Analysis
  max time kernel: 145s
  max time network: 117s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 30/12/2023, 03:40
Behavioral task: behavioral1
  Sample: 0d3df37aa8a77c5d709214548a8754a6.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0d3df37aa8a77c5d709214548a8754a6.exe
  Resource: win10v2004-20231215-en
General
  Target: 0d3df37aa8a77c5d709214548a8754a6.exe
  Size: 2.6MB
  MD5: 0d3df37aa8a77c5d709214548a8754a6
  SHA1: 8a59fd156e89136c8e4ccb9d47d6681767415306
  SHA256: 2e865b614c74214691ed21ac380db63c7bbaa4380bc2681a4e531fbb360f7d1f
  SHA512: ed4039bdcd9c066a4c79181a592ce58ab98d8e41cf9634bae0131fa7eb1feae41a427f67f7d40734498976cdaa17ff3660ff275f65a20d00da9559074d3fa699
  SSDEEP: 24576:zMMpXS0hN0V0HDIH/SGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63x:gwi0L0qK6l
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"
    process: 0d3df37aa8a77c5d709214548a8754a6.exe
  description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"
    process: HelpMe.exe

Renames multiple (91) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.

YARA rule matches (resource / yara_rule)
  behavioral1/files/0x000a00000001224d-2.dat    aspack_v212_v242
  behavioral1/files/0x000a00000001224d-8.dat    aspack_v212_v242
  behavioral1/files/0x000a00000001224d-7.dat    aspack_v212_v242
  behavioral1/files/0x0031000000014852-38.dat   aspack_v212_v242
  behavioral1/files/0x0001000000000026-55.dat   aspack_v212_v242

Drops startup file (3 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    process: 0d3df37aa8a77c5d709214548a8754a6.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    process: HelpMe.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    process: 0d3df37aa8a77c5d709214548a8754a6.exe

Executes dropped EXE (1 IoC)
  pid 3052   HelpMe.exe

Loads dropped DLL (2 IoCs)
  pid 3032   0d3df37aa8a77c5d709214548a8754a6.exe
  pid 3032   0d3df37aa8a77c5d709214548a8754a6.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by HelpMe.exe (23 drive letters, every letter except C:, D: and F:):
    \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  File opened (read-only) by 0d3df37aa8a77c5d709214548a8754a6.exe (the same 23 drive letters):
    \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:

Drops autorun.inf file (1 TTP, 3 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  File opened for modification: F:\AUTORUN.INF   process: 0d3df37aa8a77c5d709214548a8754a6.exe
  File opened for modification: C:\AUTORUN.INF   process: 0d3df37aa8a77c5d709214548a8754a6.exe
  File opened for modification: F:\AUTORUN.INF   process: HelpMe.exe

Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\HelpMe.exe   process: HelpMe.exe
  File created: C:\Windows\SysWOW64\HelpMe.exe   process: 0d3df37aa8a77c5d709214548a8754a6.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 3032 wrote to memory of 3052
    pid: 3032
    process: 0d3df37aa8a77c5d709214548a8754a6.exe
    procid_target: 28
  (this identical row is recorded 4 times)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\0d3df37aa8a77c5d709214548a8754a6.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\0d3df37aa8a77c5d709214548a8754a6.exe"
     PID: 3032
     - Modifies WinLogon for persistence
     - Drops startup file
     - Loads dropped DLL
     - Enumerates connected drives
     - Drops autorun.inf file
     - Drops file in System32 directory
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\HelpMe.exe (spawned under the process above)
        Command line: C:\Windows\system32\HelpMe.exe
        PID: 3052
        - Modifies WinLogon for persistence
        - Drops startup file
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 1024KB
  MD5: 1a94e3f4e3912b90b0cf21f33644cd90
  SHA1: 0e547cc5f4f581c0ac51d43af6e894f34d8b28d3
  SHA256: 07eb9714622d432e5f07467a53f5bdf019920e857b2041678f09b1bbadd8083e
  SHA512: 5d12c37e587a3aa7f8a038509693d187374a9cca1d2c0ea90470af9f25beb7853a73e8914c0f4b73a1ff8600f189d34f65c6deb8b7baa598cb03e2f1e9936361

  Filesize: 1KB
  MD5: 133a377ece34fefd01c1098d6a71a993
  SHA1: 4b06999b2c7ed7ed4e1d13c1a8ae69ee45da6160
  SHA256: 0ea4f3d00f8a72ee9ea9a12065106472019af488fa2b888310b1dacb2c291a63
  SHA512: 1379761005314ceb80ca45e011c2dcbf8d5c9991b7319a1a4ba7733f989bf72f84a41be976b471eb15b43270591f4fd45300ed5814f364e4830e42313210dda2

  Filesize: 950B
  MD5: 75dcb45fe4f4960471acdb2f126d1035
  SHA1: 87eecacb31d44835e900fd84afceaefd833938e7
  SHA256: 88ca97294f47feb10df09f88b10bd9c939d892152c7934baaaadc89d3dda6883
  SHA512: 85602129fd5d93ce5d4541ca23e00f871275039b2dcb68fb00b302a998b160db9cbb1460b3f9abdbad5bfa585dc1f7ff79c025cb571a6381fd8693d8245634d9

  Filesize: 320KB
  MD5: 4d79fa18f8209fbb4c777f53e8b82082
  SHA1: 56745a4963b2f2c2fcdd335bb24b886cedc3d442
  SHA256: 729311e99cb7bd8db719c1b16baa1f9ef3bc847b1e38d4f7ab8a625a61c75481
  SHA512: 5addd3fe5cc3514d4a11b611051d6dd2e779bccb1eeab6c870db52da1812bbc406b563aac72250327141945c70640fca532560acd498b7ce99c9554e6c1b64e7

  Filesize: 256KB
  MD5: f23b6ffb3b96e87bcf7771cdc6158437
  SHA1: 23ee457123136f957e1b1a2b4c2208a421f89277
  SHA256: 093f9c458e0e460019af4fb26da79c6e2692e80bf120fcfc515a880f4803ee0c
  SHA512: 2ab66d6489bf2bb4b642afca822055c36976efff04dd29607b0537f5c9d2b49c396d33961d84aa0bb1603a5bb1c5582fabe34fd17388fdb35ac92081f800bb20

  Filesize: 145B
  MD5: ca13857b2fd3895a39f09d9dde3cca97
  SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
  SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
  SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  Filesize: 840KB
  MD5: 12ffc3068cfe2c03d0ae2bcc32f10d62
  SHA1: 7569fa4fafa0501e5b362057c6dba436d8ed1a94
  SHA256: 34c1de54b062e77c547acb5b9f5d3f933c978d79939610b7797e86780dee8b7d
  SHA512: d5767b5cea6b0ef37ee90fb971838a6590d07408b1459ab5dfe3798e30ae2d36625f4c12e97757719deefafc87a32143f5dd05c18fb931b9127233148b65ec95

  Filesize: 608KB
  MD5: f05b87ee7dc5b9732e0be6ae53600d52
  SHA1: f0ac72d3d3d0f856ffea7dd86e1bc018a429bf11
  SHA256: 54948932968190d8a74e1042ba7656310b2e3d0f2122bccd98280501d121602b
  SHA512: 90a2d4ddd91e8ea79f04a447b491d5414edd1b081551a89e9bfc37a2872a540ee4e47e3f1085579593661a0ea0e1458e326c95aba0416b695f348c4283cd61d8