Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
03/12/2022, 19:13
Static task
static1
Behavioral task
behavioral1
Sample
b906a1e7633074282e957094d692e44466c81e16404f9932f0a3f78168e77ec8.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
b906a1e7633074282e957094d692e44466c81e16404f9932f0a3f78168e77ec8.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
b906a1e7633074282e957094d692e44466c81e16404f9932f0a3f78168e77ec8.exe
-
Size
172KB
-
MD5
445772cadc7038a1fc6a6ac9a913eae8
-
SHA1
a458e77f891e31a3a72602164578cc7441f9b23c
-
SHA256
b906a1e7633074282e957094d692e44466c81e16404f9932f0a3f78168e77ec8
-
SHA512
d36a45ddc524f79066897de5fa6bdbd39d4db63440e024dc7a29dcbfc9e5d7388d8025ea5682cf6865df8a5678aca6849292d7beed92a25465373ddaa62d4feb
-
SSDEEP
3072:F6SFonoVD8oSx/mvXAFIFR7Nzim04f1fhLOG7GQiCLMt8Xt/Wv6mgea:F6coUD8oSx/mvXAFIFR7N7DfhhLOG7Gb
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" rouze.exe -
Executes dropped EXE 1 IoCs
pid Process 1712 rouze.exe -
Loads dropped DLL 2 IoCs
pid Process 1752 b906a1e7633074282e957094d692e44466c81e16404f9932f0a3f78168e77ec8.exe 1752 b906a1e7633074282e957094d692e44466c81e16404f9932f0a3f78168e77ec8.exe -
Adds Run key to start application 2 TTPs 51 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /o" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /U" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /p" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /V" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /h" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /m" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /Z" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /A" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /j" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /W" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /d" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /E" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /H" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /e" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /Y" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /i" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /y" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /g" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /l" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /F" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /a" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /J" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /X" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /I" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /L" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /q" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /w" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /f" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /s" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /K" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /r" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /N" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /z" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /b" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /G" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /v" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /R" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /k" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /M" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /D" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /u" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /P" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /n" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /x" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /O" rouze.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /C" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /S" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /Q" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /T" rouze.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rouze = "C:\\Users\\Admin\\rouze.exe /c" rouze.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe 1712 rouze.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1752 b906a1e7633074282e957094d692e44466c81e16404f9932f0a3f78168e77ec8.exe 1712 rouze.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1752 wrote to memory of 1712 1752 b906a1e7633074282e957094d692e44466c81e16404f9932f0a3f78168e77ec8.exe 28 PID 1752 wrote to memory of 1712 1752 b906a1e7633074282e957094d692e44466c81e16404f9932f0a3f78168e77ec8.exe 28 PID 1752 wrote to memory of 1712 1752 b906a1e7633074282e957094d692e44466c81e16404f9932f0a3f78168e77ec8.exe 28 PID 1752 wrote to memory of 1712 1752 b906a1e7633074282e957094d692e44466c81e16404f9932f0a3f78168e77ec8.exe 28 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27 PID 1712 wrote to memory of 1752 1712 rouze.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\b906a1e7633074282e957094d692e44466c81e16404f9932f0a3f78168e77ec8.exe"C:\Users\Admin\AppData\Local\Temp\b906a1e7633074282e957094d692e44466c81e16404f9932f0a3f78168e77ec8.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Users\Admin\rouze.exe"C:\Users\Admin\rouze.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
172KB
MD5575fa5f9d5e89dbd408f1450f8bbbb51
SHA183b00d41b364f165c7421c8f5665d816ea269a1c
SHA256a50c9c7ca1abfaf02da8c1823999ec0eb64a88504ad589771ff067fc6780b879
SHA512af956652a5e1bb1c99854f021e6cf3687e31e3e449f0031b6bce71a449b51f8e97411c386ae1d32101d26065acc31d08341d2dffa88d3574581d11f4122fe4b4
-
Filesize
172KB
MD5575fa5f9d5e89dbd408f1450f8bbbb51
SHA183b00d41b364f165c7421c8f5665d816ea269a1c
SHA256a50c9c7ca1abfaf02da8c1823999ec0eb64a88504ad589771ff067fc6780b879
SHA512af956652a5e1bb1c99854f021e6cf3687e31e3e449f0031b6bce71a449b51f8e97411c386ae1d32101d26065acc31d08341d2dffa88d3574581d11f4122fe4b4
-
Filesize
172KB
MD5575fa5f9d5e89dbd408f1450f8bbbb51
SHA183b00d41b364f165c7421c8f5665d816ea269a1c
SHA256a50c9c7ca1abfaf02da8c1823999ec0eb64a88504ad589771ff067fc6780b879
SHA512af956652a5e1bb1c99854f021e6cf3687e31e3e449f0031b6bce71a449b51f8e97411c386ae1d32101d26065acc31d08341d2dffa88d3574581d11f4122fe4b4
-
Filesize
172KB
MD5575fa5f9d5e89dbd408f1450f8bbbb51
SHA183b00d41b364f165c7421c8f5665d816ea269a1c
SHA256a50c9c7ca1abfaf02da8c1823999ec0eb64a88504ad589771ff067fc6780b879
SHA512af956652a5e1bb1c99854f021e6cf3687e31e3e449f0031b6bce71a449b51f8e97411c386ae1d32101d26065acc31d08341d2dffa88d3574581d11f4122fe4b4