Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
25/02/2025, 18:31
250225-w51ava1jt9 811/03/2024, 23:35
240311-3leclahf51 805/09/2023, 14:57
230905-sbr6lagd82 812/04/2023, 00:00
230412-aaqx2ahh3w 8Analysis
-
max time kernel
140s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
05/09/2023, 14:57
General
-
Target
Elo.exe
-
Size
96KB
-
MD5
26b12d61e9e62412748069275521be1a
-
SHA1
6206f2f1256774a058998da3517cbffc5e70270e
-
SHA256
a6f48afd03aaa15824a2182e20088a4595f795766f78d679416d123ec17e1de5
-
SHA512
0e28b335d373c7d1d92f15bd412886472db66ad9b1ab9a4fcae6f1338df07785a62b03ff069aea9543a850c95e9990e3107e0114d63f207721e897b859956491
-
SSDEEP
1536:f7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfswociK1CFOU:T7DhdC6kzWypvaQ0FxyNTBfspwYp
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Elo.exe"C:\Users\Admin\AppData\Local\Temp\Elo.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4BC0.tmp\4BC1.tmp\4BC2.bat C:\Users\Admin\AppData\Local\Temp\Elo.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet session3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵
-
-
-
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Local\Temp\Elo.exe3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +h +s 17530.vbs3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +h +s 9727.vbs3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +h +s 12662.vbs3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +h +s Automate.bat3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +h +s Test.vbs3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +h +s Test.bat3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +h +s Detect.vbs3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +h +s Detect.bat3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +h +s bsod.bat3⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17530.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process Detect.bat -Verb RunAs -windowstyle hidden4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Detect.bat"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Detect.vbs"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process Test.bat -Verb RunAs -windowstyle hidden -wait7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Test.bat"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Test.vbs"6⤵
-
-
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\MEMZ.txt3⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\attrib.exeattrib +h +s MEMZ.txt3⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -noprofile -3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type NirCmd.ps1 "3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell gci -Recurse -Filter *.zip |ForEach-Object {Expand-Archive -Path $_.Fullname -DestinationPath $_.BaseName -Force}3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout 15 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\attrib.exeattrib +h +s NirCmd.txt3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +h +s NirCmd.bat3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +h +s NirCmd2.txt3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +h +s NirCmd.zip3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +h +s NirCmd.ps13⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +h +s NirCmd.exe3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\timeout.exetimeout 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\timeout.exetimeout 20 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\timeout.exetimeout 10 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sethc.exesethc 2503⤵
-
-
-
C:\Windows\system32\sethc.exesethc.exe 1011⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies Internet Explorer settings
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b65aeb1b3da0b96313cc6e10dde4afe0
SHA134039989280d6d5a45793deaab79665c79b74b8d
SHA2560254d776e25aeb83f195aacc7d477cd37683932586b27fdb7f09836d08296a3c
SHA512be5c22848ee3491061feaab9c8e708e04e5d34bc0d8b46e816e059e6616c0114cfe5f40aee935f9d5dee546a990efa3bca00bdec03bcc29fedad37d0dbda95ea
-
Filesize
1KB
MD505471356f0ea1c0f5f5b8deb29c3ebd1
SHA112b14b737d1e0f76ca2494fb7a6841e5792a0504
SHA256cf59479c75a8803468dd2a2c1d2803a2694c41992d5a0b3b65b1c69c28d1eac7
SHA512942285259612792c2b3a45a65483e0775314841e397e815d447fd8f69f63f5de1ac48653a051c0121bd73415655c468772d39ce72bb1ba3d8ae367f78143502b
-
Filesize
218B
MD5a5ffacb76079366b573d25fec3dccf7f
SHA15039dc66332fdade2b16d3b9065fb5fc9061f6ba
SHA25624ab295f3ea0d46fc827398c8b1d3b23752de36c8100bcfc4b5f011915b4f4f8
SHA51285b40e401e88dd13f84ec781956980c59ccb338f3953240da0be5bf17ce7d42d1654cada7e8fc70a52a2a1befb697f7ad63622c2f97f7659d481e315fb4f1046
-
Filesize
128B
MD5de77acb4970462a84d1418426ef768c0
SHA19f9420eecfda1a228b31ba6a7a7cac2a2885d59e
SHA256533d3759b2dc9f801b1440002bbe45a19099d87378faa7cd1ca38b6ed15c91cf
SHA512c9bd51a8f42d51e4ecf3b699aaf5c907fb85d4c727f376677604f7bac369740a13953631c4164c988707e64494c8ecb7164074b782ce2a544220b1abd0aef0dc
-
Filesize
7KB
MD5481a357d27e7c1a2cfbe617f14600b8b
SHA15c29901995a3d345eaa0d3cc9ee763ec21638b89
SHA256970b56f67e1996e434fc45c12b5157fb96ae4886b3ea4e77fad2e86fc78321aa
SHA5123504010edfa0f8a17b888fdaa1631c5a2efc20a5689bb8cc06fe1a6a95067cc1ebd6ef52d2ea8c52867b7e16280292972025358beccf0937313822c6199b2bfd
-
Filesize
147B
MD59e058306bf7f9c484a7553dcd1a080ad
SHA198670b4b9c36eea14078343272418104aee382c0
SHA256245c3a8cf02aa38b997b3a4eea47b1872c68d882a2e63c19e142b5f3e72a9d0c
SHA512bd4455afc947671eae07099d026124aeeda1c2f0ecac05f1fdf48bbe7ad2213d42dc797282cf1e7a206232d2463d8765944e6e9db8ce5c404f64b6d0c6f16fa0
-
Filesize
249B
MD5e8deb513d9050736b3f4a8ec8c9645a4
SHA1dd47fba6ee3b5ea80176af7ea302f9aae22f226a
SHA25687a0817da57464dee6c6ed36311ba76ae523884e2a6b4be77592c2c285924cc6
SHA5125d256b53c62654529601d0c210060655ad708d2ac5c6c57fd4d8d5ee6d872e9b6c746ae94a637a01e37554835d2f2029c1c37f8195956f5db41667852a739dce
-
Filesize
111B
MD53cb76846869bcbb44cebf7c7e4c6218c
SHA16d05544d37255fff5b838d3f3b7e0113fbb67c03
SHA256a6c5a78cb4cb2427005933c394abc76ed075e3c7fb996e14802b306a7838bcf2
SHA512a6017cccc5692992bcd9069f4593d3d56af9146628d9716daa0a663941a22522d2fe265dc1bc727b9eaeef1b06027c6d2b077db9ee2ea73802621ff89c980e58
-
Filesize
220B
MD50ba0411f0d555bebb7752316e799f779
SHA14bdc902ee5300a65a4bad277f2a8b0175da7674d
SHA256d7c456e54e9a5621b7df7cce19994ac3dd348ee98b086ae43112348c7935da06
SHA5126738b93630327a2c2ef326abc4b896533523c602d57cd8a2305b151efd1e727938f6afce4e090e92d74964a01d748666a24847d537caf46e1a562c98927f9275
-
Filesize
202B
MD5c6e2a6fe68bdcf28fd4632bcdea5a8ee
SHA14b8239cdafbba61992260695dc0e5249e37cb18c
SHA2561a790c636b4b92759ff47ea50792fec9d7da67d2764b49d64644fc562c35a908
SHA5120115a40e16647873223d6450b00b2168a00282b6decebbd92722a64c9625bdfa79bc65645e8fe021f76201f72a78c46676037953ea2918114e26b1076a912067
-
Filesize
202B
MD5c6e2a6fe68bdcf28fd4632bcdea5a8ee
SHA14b8239cdafbba61992260695dc0e5249e37cb18c
SHA2561a790c636b4b92759ff47ea50792fec9d7da67d2764b49d64644fc562c35a908
SHA5120115a40e16647873223d6450b00b2168a00282b6decebbd92722a64c9625bdfa79bc65645e8fe021f76201f72a78c46676037953ea2918114e26b1076a912067
-
Filesize
104B
MD566f27c86f734b28d170f3c4e1db8958e
SHA125557a67a5dc675e518e1bd83b32d346cc95025c
SHA2561e9a3e5b03f1f763274fd17b8f5c64e2629923dd0c9cfc94865eadef9c69e90b
SHA512f793c9742586e3150974e490c849dd0ed7a6a57e31d7affcc02406662e81378218991e6dbe63105db01cf7c352f1e76b4e71249fe8781a880258f9e9cab7fd7d
-
Filesize
18B
MD5e57a11eb25dd25ed755c1839d0e4a9b7
SHA1e26d908081f93f2f28cef5091fd43a3ca1920dcf
SHA256c196c15d05b0197ea127877380a5001d6b294083c4fd92e62be55438e6a7bdff
SHA5121e2b50c39b67f0f1ac0cec2126817b033355147923ae8303b82ea9e19194820e9796c5cbff4af4f89683b471f4b7262dbd3953bdd7d87bfcd2cdaaf0991ad607
-
Filesize
10B
MD57aba77b3cbdf0b7c78cee71d55dd6f50
SHA1e1c06f4fc0029aa239aa2a8d5d6a0ec6bbd89516
SHA2569b972e91c3c303336561ca43420e9a808c34812246b9fe6d85c22bf005254e3a
SHA512d6e8770db9f96c32dc76fa2d8a78f50a24938be6e2aabd3214080a4db0ec497ec5ce6ae1b481d8b0bb442779812e7222e435d8f5e6b5dd763c46a959a4c14f34
-
Filesize
40B
MD5e9ca92728d880c80a242d55390769d37
SHA1c82e73e41912b3543150d2f8e520b77e66c64876
SHA256a67f7e91a028d2695cdacf984b5fd2f33ee90e95d84467df1e33a94e3573e19e
SHA51270fc9d051486e2ec964baefedf4fb8959baa3dee74887028dd4ff4337ecf0f70012c9eec855f1a65e9f141d3b76d9c616039a292e779ce690f1e191397eb088c
-
Filesize
7KB
MD53812ad0f97e49c3b17159b77fbac1b14
SHA1d20e98479941c68ac8b128a61c68f7200f0b5562
SHA256f43ad74273df8a99d90709993f5db44b38e1ff943db77c9986a2c091055b0e3e
SHA512003340fdfd0b7fe6a5fafe19ed09bd5b428461f36e2411915091dd95ee893991b792b7caa8019deeca651ec2da12f5c79b77f3f4278cf9194b04408e14c175b9
-
Filesize
7KB
MD53812ad0f97e49c3b17159b77fbac1b14
SHA1d20e98479941c68ac8b128a61c68f7200f0b5562
SHA256f43ad74273df8a99d90709993f5db44b38e1ff943db77c9986a2c091055b0e3e
SHA512003340fdfd0b7fe6a5fafe19ed09bd5b428461f36e2411915091dd95ee893991b792b7caa8019deeca651ec2da12f5c79b77f3f4278cf9194b04408e14c175b9
-
Filesize
7KB
MD53812ad0f97e49c3b17159b77fbac1b14
SHA1d20e98479941c68ac8b128a61c68f7200f0b5562
SHA256f43ad74273df8a99d90709993f5db44b38e1ff943db77c9986a2c091055b0e3e
SHA512003340fdfd0b7fe6a5fafe19ed09bd5b428461f36e2411915091dd95ee893991b792b7caa8019deeca651ec2da12f5c79b77f3f4278cf9194b04408e14c175b9
-
Filesize
7KB
MD53812ad0f97e49c3b17159b77fbac1b14
SHA1d20e98479941c68ac8b128a61c68f7200f0b5562
SHA256f43ad74273df8a99d90709993f5db44b38e1ff943db77c9986a2c091055b0e3e
SHA512003340fdfd0b7fe6a5fafe19ed09bd5b428461f36e2411915091dd95ee893991b792b7caa8019deeca651ec2da12f5c79b77f3f4278cf9194b04408e14c175b9
-
Filesize
12KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
412KB
-
Filesize
12KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB