Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20220812-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    07/12/2022, 02:43

General

  • Target

    64891be44ea4a4499265f6cc659b5d112eb6ba83e61f24dfeb405a6e05c61766.exe

  • Size

    232KB

  • MD5

    5574f7c11369e28e9fce030385b00ccc

  • SHA1

    279bbae4c93247c8c959cd5776a78735df60902c

  • SHA256

    64891be44ea4a4499265f6cc659b5d112eb6ba83e61f24dfeb405a6e05c61766

  • SHA512

    30097d0711f3708b9d797aa2f4713b0293322e903e780ebaf1a43b800386da1319ee5ee05a8626dd959edf4ecf3ad0a7688d32f25cb91bf39d387b0ec2381191

  • SSDEEP

    3072:jgXVlhx5v2gKvvyMZe+EVv64QWCyiHCqV/G0/J:ifKHyMwhVv6vWCyiHCqV/G0x

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64891be44ea4a4499265f6cc659b5d112eb6ba83e61f24dfeb405a6e05c61766.exe
    "C:\Users\Admin\AppData\Local\Temp\64891be44ea4a4499265f6cc659b5d112eb6ba83e61f24dfeb405a6e05c61766.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Users\Admin\zaeetom.exe
      "C:\Users\Admin\zaeetom.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:268
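The process tree above shows the pattern the signatures describe: the submitted sample (PID 896) drops zaeetom.exe into the profile root, sets persistence and Explorer hidden-file settings, then launches the dropped copy (PID 268), which repeats the Run-key write. The following is an added example (not Triage's own signature code) of detection logic for those three behaviours, replayed over a constructed event log. The image paths, PIDs and parent/child relation come from this report; the registry key paths, value names and data are assumptions, because the page lists the signature names but not the registry IoCs, so the events use the standard Run key and Explorer "Advanced" locations such checks look at.

```python
"""Replay of the behaviours this report flags, over a constructed event log.

Added example: this is not Triage's signature code. The process images,
PIDs and parent/child relation are taken from the Processes tree above.
The registry key paths, value names and data are ASSUMED: the page lists
the signature names but not the registry IoCs, so the events below use the
standard Run key and Explorer 'Advanced' locations such checks look at."""
import re

# Constructed events in a minimal sandbox/EDR shape (not from the report).
EVENTS = [
    # Parent (PID 896) drops the second-stage binary into the profile root.
    {"type": "file_write", "pid": 896, "path": r"C:\Users\Admin\zaeetom.exe"},
    # ASSUMED registry IoC: Explorer 'Hidden' = 2 hides hidden files again.
    {"type": "reg_set", "pid": 896,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "value": "Hidden", "data": "2"},
    # ASSUMED registry IoC: Run value pointing at the dropped file.
    {"type": "reg_set", "pid": 896,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "zaeetom", "data": r"C:\Users\Admin\zaeetom.exe"},
    # Child (PID 268) is the dropped file itself, as in the Processes tree.
    {"type": "process_create", "pid": 268, "ppid": 896,
     "image": r"C:\Users\Admin\zaeetom.exe"},
    {"type": "reg_set", "pid": 268,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "zaeetom", "data": r"C:\Users\Admin\zaeetom.exe"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
EXPLORER_ADVANCED = re.compile(r"\\Explorer\\Advanced$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
EXPLORER_VALUES = {"hidden", "showsuperhidden"}


def analyse(events):
    """Return (signature, pid, detail) tuples in event order.

    'Executes dropped EXE' needs state: a process_create only counts when
    its image path was written earlier in the same trace."""
    dropped = set()
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_write":
            dropped.add(ev["path"].lower())
        elif kind == "process_create":
            if ev["image"].lower() in dropped:
                hits.append(("Executes dropped EXE", ev["pid"], ev["image"]))
        elif kind == "reg_set":
            # Run-key persistence is only interesting when it points at a
            # user-writable location, as the dropped copy here does.
            if RUN_KEY.search(ev["key"]) and USER_WRITABLE.match(ev["data"]):
                hits.append(("Adds Run key to start application",
                             ev["pid"], ev["data"]))
            if (EXPLORER_ADVANCED.search(ev["key"])
                    and ev["value"].lower() in EXPLORER_VALUES):
                hits.append(("Modifies visibility of hidden/system files in Explorer",
                             ev["pid"], ev["value"]))
    return hits


def signatures(events):
    """Deduplicated signature names, for comparison with the report's list."""
    return sorted({h[0] for h in analyse(events)})


if __name__ == "__main__":
    for sig, pid, detail in analyse(EVENTS):
        print(f"PID {pid}: {sig} ({detail})")
```

Run against the constructed log, analyse() yields four hits: the Explorer change and first Run-key write by PID 896, the dropped-file execution as PID 268, and the second Run-key write by PID 268, matching the per-process signature lists above. A process_create whose image was never seen written earlier in the trace is deliberately not flagged.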

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\zaeetom.exe

    Filesize

    232KB

    MD5

    226b8b5bad730fa4b90e2a37eb799b53

    SHA1

    cc1ba902155bc4319ebb154a4768125bc93a90d6

    SHA256

    cee2533306c0f0535c18420ee5494623d4e198058a1f485f2e6e9ec0a1ec62b2

    SHA512

    97fc52f8bbed79e4f94468a43a5e6f6755363d9b7e2ea097a7f80f47dabe41daa4efb058f2406da86f72507af4846f463a42b565c49f10f738b5094ec9123a25

  • \Users\Admin\zaeetom.exe

    Filesize

    232KB

    MD5

    226b8b5bad730fa4b90e2a37eb799b53

    SHA1

    cc1ba902155bc4319ebb154a4768125bc93a90d6

    SHA256

    cee2533306c0f0535c18420ee5494623d4e198058a1f485f2e6e9ec0a1ec62b2

    SHA512

    97fc52f8bbed79e4f94468a43a5e6f6755363d9b7e2ea097a7f80f47dabe41daa4efb058f2406da86f72507af4846f463a42b565c49f10f738b5094ec9123a25

  • memory/896-56-0x0000000075E31000-0x0000000075E33000-memory.dmp

    Filesize

    8KB
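The General and Downloads sections publish MD5, SHA1, SHA256 and SHA512 for both the submitted sample and the dropped zaeetom.exe. The following is an added example (not part of the Triage page or its tooling) of checking a file on disk against those published values. The hash sets are copied from this report; the file path is supplied by the caller; a match is only reported when every algorithm present agrees, because agreement on MD5 or SHA1 alone is not enough to assert identity. SSDEEP is not checked, since that needs a non-standard library.

```python
"""Verify a file against the hashes published in this report.

Added example: not part of the Triage page or its tooling. REPORT_IOCS is
copied from the General and Downloads sections above; the file path is the
caller's own input."""
import hashlib
import io
import sys

REPORT_IOCS = {
    "submitted sample": {
        "md5": "5574f7c11369e28e9fce030385b00ccc",
        "sha1": "279bbae4c93247c8c959cd5776a78735df60902c",
        "sha256": "64891be44ea4a4499265f6cc659b5d112eb6ba83e61f24dfeb405a6e05c61766",
        "sha512": "30097d0711f3708b9d797aa2f4713b0293322e903e780ebaf1a43b800386da13"
                  "19ee5ee05a8626dd959edf4ecf3ad0a7688d32f25cb91bf39d387b0ec2381191",
    },
    "dropped zaeetom.exe": {
        "md5": "226b8b5bad730fa4b90e2a37eb799b53",
        "sha1": "cc1ba902155bc4319ebb154a4768125bc93a90d6",
        "sha256": "cee2533306c0f0535c18420ee5494623d4e198058a1f485f2e6e9ec0a1ec62b2",
        "sha512": "97fc52f8bbed79e4f94468a43a5e6f6755363d9b7e2ea097a7f80f47dabe41da"
                  "a4efb058f2406da86f72507af4846f463a42b565c49f10f738b5094ec9123a25",
    },
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def hash_stream(fobj, chunk_size=1 << 16):
    """Compute all four digests in one pass so a large sample is read once."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in iter(lambda: fobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Same as hash_stream, for an in-memory buffer."""
    return hash_stream(io.BytesIO(data))


def classify(hashes):
    """Return (full_matches, partial_matches) against REPORT_IOCS.

    A full match requires every algorithm present in both dicts to agree.
    Agreement on only some algorithms is returned separately rather than
    treated as a match: a lone MD5 or SHA1 hit could be a collision or a
    tampered report entry, and deserves a second look rather than a verdict."""
    full, partial = [], []
    for label, iocs in REPORT_IOCS.items():
        common = [a for a in ALGOS if a in hashes and a in iocs]
        agree = [a for a in common if hashes[a].lower() == iocs[a].lower()]
        if common and len(agree) == len(common):
            full.append(label)
        elif agree:
            partial.append((label, agree))
    return full, partial


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <file>")
    with open(sys.argv[1], "rb") as f:
        digests = hash_stream(f)
    full, partial = classify(digests)
    for name in ALGOS:
        print(f"{name:7} {digests[name]}")
    print("full match:", full or "none")
    for label, algos in partial:
        print(f"WARNING partial match with {label}: only {', '.join(algos)} agree")
```

Feeding the script the original sample or the dropped copy (for example, downloaded from the Downloads section above) should print exactly one full match; any partial-match warning means the file differs from what the report describes even though one weak hash happens to agree.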