Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 23:02

General

  • Target

    8c9066731dc635a9700bc2816377abfdcd409b7228f3b469eafa4fc575d567fc.exe

  • Size

    248KB

  • MD5

    3bfee2bd737f01f99c20dfbea28104b0

  • SHA1

    1fbb34899cfa374617b958b52ccfdadbf03b34c8

  • SHA256

    8c9066731dc635a9700bc2816377abfdcd409b7228f3b469eafa4fc575d567fc

  • SHA512

    ab19fe946d1b158b737912d48f30026c771059d7beaffe5231017f3d480c62c2dce58d05fd2e7a3671149f9e8a1d132b5d7a712912b3350b06eeac294d05a051

  • SSDEEP

    3072:dJw15W42t0z43JOFQfOTbjaoL7mZW0h/tlVu/T8cLBH:dJWW42t0z43JOFQfOO

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 50 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c9066731dc635a9700bc2816377abfdcd409b7228f3b469eafa4fc575d567fc.exe
    "C:\Users\Admin\AppData\Local\Temp\8c9066731dc635a9700bc2816377abfdcd409b7228f3b469eafa4fc575d567fc.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Users\Admin\haixem.exe
      "C:\Users\Admin\haixem.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:272

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\haixem.exe

    Filesize

    248KB

    MD5

    b6cb942de368733ec72da6f3d9953576

    SHA1

    c3a455564792a2935281883f1b00b4f3248386de

    SHA256

    bee3dcf90d114c9b48bf56ebf43d3f85ece10d85663c990a134c89ebde4c70e6

    SHA512

    91e50ad46622e5e84a76285d9a8997f1393633bf001a41b00e0e610a86e0c8a4715c90333da748759122e48ace67154d7ab6d22e90daeba8aa6a05dd044d3c46

  • C:\Users\Admin\haixem.exe

    Filesize

    248KB

    MD5

    b6cb942de368733ec72da6f3d9953576

    SHA1

    c3a455564792a2935281883f1b00b4f3248386de

    SHA256

    bee3dcf90d114c9b48bf56ebf43d3f85ece10d85663c990a134c89ebde4c70e6

    SHA512

    91e50ad46622e5e84a76285d9a8997f1393633bf001a41b00e0e610a86e0c8a4715c90333da748759122e48ace67154d7ab6d22e90daeba8aa6a05dd044d3c46

  • \Users\Admin\haixem.exe

    Filesize

    248KB

    MD5

    b6cb942de368733ec72da6f3d9953576

    SHA1

    c3a455564792a2935281883f1b00b4f3248386de

    SHA256

    bee3dcf90d114c9b48bf56ebf43d3f85ece10d85663c990a134c89ebde4c70e6

    SHA512

    91e50ad46622e5e84a76285d9a8997f1393633bf001a41b00e0e610a86e0c8a4715c90333da748759122e48ace67154d7ab6d22e90daeba8aa6a05dd044d3c46

  • \Users\Admin\haixem.exe

    Filesize

    248KB

    MD5

    b6cb942de368733ec72da6f3d9953576

    SHA1

    c3a455564792a2935281883f1b00b4f3248386de

    SHA256

    bee3dcf90d114c9b48bf56ebf43d3f85ece10d85663c990a134c89ebde4c70e6

    SHA512

    91e50ad46622e5e84a76285d9a8997f1393633bf001a41b00e0e610a86e0c8a4715c90333da748759122e48ace67154d7ab6d22e90daeba8aa6a05dd044d3c46

  • memory/1280-56-0x0000000075811000-0x0000000075813000-memory.dmp

    Filesize

    8KB