
Analysis

  • max time kernel
    150s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/12/2022, 10:30

General

  • Target

    c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67.exe

  • Size

    236KB

  • MD5

    5924f559c1eeae3d51db9defc440132b

  • SHA1

    73dd288f62b098ab4b11e3bd678115d96c44b65a

  • SHA256

    c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67

  • SHA512

    28beb3fad7842c32eee168345b015b3574ec73012ca23bc936e3b5c990358b4bb636e2511c887bd8b8968efb093baa53d12eb8dd00a9f7339122b13efd04f05c

  • SSDEEP

    6144:ImaKCiUNxlBDe2WmHioZW+ZigxpEJAYyXSWIc9sKB+:PkLlBDeLmHioZWEigxpYAYlbc9TB

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67.exe
    "C:\Users\Admin\AppData\Local\Temp\c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Users\Admin\ninex.exe
      "C:\Users\Admin\ninex.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2040
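
The three host artefacts worth checking after this report are the Run-key persistence, the Explorer hidden/system-file setting and the dropped copy at C:\Users\Admin\ninex.exe (same 236KB size as the parent, different hash). The following is an added example, not tria.ge tooling and not the sample's own code: a Python triage helper that parses a `reg export` dump, flags Run-key values launching from user-writable directories, reports whether Explorer is set to hide files, and matches SHA256 values against the hashes listed on this page. The registry text embedded in it is constructed sample data, not captured from this analysis; the key and value names are the standard Windows ones, while the list of user-writable prefixes is an assumption chosen for illustration.

```python
"""Host triage helper for the behaviours flagged in this report (added example).

Parses a Windows .reg export (output of `reg export`) and flags:
  * Run-key values whose image lives in a user-writable directory,
  * Explorer settings that hide hidden files (Hidden=2) or protected OS files
    (ShowSuperHidden=0),
and matches SHA256 digests against the sample hashes listed on this page.
The registry text in SAMPLE_REG is constructed, not captured from the sandbox.
"""
import hashlib
import re

# SHA256 values copied from the report: the submitted sample and the dropped copy.
KNOWN_SHA256 = {
    "c46a82dde1c74f6050d3a1e5010d91c2635365ceed0562d3b55fca3126efaa67": "submitted sample",
    "a51dce9d894f888785728b1b05129fc75cff7ee91bc6535ac2bf9183673e446e": "C:\\Users\\Admin\\ninex.exe",
}

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
EXPLORER_ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Assumed set of directories an unprivileged user can write to (illustrative, not exhaustive).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample export: one persistence entry pointing at the drop path from the
# process tree, one benign vendor entry, and Explorer configured to hide files.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ninex"="C:\\Users\\Admin\\ninex.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; handles REG_SZ and REG_DWORD lines only."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.groups()
        if data.startswith("dword:"):
            entries[current][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes and quotes inside REG_SZ data.
            entries[current][name] = re.sub(r'\\(["\\])', r'\1', data[1:-1])
    return entries


def _lookup(entries, key):
    """Registry key paths are case-insensitive, so compare lower-cased."""
    for k, v in entries.items():
        if k.lower() == key.lower():
            return v
    return {}


def command_image(cmd):
    """Executable portion of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def suspicious_run_entries(entries):
    """(key, value_name, image) for Run-key values launching from user-writable paths."""
    hits = []
    for key in RUN_KEYS:
        for name, cmd in _lookup(entries, key).items():
            if not isinstance(cmd, str):
                continue
            image = command_image(cmd)
            low = image.lower()
            if low.startswith(USER_WRITABLE) or "\\appdata\\" in low:
                hits.append((key, name, image))
    return hits


def explorer_hides_files(entries):
    """True when Explorer hides hidden files (Hidden=2) or protected OS files (ShowSuperHidden=0)."""
    adv = _lookup(entries, EXPLORER_ADVANCED)
    return adv.get("Hidden") == 2 or adv.get("ShowSuperHidden") == 0


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def classify_hash(sha256_hex):
    """Label from the report's hash table for a SHA256 digest, or None if unknown."""
    return KNOWN_SHA256.get(sha256_hex.lower())


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    for key, name, image in suspicious_run_entries(reg):
        print(f"persistence: {key}\\{name} -> {image}")
    print("explorer hides files:", explorer_hides_files(reg))
```

Two caveats when using this on a live host. Hidden=2 and ShowSuperHidden=0 are also the Windows defaults, so their static state proves little; the sandbox signature fires because the sample writes those values, and on a real host the equivalent evidence is the write itself (registry auditing, or Sysmon event ID 13). And the dropped ninex.exe has the same size as the submitted file but a different SHA256, so hash-matching only the parent misses the persisted copy; include both digests, as above.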

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\ninex.exe

    Filesize

    236KB

    MD5

    a7835d0380d188b2d7cd92ee56668646

    SHA1

    cec3b69643aa6b668f516f5068e7f667f380b4b7

    SHA256

    a51dce9d894f888785728b1b05129fc75cff7ee91bc6535ac2bf9183673e446e

    SHA512

    2e6977b59c4ed6a3eb7a134c8ccc79784135307ea3beae3a35ae972472fce4e821897ec49eaddc37c9008570d2e1656703f34e00fb6eca46867d04e632aa8637

  • \Users\Admin\ninex.exe

    Filesize

    236KB

    MD5

    a7835d0380d188b2d7cd92ee56668646

    SHA1

    cec3b69643aa6b668f516f5068e7f667f380b4b7

    SHA256

    a51dce9d894f888785728b1b05129fc75cff7ee91bc6535ac2bf9183673e446e

    SHA512

    2e6977b59c4ed6a3eb7a134c8ccc79784135307ea3beae3a35ae972472fce4e821897ec49eaddc37c9008570d2e1656703f34e00fb6eca46867d04e632aa8637

  • memory/2012-56-0x0000000074B51000-0x0000000074B53000-memory.dmp

    Filesize

    8KB