Analysis

  • max time kernel
    145s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2023, 02:08 UTC

General

  • Target

    0b21e1149051218c49d7cf1f850cd37e.exe

  • Size

    629KB

  • MD5

    0b21e1149051218c49d7cf1f850cd37e

  • SHA1

    8f2a8a734c91ebf60abc6b65bf6dd21e93c4bd1b

  • SHA256

    aab24fcb8d398b1a8b1af7b2fbb4dcb1708857dbe96b661fbc8a8c82daaa5d83

  • SHA512

    8a0fdc4fd8133e60ca110f2839ed25520f410767f9d1582beac0d64d3ab4f4f1d71be9a184e8dd308d682e6c186fbf276e0b55e010ae3abf612af64d2c9e6db7

  • SSDEEP

    12288:pp4pNfz3ymJnJ8QCFkxCaQTOlxSU866w0B2uJ2s4otqFCJrW9FqvSbqsHasgXhFR:DEtl9mRda10SGB2uJ2s4otqFCJrW9FqT

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\SysWOW64\HelpMe.exe
    C:\Windows\system32\HelpMe.exe
    • Modifies WinLogon for persistence
    • Drops startup file
    • Executes dropped EXE
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    PID:2196
  • C:\Users\Admin\AppData\Local\Temp\0b21e1149051218c49d7cf1f850cd37e.exe
    "C:\Users\Admin\AppData\Local\Temp\0b21e1149051218c49d7cf1f850cd37e.exe"
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2220

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    6a0d427faf811c1eed245deb0daa789a

    SHA1

    03dc8c79ad0fb53131950b8693838b4db05346be

    SHA256

    b98089d3a4923f4ed0d136d52f331aa229abc65263623c739af2918835ad89b7

    SHA512

    cf34f19a9137d1bc0b5581810c9d58a36a7f1d67f90a5160a3100648485561b017c9d6095c1162aefc1fc4e6f6d6579184fa5ab9189bc8f1034f1641636f19f9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    954B

    MD5

    5e95e029ad54408520f9305ccb4fd67d

    SHA1

    6aa97fa45d9812a1bb9b3fb94a9bbb217fbc40b2

    SHA256

    8577159f84277dff597dc1cdf12f6774d34941c42eee2687f9c12c10b3f72b18

    SHA512

    f7fdebaa7d764d87ff6916b182e31ceb6e7446e3c99cda58421804f83f2cecff81101c784c4b3cf793ff7795db39a7c0e575666e1d85bac73530be2e0e930238

  • memory/2196-14-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

  • memory/2196-13-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2196-241-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

  • memory/2220-4-0x0000000000380000-0x00000000003FA000-memory.dmp

    Filesize

    488KB

  • memory/2220-10-0x0000000000380000-0x00000000003FA000-memory.dmp

    Filesize

    488KB

  • memory/2220-2-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2220-0-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

  • memory/2220-232-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB
