Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 03:40

General

  • Target

    0d3df37aa8a77c5d709214548a8754a6.exe

  • Size

    2.6MB

  • MD5

    0d3df37aa8a77c5d709214548a8754a6

  • SHA1

    8a59fd156e89136c8e4ccb9d47d6681767415306

  • SHA256

    2e865b614c74214691ed21ac380db63c7bbaa4380bc2681a4e531fbb360f7d1f

  • SHA512

    ed4039bdcd9c066a4c79181a592ce58ab98d8e41cf9634bae0131fa7eb1feae41a427f67f7d40734498976cdaa17ff3660ff275f65a20d00da9559074d3fa699

  • SSDEEP

    24576:zMMpXS0hN0V0HDIH/SGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63x:gwi0L0qK6l

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 5 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d3df37aa8a77c5d709214548a8754a6.exe
    "C:\Users\Admin\AppData\Local\Temp\0d3df37aa8a77c5d709214548a8754a6.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:3052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3601492379-692465709-652514833-1000\desktop.ini.exe

    Filesize

    1024KB

    MD5

    1a94e3f4e3912b90b0cf21f33644cd90

    SHA1

    0e547cc5f4f581c0ac51d43af6e894f34d8b28d3

    SHA256

    07eb9714622d432e5f07467a53f5bdf019920e857b2041678f09b1bbadd8083e

    SHA512

    5d12c37e587a3aa7f8a038509693d187374a9cca1d2c0ea90470af9f25beb7853a73e8914c0f4b73a1ff8600f189d34f65c6deb8b7baa598cb03e2f1e9936361

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    133a377ece34fefd01c1098d6a71a993

    SHA1

    4b06999b2c7ed7ed4e1d13c1a8ae69ee45da6160

    SHA256

    0ea4f3d00f8a72ee9ea9a12065106472019af488fa2b888310b1dacb2c291a63

    SHA512

    1379761005314ceb80ca45e011c2dcbf8d5c9991b7319a1a4ba7733f989bf72f84a41be976b471eb15b43270591f4fd45300ed5814f364e4830e42313210dda2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    75dcb45fe4f4960471acdb2f126d1035

    SHA1

    87eecacb31d44835e900fd84afceaefd833938e7

    SHA256

    88ca97294f47feb10df09f88b10bd9c939d892152c7934baaaadc89d3dda6883

    SHA512

    85602129fd5d93ce5d4541ca23e00f871275039b2dcb68fb00b302a998b160db9cbb1460b3f9abdbad5bfa585dc1f7ff79c025cb571a6381fd8693d8245634d9

  • C:\Windows\SysWOW64\HelpMe.exe

    Filesize

    320KB

    MD5

    4d79fa18f8209fbb4c777f53e8b82082

    SHA1

    56745a4963b2f2c2fcdd335bb24b886cedc3d442

    SHA256

    729311e99cb7bd8db719c1b16baa1f9ef3bc847b1e38d4f7ab8a625a61c75481

    SHA512

    5addd3fe5cc3514d4a11b611051d6dd2e779bccb1eeab6c870db52da1812bbc406b563aac72250327141945c70640fca532560acd498b7ce99c9554e6c1b64e7

  • C:\Windows\SysWOW64\HelpMe.exe

    Filesize

    256KB

    MD5

    f23b6ffb3b96e87bcf7771cdc6158437

    SHA1

    23ee457123136f957e1b1a2b4c2208a421f89277

    SHA256

    093f9c458e0e460019af4fb26da79c6e2692e80bf120fcfc515a880f4803ee0c

    SHA512

    2ab66d6489bf2bb4b642afca822055c36976efff04dd29607b0537f5c9d2b49c396d33961d84aa0bb1603a5bb1c5582fabe34fd17388fdb35ac92081f800bb20

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    840KB

    MD5

    12ffc3068cfe2c03d0ae2bcc32f10d62

    SHA1

    7569fa4fafa0501e5b362057c6dba436d8ed1a94

    SHA256

    34c1de54b062e77c547acb5b9f5d3f933c978d79939610b7797e86780dee8b7d

    SHA512

    d5767b5cea6b0ef37ee90fb971838a6590d07408b1459ab5dfe3798e30ae2d36625f4c12e97757719deefafc87a32143f5dd05c18fb931b9127233148b65ec95

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    608KB

    MD5

    f05b87ee7dc5b9732e0be6ae53600d52

    SHA1

    f0ac72d3d3d0f856ffea7dd86e1bc018a429bf11

    SHA256

    54948932968190d8a74e1042ba7656310b2e3d0f2122bccd98280501d121602b

    SHA512

    90a2d4ddd91e8ea79f04a447b491d5414edd1b081551a89e9bfc37a2872a540ee4e47e3f1085579593661a0ea0e1458e326c95aba0416b695f348c4283cd61d8

  • memory/3032-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/3052-10-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB