Analysis
max time kernel: 150s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2022, 10:30
Static task: static1
Behavioral task: behavioral1
Sample: c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67.exe
Resource: win10v2004-20220812-en
General
Target: c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67.exe
Size: 236KB
MD5: 5924f559c1eeae3d51db9defc440132b
SHA1: 73dd288f62b098ab4b11e3bd678115d96c44b65a
SHA256: c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67
SHA512: 28beb3fad7842c32eee168345b015b3574ec73012ca23bc936e3b5c990358b4bb636e2511c887bd8b8968efb093baa53d12eb8dd00a9f7339122b13efd04f05c
SSDEEP: 6144:ImaKCiUNxlBDe2WmHioZW+ZigxpEJAYyXSWIc9sKB+:PkLlBDeLmHioZWEigxpYAYlbc9TB
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ninex.exe
ShowSuperHidden = 0 is the "Hide protected operating system files" state: Explorer then hides files carrying the system attribute even when hidden files are otherwise shown. Both the original sample and the dropped ninex.exe write it.
-
Executes dropped EXE 1 IoCs
pid | Process
2040 | ninex.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2012 | c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67.exe (reported twice)
-
Adds Run key to start application 2 TTPs 54 IoCs
All 54 IoCs concern a single autostart value, \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ninex (the current user's HKCU Run key). Two entries are key creations, one by each process; the other 52 set the value to "C:\\Users\\Admin\\ninex.exe" followed by one single-letter switch. Across the run the switch takes every lowercase letter and every uppercase letter except U.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | ninex.exe
Set value (str) | ninex = "C:\\Users\\Admin\\ninex.exe /b" | c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67.exe
Set value (str), 51 writes by ninex.exe, switch in the order reported: /e /R /u /g /v /q /G /Z /Y /k /X /H /V /c /o /t /z /y /N /Q /x /h /O /M /D /n /C /w /p /T /B /i /m /f /E /J /W /a /L /K /I /s /P /j /b /F /S /d /l /r /A | ninex.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
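The two registry signatures above (the HKCU Run-key autostart and ShowSuperHidden = 0) are the behaviours a triage script would want to pull out of a report like this one. The following is an added example written for this page, not Triage's own tooling or anything from the sample: it parses IoC lines in the report's own "Set value (type) path = "data" process" layout, collapses the repeated rewrites of one Run value into a single finding with the set of switches seen, and flags autostart targets outside an assumed allowlist of trusted roots. The events in SAMPLE_EVENTS are constructed to mirror the report's entries; the HKLM SecurityHealth line is a made-up benign control case, and TRUSTED_ROOTS is an assumption, not something the report defines.

```python
"""Added example for this page (not Triage code): parse 'Set value' IoC lines
and flag Run-key persistence and ShowSuperHidden = 0."""
import re
from collections import defaultdict

# Constructed sample events in the report's IoC layout. The HKLM SecurityHealth
# line is a made-up benign control case, not from the report.
SAMPLE_EVENTS = r'''
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ninex.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ninex = "C:\\Users\\Admin\\ninex.exe /e" ninex.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ninex = "C:\\Users\\Admin\\ninex.exe /R" ninex.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ninex = "C:\\Users\\Admin\\ninex.exe /b" c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\System32\\SecurityHealthSystray.exe" explorer.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ ninex.exe
'''

IOC_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (\S+)$')
RUN_VALUE_RE = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$', re.I)
SUPERHIDDEN_RE = re.compile(r'\\Explorer\\Advanced\\ShowSuperHidden$', re.I)
# Assumed allowlist: autostart targets under these roots are not flagged.
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')


def parse_iocs(text):
    """Yield (value_type, key_path, data, writer) for each 'Set value' line.
    'Key created' and other lines carry no data and are skipped."""
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            vtype, path, data, writer = m.groups()
            # The report escapes backslashes inside string data ("C:\\Users\\...").
            yield vtype, path, data.replace('\\\\', '\\'), writer


def command_exe(command):
    """Executable portion of a Run-value command line, quoted or bare."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(' ', 1)[0]


def analyze(text):
    """Return findings: Run-key autostarts outside TRUSTED_ROOTS, and
    ShowSuperHidden switched to 0 (system-attribute files hidden in Explorer)."""
    findings = []
    run_writes = defaultdict(list)  # value path -> [(command, writer), ...]
    for _vtype, path, data, writer in parse_iocs(text):
        if SUPERHIDDEN_RE.search(path) and data == '0':
            findings.append({'rule': 'explorer_hide_superhidden',
                             'value': path, 'writer': writer})
        elif RUN_VALUE_RE.search(path):
            run_writes[path].append((data, writer))
    for path, writes in run_writes.items():
        exe = command_exe(writes[0][0])
        if exe.lower().startswith(TRUSTED_ROOTS):
            continue
        # One finding per value: the report rewrites the same value dozens of
        # times with a different one-letter switch, so keep the switch set.
        switches = sorted({cmd.split(' ', 1)[1] for cmd, _ in writes if ' ' in cmd})
        findings.append({'rule': 'run_key_autostart_untrusted_path',
                         'value': path, 'exe': exe, 'writes': len(writes),
                         'writers': sorted({w for _, w in writes}),
                         'switches': switches})
    return findings


if __name__ == '__main__':
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Grouping by value path rather than by raw line is what turns the 54 entries in the report into one actionable item (the target executable, how many times it was written, and by which processes); the constantly changing switch is noise for detection purposes but worth keeping as a fingerprint of this family's behaviour.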
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2012 | c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67.exe (1 entry)
2040 | ninex.exe (63 entries)
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2012 | c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67.exe
2040 | ninex.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2012 wrote to memory of 2040 | 2012 | c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67.exe | 27 (reported four times)
All four writes go from the original sample (PID 2012) into ninex.exe (PID 2040), the child it spawned. A parent writing into a child it has just created is also produced by ordinary process creation, so this signature on its own does not establish code injection; the dropped executable persisting from C:\Users\Admin is the stronger indicator in this run.
Processes
C:\Users\Admin\AppData\Local\Temp\c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67.exe (PID 2012), command line "C:\Users\Admin\AppData\Local\Temp\c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67.exe"
- Modifies visibility of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\ninex.exe (PID 2040, child of 2012), command line "C:\Users\Admin\ninex.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 236KB
MD5: a7835d0380d188b2d7cd92ee56668646
SHA1: cec3b69643aa6b668f516f5068e7f667f380b4b7
SHA256: a51dce9d894f888785728b1b05129fc75cff7ee91bc6535ac2bf9183673e446e
SHA512: 2e6977b59c4ed6a3eb7a134c8ccc79784135307ea3beae3a35ae972472fce4e821897ec49eaddc37c9008570d2e1656703f34e00fb6eca46867d04e632aa8637