Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

032dea2d1b...d2.exe

windows7-x64

10

032dea2d1b...d2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    29/12/2023, 20:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    032dea2d1b675752515ca40898f051d2.exe

  • Size

    880KB

  • MD5

    032dea2d1b675752515ca40898f051d2

  • SHA1

    9c6a22799cb1c07f28095d314b4aed0d532846f0

  • SHA256

    d7b1bfbe9ec9e5b7907d9bb193e777d180a9007ea369c9a287a18f486707fbaa

  • SHA512

    e5833389342bf4d7bf2ee7a17e14407ab9f5e796e181823dc71e54ce17819b94c8c16d5d66944a04df6291f8d3705179e40b87203ead79327185eff72e7578a9

  • SSDEEP

    12288:Cp4pNfz3ymJnJ8QCFkxCaQTOl2QU8E4vbAfxu/F0ShFgFDTf2:8Etl9mRda1hc4kfxueSG2

Score
10/10
persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\032dea2d1b675752515ca40898f051d2.exe
    "C:\Users\Admin\AppData\Local\Temp\032dea2d1b675752515ca40898f051d2.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2132

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3470981204-343661084-3367201002-1000\desktop.ini.exe
    Filesize

    881KB

    MD5

    7d10b83296bdd4a1a9f3426b996613a9

    SHA1

    fe4a95b2674b8a080ad3433df77f22ad0ad114ea

    SHA256

    b587a8891c8203793d19aaf0f01df95a6db725c769439e16001fdfdfe588fc07

    SHA512

    5c8e8be445e48872f3041d34a2750e0c15ff9928dbb3c49dd138b5e9f7cde6cf4d7d3199de037ed94cde8ecce4974bdcddef88767ebc72c7721b8b14bf952c45

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    c40f75236d5864f28b61ba5c57984f2b

    SHA1

    ca513354cc7f8378539aa1bedc04bc9060d64bd6

    SHA256

    dc417dfac40e5f6e2153970d93b36b0f182c3374c3137a61751f5ca766ff6fe6

    SHA512

    1f2e91171a18c0e070458ae373ce2b33004851b1bdda3ee187ff56aa4957b74b7c4bb2fb1cebab380933f720858b218b2aff0b4409805c4fa90d2c0232c3a8b5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    950B

    MD5

    9630a3b908e0ffc039a75362e9c993d7

    SHA1

    4289d68ac224336b8a5821aed16af13e58f6f193

    SHA256

    0f80e169abb4e59517844dbdd7d3fb2147d481ac0e1085162f40facdf26190a6

    SHA512

    c52cd03f6adab8f7ac2552d83f00a0b57a4b38c796171ed90dc50d271523df1ae1ea636145f16de977d80f92b512c659f22966ae96237435502ed6247210117b

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    19KB

    MD5

    1bc9c095bd00edb6aefe059d16304ff9

    SHA1

    4054058b62006bc7c826652b502be165dbd1b7df

    SHA256

    f62ee1f7526d8503bc36aec5d26f6595f732f30b291b0899bf9ba88d1715d558

    SHA512

    685166b9615e9c8d8c646cd4e3aa52ba3a82c895664a3e2cdbd3139c4723e38e3d2971552e985a02b04a7caebdec1f07eeb2ba667cf864849d0cf418f013dfbe

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    11KB

    MD5

    cf2b5a18be817815e0e4081b183990c4

    SHA1

    dfbd771e3c609524509ea15894027946285a7bbd

    SHA256

    0dce68e7f0e4b55ad1f182c60692049fd0ce9e6e74ed9f8fa07a5a9da1ba9349

    SHA512

    f2111e3f4416e4690899709dbc37b0ad030cd2f4b73f41226d7759040071a62ba51fb9d70f4bcb3f01e5a3a6c27178abba2ab87f9372b935dd34e31a39cb8ed4

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    412KB

    MD5

    7be81d8bcc63d5499682d65a9b65efa8

    SHA1

    97089a23ea16880081c5c5f8672254309789613f

    SHA256

    e4e1210dcfa7b87b18f612779f42125b6416b43069538ef93885201409e8cbe7

    SHA512

    05ae6bea58e66bbbba1f841a1b67a63d2dff2d83493e13f698ac988f1de5318ab9190d6db51d39726677a0c5c265a7510c7366300cb3cb5cb057cbef228c8b46

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    388KB

    MD5

    7a947bf3d74042976f4325fbd9b18aa7

    SHA1

    391740372b61d4a60cdfcdbb3505ee9db7598603

    SHA256

    71cae251c6554f30484dd633519715ea1216048d027ebfd6f00326d8af5fcbb3

    SHA512

    af2b441e2a3553b7ac1869f0e51aa98e749dd7eb0d5da006daeb1ef28d26f656b7d1cf76590649305a1167366a5be77f8083f51dacca7c981ef72de2f70fcbba

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    588KB

    MD5

    bf29be0fd82db574dc96371e3af4f55a

    SHA1

    e46a16d43a0c39f2a8c82349f31c21dff9f77b8d

    SHA256

    8a8cac11a8c330d2d31dba06d52e35f702ffc94a648dbe2f2781b69c7ec530be

    SHA512

    a390e629735121231fa97d5220bf5b95d4a0ce2bc3e1deb4e6c23e265ee1d0fce8c68f032e651d183a04050f076ba9a35bcd1b61f23fb5622012295eb032061d

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    372KB

    MD5

    0731d8a812894006d538185c51f0f3bc

    SHA1

    7604d18bb4db867c4eb46e0e65eecad9e4819a54

    SHA256

    0b39abfc005ba9769f7384cf8dc03fdd872a37946dd408a839f038111f132eb2

    SHA512

    28c4885f25578ffb96c347411d41a305746fcf24a2aab2577ea0d5194eea29f7d6e2bb0f965e5cd597640269089e65d3a716bf469111380d20044b7241ebc72c

    Download Submit

  • memory/2132-10-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2964-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2964-236-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download