Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 42s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2022, 19:00
Static task: static1
Behavioral task: behavioral1
  Sample: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
  Resource: win10v2004-20221111-en
General
Target: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
Size: 364KB
MD5: 72c482ad8052388343956fe092465e7c
SHA1: 6b301063661ce24464060938823554a4d2e411d4
SHA256: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321
SHA512: 6318d94e1adff12fa42fb05d3a46bef337577ec68ba4cf993012d422c5ae09f6d928b936346538c75891085253565caee30614fa18cbb76586a96fa0324b3f3d
SSDEEP: 6144:CbXE9OiTGfhEClq9ztilm4CNyG+4GgDNxDiRVBHePLBQsL:qU9XiuiitImy7wxQVB+TBQsL
Malware Config
Signatures

Drops file in Drivers directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe

Executes dropped EXE (1 IoC)
  pid | Process
  1924 | pipipipipi.exe

Loads dropped DLL (5 IoCs)
  pid | Process
  752 | 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
  752 | 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
  784 | WerFault.exe
  784 | WerFault.exe
  784 | WerFault.exe

Drops file in Program Files directory (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\ololo\3t.jpg | 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
  File opened for modification | C:\Program Files (x86)\ololo\pipipipipi.exe | 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
  File opened for modification | C:\Program Files (x86)\ololo\olololo.bat | 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
  File opened for modification | C:\Program Files (x86)\ololo\p.txt | 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
  File opened for modification | C:\Program Files (x86)\ololo\3t.jpg | DllHost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  784 | 1924 | WerFault.exe | 30

Runs .reg file with regedit (1 IoC)
  pid | Process
  320 | regedit.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  1124 | DllHost.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 752 wrote to memory of 2044 | 752 | 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe | 28
  PID 752 wrote to memory of 2044 | 752 | 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe | 28
  PID 752 wrote to memory of 2044 | 752 | 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe | 28
  PID 752 wrote to memory of 2044 | 752 | 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe | 28
  PID 752 wrote to memory of 1924 | 752 | 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe | 30
  PID 752 wrote to memory of 1924 | 752 | 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe | 30
  PID 752 wrote to memory of 1924 | 752 | 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe | 30
  PID 752 wrote to memory of 1924 | 752 | 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe | 30
  PID 2044 wrote to memory of 320 | 2044 | cmd.exe | 32
  PID 2044 wrote to memory of 320 | 2044 | cmd.exe | 32
  PID 2044 wrote to memory of 320 | 2044 | cmd.exe | 32
  PID 2044 wrote to memory of 320 | 2044 | cmd.exe | 32
  PID 1924 wrote to memory of 784 | 1924 | pipipipipi.exe | 34
  PID 1924 wrote to memory of 784 | 1924 | pipipipipi.exe | 34
  PID 1924 wrote to memory of 784 | 1924 | pipipipipi.exe | 34
  PID 1924 wrote to memory of 784 | 1924 | pipipipipi.exe | 34
Processes

C:\Users\Admin\AppData\Local\Temp\893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe"
  PID: 752
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Program Files (x86)\ololo\olololo.bat" "
      PID: 2044
      - Drops file in Drivers directory
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\regedit.exe
          command line: regedit -s snapshot.reg
          PID: 320
          - Runs .reg file with regedit

    C:\Program Files (x86)\ololo\pipipipipi.exe
      command line: "C:\Program Files (x86)\ololo\pipipipipi.exe"
      PID: 1924
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 364
          PID: 784
          - Loads dropped DLL
          - Program crash

C:\Windows\SysWOW64\DllHost.exe
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 1124
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads