Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

9eed1ea810...5a.exe

windows7-x64

10

9eed1ea810...5a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    243s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 12:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe

  • Size

    189KB

  • MD5

    fa1708db7d7d13c8a84c6fe88b9f75b5

  • SHA1

    cccaab060b85af3f0e51c06e342d64e4e2bc5c67

  • SHA256

    9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a

  • SHA512

    1533d7e13c24a669c7920097d38b53d325a6f0785741c6ad559ca807669bfb6675cfcf75d6782df59d3d475f42058a2537a8d468a6da55290531e8d02a2bcf12

  • SSDEEP

    3072:rimsXXK9HRTOeriRfP6pXfSb0dspqc5oY0htVFAHT11Ual21Cxcs0HKAH057kyJM:riMmXRH6pXfSb0ceR/VFAHh1kgcs0HWq

Score
10/10
aspackv2persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 1 IoCs
  • Drops startup file 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
    "C:\Users\Admin\AppData\Local\Temp\9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Drops startup file
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:1660

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\desktop.ini.exe
    Filesize

    190KB

    MD5

    7ae4a6dc3b9c107e8c20c5827cff0f9d

    SHA1

    3cb10c9c540e926f000fe32cd8c871e4beba652d

    SHA256

    428336320f2a71b5c921d17fa6b3ea9df6be3d9ab3592a96a13c6d19305d104b

    SHA512

    73a67fe68769176af3468bc5f1ff0d89e4db5e3b109ddd6d8be14052d741dee4331cb2be98486000d610e903edcdf0deb6c41d972a8f079ece9342b20c40b550

    Download Submit

  • C:\AutoRun.exe
    Filesize

    189KB

    MD5

    fa1708db7d7d13c8a84c6fe88b9f75b5

    SHA1

    cccaab060b85af3f0e51c06e342d64e4e2bc5c67

    SHA256

    9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a

    SHA512

    1533d7e13c24a669c7920097d38b53d325a6f0785741c6ad559ca807669bfb6675cfcf75d6782df59d3d475f42058a2537a8d468a6da55290531e8d02a2bcf12

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    950B

    MD5

    96f6c874673a958ffbaf2fc79c83f70b

    SHA1

    b42a9a1e8d13a279a7c55a5c1f02439a03293dc1

    SHA256

    8f990cab763f4686eb17fb1d03e8574de3a9b6d5fb8e5db8b8955d0b60f10fa5

    SHA512

    76a48dd7fb357c4051befa65a9f747414e43d1fca4f398de5ed9de1665064e4d3dc89e226b971e9a75bda38fa8e678e61ddbd3c7690a7508e40c36a20c70bd84

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    183KB

    MD5

    57f260903a34bf33a2c503df61f9403a

    SHA1

    1d1d528c3f43dec5c9c7a20c8c166fcdc742e7bb

    SHA256

    49b3cd308e4da9f54b3b283225a13d962b27b5d033f8839fc7d36dc799371f10

    SHA512

    d9d226e0fb4a2e9b985be04a1ce20b3763305a8867648041157dec6216defd21ca1aee0f801e0e6955d891facb14a5d2047da5f47b4dd1e4b6a8c7131ad533fd

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    183KB

    MD5

    57f260903a34bf33a2c503df61f9403a

    SHA1

    1d1d528c3f43dec5c9c7a20c8c166fcdc742e7bb

    SHA256

    49b3cd308e4da9f54b3b283225a13d962b27b5d033f8839fc7d36dc799371f10

    SHA512

    d9d226e0fb4a2e9b985be04a1ce20b3763305a8867648041157dec6216defd21ca1aee0f801e0e6955d891facb14a5d2047da5f47b4dd1e4b6a8c7131ad533fd

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    183KB

    MD5

    57f260903a34bf33a2c503df61f9403a

    SHA1

    1d1d528c3f43dec5c9c7a20c8c166fcdc742e7bb

    SHA256

    49b3cd308e4da9f54b3b283225a13d962b27b5d033f8839fc7d36dc799371f10

    SHA512

    d9d226e0fb4a2e9b985be04a1ce20b3763305a8867648041157dec6216defd21ca1aee0f801e0e6955d891facb14a5d2047da5f47b4dd1e4b6a8c7131ad533fd

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    183KB

    MD5

    57f260903a34bf33a2c503df61f9403a

    SHA1

    1d1d528c3f43dec5c9c7a20c8c166fcdc742e7bb

    SHA256

    49b3cd308e4da9f54b3b283225a13d962b27b5d033f8839fc7d36dc799371f10

    SHA512

    d9d226e0fb4a2e9b985be04a1ce20b3763305a8867648041157dec6216defd21ca1aee0f801e0e6955d891facb14a5d2047da5f47b4dd1e4b6a8c7131ad533fd

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    183KB

    MD5

    57f260903a34bf33a2c503df61f9403a

    SHA1

    1d1d528c3f43dec5c9c7a20c8c166fcdc742e7bb

    SHA256

    49b3cd308e4da9f54b3b283225a13d962b27b5d033f8839fc7d36dc799371f10

    SHA512

    d9d226e0fb4a2e9b985be04a1ce20b3763305a8867648041157dec6216defd21ca1aee0f801e0e6955d891facb14a5d2047da5f47b4dd1e4b6a8c7131ad533fd

    Download Submit

  • memory/1884-54-0x00000000763D1000-0x00000000763D3000-memory.dmp

    Filesize

    8KB

    Download