filesize

          42KB

          MD5

          c6b81c7fb7d688711923a3774432f42d

          SHA1

          a4df01899ea43820b1661c57175019dfd6e602a3

          SHA256

          cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a

          SHA512

          9f6f830745ff0d1125d94ac54ed8e0851660ff37142798706c13af6aec854e2e5590d2e5749f01ea629867a506b896bb63ce8fc9fc4cab12a6154b6bf07961a1

          Download Submit

        • \Windows\SysWOW64\hdnzcucu.exe
          Filesize

          42KB

          MD5

          c6b81c7fb7d688711923a3774432f42d

          SHA1

          a4df01899ea43820b1661c57175019dfd6e602a3

          SHA256

          cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a

          SHA512

          9f6f830745ff0d1125d94ac54ed8e0851660ff37142798706c13af6aec854e2e5590d2e5749f01ea629867a506b896bb63ce8fc9fc4cab12a6154b6bf07961a1

          Download Submit

        • \Windows\SysWOW64\hdnzcucu.exe
          Filesize

          42KB

          MD5

          c6b81c7fb7d688711923a3774432f42d

          SHA1

          a4df01899ea43820b1661c57175019dfd6e602a3

          SHA256

          cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a

          SHA512

          9f6f830745ff0d1125d94ac54ed8e0851660ff37142798706c13af6aec854e2e5590d2e5749f01ea629867a506b896bb63ce8fc9fc4cab12a6154b6bf07961a1

          Download Submit

        • \Windows\SysWOW64\hdnzcucu.exe
          Filesize

          42KB

          MD5

          c6b81c7fb7d688711923a3774432f42d

          SHA1

          a4df01899ea43820b1661c57175019dfd6e602a3

          SHA256

          cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a

          SHA512

          9f6f830745ff0d1125d94ac54ed8e0851660ff37142798706c13af6aec854e2e5590d2e5749f01ea629867a506b896bb63ce8fc9fc4cab12a6154b6bf07961a1

          Download Submit

        • memory/1508-54-0x0000000076871000-0x0000000076873000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1508-60-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1716-75-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1716-76-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download