Analysis
max time kernel: 150s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03/12/2022, 20:02
Static task: static1
Behavioral task: behavioral1
  Sample: e46c7fe979bca18879b709b2baf1bc2653ef94d2ae667e107623eefd70a97fde.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: e46c7fe979bca18879b709b2baf1bc2653ef94d2ae667e107623eefd70a97fde.exe
  Resource: win10v2004-20220812-en
General
Target: e46c7fe979bca18879b709b2baf1bc2653ef94d2ae667e107623eefd70a97fde.exe
Size: 260KB
MD5: 80b8c001f89953e9046cff0ce8ffe5c4
SHA1: 85830290c6ad2fbdecaa6dbc755f2bbfd4132157
SHA256: e46c7fe979bca18879b709b2baf1bc2653ef94d2ae667e107623eefd70a97fde
SHA512: ab062b146003659ce118a37efabeb3e0ef65f61c8103160d1ccbbaab40d06ed5ac4da821c43f85b7c010ebdea52f594c29da7395a464df9a798fb022145ca0ee
SSDEEP: 3072:qw9eizdJiE64j9a45Kf/4xLMfKdRR7RH3TFavCPQjIYQHCd8boxQVV/V3xion:vf/6qKWlH3TFCCoNLx+VH
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description      ioc                                                                                                                                      Process
Set value (int)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  e46c7fe979bca18879b709b2baf1bc2653ef94d2ae667e107623eefd70a97fde.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  coalo.exe
Note: 0 is also the Windows default for ShowSuperHidden (protected operating system files hidden), so the value on its own is not an indicator; the indicator is that both the dropper and the dropped coalo.exe explicitly write it.
Executes dropped EXE 1 IoCs
pid   Process
1136  coalo.exe
Loads dropped DLL 2 IoCs
pid   Process
1248  e46c7fe979bca18879b709b2baf1bc2653ef94d2ae667e107623eefd70a97fde.exe
1248  e46c7fe979bca18879b709b2baf1bc2653ef94d2ae667e107623eefd70a97fde.exe
Adds Run key to start application 2 TTPs 53 IoCs
All 53 events target the same per-user autorun location, \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run: the two "Key created" events create the Run\ key itself, and the 51 "Set value (str)" events write the value Run\coalo, each time with a different command-line switch in the data. Listed in the order recorded:
description      ioc (data written to Run\coalo)       Process
Set value (str)  "C:\\Users\\Admin\\coalo.exe /i"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /s"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /n"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /N"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /V"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /C"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /k"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /t"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /P"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /L"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /x"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /X"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /O"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /Q"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /w"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /A"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /Y"     e46c7fe979bca18879b709b2baf1bc2653ef94d2ae667e107623eefd70a97fde.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /T"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /h"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /b"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /G"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /j"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /c"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /g"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /u"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /B"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /Z"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /R"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /U"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /d"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /v"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /a"     coalo.exe
Key created      Run\                                   e46c7fe979bca18879b709b2baf1bc2653ef94d2ae667e107623eefd70a97fde.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /q"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /E"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /Y"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /K"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /S"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /F"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /e"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /r"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /J"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /M"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /o"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /y"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /l"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /W"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /m"     coalo.exe
Key created      Run\                                   coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /H"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /f"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /z"     coalo.exe
Set value (str)  "C:\\Users\\Admin\\coalo.exe /I"     coalo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
1248  e46c7fe979bca18879b709b2baf1bc2653ef94d2ae667e107623eefd70a97fde.exe  (1 event)
1136  coalo.exe  (63 events)
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
1248  e46c7fe979bca18879b709b2baf1bc2653ef94d2ae667e107623eefd70a97fde.exe
1136  coalo.exe
Suspicious use of WriteProcessMemory 4 IoCs
description                        pid   Process                                                                 procid_target
PID 1248 wrote to memory of 1136   1248  e46c7fe979bca18879b709b2baf1bc2653ef94d2ae667e107623eefd70a97fde.exe  26
(the same event is recorded four times)
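The two host-side behaviours in the signatures above that are worth turning into detection logic are the ShowSuperHidden write and the Run-key persistence. Two points shape the rules: ShowSuperHidden = 0 is the Windows default, so the signal is a non-Explorer process writing it, not the value itself; and coalo.exe rewrites the same Run value dozens of times with a different single-letter switch each time, which is an anomaly in its own right, independent of any hash. The Python below is an added example and is not part of the Triage report or its signature set. It runs three checks (autorun pointing at an executable directly in a profile root, ShowSuperHidden set to 0 by something other than explorer.exe, and the same Run value rewritten with many distinct data strings) over constructed Sysmon-style Event ID 13 records modelled on the IoCs above; the record layout, the two benign explorer.exe control rows and the churn threshold are assumptions.

```python
import re
from collections import defaultdict

# Registry paths taken from the report (user hive of the sandbox account).
HIVE = r"HKU\S-1-5-21-999675638-2867687379-27515722-1000"
RUN_KEY = HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\coalo"
ADV_KEY = HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\e46c7fe979bca18879b709b2baf1bc2653ef94d2ae667e107623eefd70a97fde.exe"
DROPPED = r"C:\Users\Admin\coalo.exe"

# Any value directly under a Run or RunOnce key (per-user or per-machine hive).
RUN_VALUE_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
# An executable sitting directly in a profile root (C:\Users\<user>\<file>.exe), optionally quoted,
# optionally followed by arguments. Legitimate autoruns normally live deeper (AppData\..., Program Files\...).
PROFILE_ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\Users\\[^\\"]+\\[^\\"]+\.exe"?(?:\s|$)', re.I)
SUPER_HIDDEN_RE = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)


def _ev(pid, image, target, details):
    """One Sysmon Event ID 13 (value set) record, reduced to the fields the checks need (assumed layout)."""
    return {"pid": pid, "image": image, "target": target, "details": details}


# Constructed records modelled on the report's IoCs, plus two benign control rows from explorer.exe.
SAMPLE_EVENTS = [
    _ev(1248, DROPPER, ADV_KEY, "DWORD (0x00000000)"),
    _ev(1248, DROPPER, RUN_KEY, DROPPED + " /Y"),
    _ev(1136, DROPPED, ADV_KEY, "DWORD (0x00000000)"),
    _ev(900, r"C:\Windows\explorer.exe", ADV_KEY, "DWORD (0x00000000)"),  # user toggled the Folder Option
    _ev(900, r"C:\Windows\explorer.exe", HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
# coalo.exe rewriting its own Run value with a different switch each time (a subset of the switches in the report).
SAMPLE_EVENTS += [_ev(1136, DROPPED, RUN_KEY, f"{DROPPED} /{sw}") for sw in "isnNVCktPLxXOQwA"]


def is_profile_root_autorun(event):
    """Run/RunOnce value whose data points at an executable directly in C:\\Users\\<user>\\."""
    return bool(RUN_VALUE_RE.search(event["target"]) and PROFILE_ROOT_EXE_RE.match(event["details"]))


def hides_system_files_from_non_explorer(event):
    """ShowSuperHidden set to 0 by a process other than explorer.exe (the value alone is the default)."""
    if not SUPER_HIDDEN_RE.search(event["target"]):
        return False
    if event["image"].lower().endswith(r"\explorer.exe"):
        return False
    return event["details"].strip().upper().endswith("(0X00000000)")


def run_value_churn(events, threshold=5):
    """Return {(pid, run_value): n} for Run values rewritten with at least `threshold` distinct data strings."""
    seen = defaultdict(set)
    for e in events:
        if RUN_VALUE_RE.search(e["target"]):
            seen[(e["pid"], e["target"])].add(e["details"])
    return {key: len(vals) for key, vals in seen.items() if len(vals) >= threshold}


def triage(events):
    """Run all three checks and return (rule, pid, detail) findings."""
    findings = []
    for e in events:
        if is_profile_root_autorun(e):
            findings.append(("autorun_profile_root", e["pid"], e["details"]))
        if hides_system_files_from_non_explorer(e):
            findings.append(("showsuperhidden_zero", e["pid"], e["image"]))
    for (pid, target), n in run_value_churn(events).items():
        findings.append(("run_value_churn", pid, f"{n} distinct values written to {target}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid:<5} {detail}")
```

The churn threshold of five is a starting point, not a tuned value: installers do rewrite their own Run value a handful of times, so calibrate it against your own Sysmon volume. None of the three rules depends on the sample's hash, which matters here because the dropped copy does not share the submitted sample's hashes (see Downloads below).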
Processes
C:\Users\Admin\AppData\Local\Temp\e46c7fe979bca18879b709b2baf1bc2653ef94d2ae667e107623eefd70a97fde.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e46c7fe979bca18879b709b2baf1bc2653ef94d2ae667e107623eefd70a97fde.exe"
  PID: 1248
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\coalo.exe  (child of PID 1248)
    command line: "C:\Users\Admin\coalo.exe"
    PID: 1136
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Downloads
Four downloadable artifacts, all with identical size and hashes:
Filesize: 260KB
MD5: 71fbc6efee79c13959220933ec86b305
SHA1: d0074c790fbaed33db3c5a189d11338f4cd637f4
SHA256: 53303a77e1092687cc12a6841b6a33bf10dfeff11df97813267541b43ed634d2
SHA512: bf7ca275210b3e3f7f507f7f882cff30dd2962f011edbb9b95c28989cfa5c2e5906af236460203cc90e786c442f89600e219ee1af28b907f5b34d78f27b5a75a
Note: these hashes differ from the submitted sample's (MD5 80b8c001f89953e9046cff0ce8ffe5c4, SHA256 e46c7fe9...) despite the identical 260KB size, so hash-based hunting for the dropped copy must use the values above rather than the original sample's.