Resubmissions

03/03/2023, 01:44

230303-b6arcsfc9s 10

03/03/2023, 01:42

230303-b4nv7sfc7z 7

03/03/2023, 01:39

230303-b2ymmafg72 8

Analysis

  • max time kernel
    8s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/03/2023, 01:44

Errors

Reason
Machine shutdown

General

  • Target

    regdelete-readme-edits/hell9o.exe

  • Size

    172KB

  • MD5

    2e933118fecbaf64bbd76514c47a2164

  • SHA1

    a70a1673c4c7d0c0c12bc42bc676a1e9a09edc21

  • SHA256

    5268359ebc3f9e709c8eee1fa9d3e7c579b3e4563fabb9c394abe0fe2e39137f

  • SHA512

    c34672e55625462d16051cd725c96d634e459d61a9552f858f0b234d5eedf67594ca336f4fd695e3046c4e0485d4fa4497b6c604ee4144c49a6c1c0838628bdb

  • SSDEEP

    3072:xBtaM5EWCrATe105GWp1icKAArDZz4N9GhbkrNEk1lM:ZaM5zbp0yN90QEp

Score
7/10

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 33 IoCs
  • Registers COM server for autorun 1 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\regdelete-readme-edits\hell9o.exe
    "C:\Users\Admin\AppData\Local\Temp\regdelete-readme-edits\hell9o.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\system32\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\regdel.CMD
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\system32\reg.exe
        reg DELETE HKEY_CLASSES_ROOT /f
        3⤵
        • Modifies system executable filetype association
        • Registers COM server for autorun
        • Modifies registry class
        PID:272
      • C:\Windows\system32\reg.exe
        reg DELETE HKEY_CURRENT_USER /f
        3⤵
        PID:1092
      • C:\Windows\system32\reg.exe
        reg DELETE HKEY_LOCAL_MACHINE /f
        3⤵
        PID:1580
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    1⤵
    PID:564
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:1372
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:2016
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:1912
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:824
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:1380

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\regdel.CMD
    Filesize
    159B
    MD5
    e26bcceba32f987399a0decf331f0697
    SHA1
    64540b56c5ff6dbb963faa50a85159c62edf7365
    SHA256
    0fd1b221f5a865fd9d796857f51724ad6460d409e2cffe8cfaef091daa689d05
    SHA512
    d96236da499970dfd6702150a5140e947547e50e3ec6b5ee3d7923ddcc637a01a9e747ecac0b81d4268cbe1a7788c63d5b4ec1373fc46318d8a5d676f510d508