Analysis

  • max time kernel
    145s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/01/2024, 22:25

General

  • Target

    421118bd571a834357ec49375308462e.exe

  • Size

    845KB

  • MD5

    421118bd571a834357ec49375308462e

  • SHA1

    30df90656713ea3847b0caf7296aa65d149c55c1

  • SHA256

    1d516331c26fc4b1a10921da6c8866fefdaa138d8d9c8d3da021218e962a482a

  • SHA512

    b8297a0ef67fa97942ef6849ff1fa564811d3b7529f9545224fa8913f0d75c028cf21f9404bb7802866543c18ca76f59d7e75108465b7c0293e100e0765303ec

  • SSDEEP

    12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2K9KB8NIpYJTCiJ:xEtl9mRda1rKB8NIyX

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Renames multiple (91) files with added filename extension

    Triage's generic description of this signature is that it suggests ransomware encrypting all the files on the system. Check the dropped-file list before accepting that reading: the renamed artefact that surfaces in Downloads here is desktop.ini.exe, an existing file re-emitted with a trailing .exe, which is equally consistent with a file-infecting worm.

  • Drops startup file (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file (1 TTP, 3 IoCs)

    Malware can abuse Windows AutoRun to spread further via attached volumes. Since KB971029 (2011) Windows ignores autorun.inf on USB storage (optical media excepted), so on a patched host the file is a spreading indicator rather than a guaranteed execution path. Here it is written to F:\ next to F:\AutoRun.exe.

  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (4 IoCs)
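The report flags Winlogon modification by both processes but does not show which value was written. The following is an added example, not code from the Triage report or from the sample: it compares the two Winlogon values most often abused for persistence (Userinit and Shell) with their stock defaults and reports any appended entry. The sample value strings in demo() are constructed; HelpMe.exe appears in them only because it is the executable the report shows being dropped, not because the report shows it in the registry.

```python
"""Check the Winlogon autostart values for appended entries.

Added example; not code from the Triage report or from the sample.
Compares the Userinit and Shell values with their stock defaults and
returns every extra comma-separated entry. The registry strings in
demo() are constructed for illustration.
"""
WINLOGON_SUBKEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock values on a clean install. Userinit normally reads
# "C:\Windows\system32\userinit.exe," (trailing comma included).
DEFAULTS = {
    "Userinit": {"userinit.exe"},
    "Shell": {"explorer.exe"},
}

# Checked in this order so the longer system32/SysWOW64 prefixes win.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")


def _normalise(entry: str) -> str:
    """Lower-case, drop surrounding quotes, and strip a Windows system directory prefix."""
    e = entry.strip().strip('"').lower()
    for prefix in SYSTEM_DIRS:
        if e.startswith(prefix):
            return e[len(prefix):]
    return e


def suspicious_entries(value_name: str, value_data: str) -> list[str]:
    """Return entries in a Winlogon value that are not part of its stock default."""
    expected = DEFAULTS[value_name]
    entries = [_normalise(x) for x in value_data.split(",") if x.strip()]
    return [x for x in entries if x not in expected]


def check_live_registry() -> dict[str, list[str]]:
    """On Windows, read the real values (winreg is Windows-only); elsewhere return {}."""
    try:
        import winreg
    except ImportError:
        return {}
    findings = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_SUBKEY) as key:
        for name in DEFAULTS:
            data, _ = winreg.QueryValueEx(key, name)
            findings[name] = suspicious_entries(name, data)
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed values: a clean Userinit and a Shell with HelpMe.exe appended."""
    samples = {
        "Userinit": "C:\\Windows\\system32\\userinit.exe,",
        "Shell": 'explorer.exe,"C:\\Windows\\SysWOW64\\HelpMe.exe"',
    }
    return {name: suspicious_entries(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    print(demo())
    print(check_live_registry())
```

The normalisation deliberately strips both system32 and SysWOW64 so a 32-bit dropper's redirected path and a 64-bit one compare the same way; anything left over after removing the stock entry is reported as-is so the analyst sees the exact appended name.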

Processes

  • C:\Users\Admin\AppData\Local\Temp\421118bd571a834357ec49375308462e.exe (PID 2216)
    Command line: "C:\Users\Admin\AppData\Local\Temp\421118bd571a834357ec49375308462e.exe"
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\HelpMe.exe (PID 2992, child of 2216)
      Command line: C:\Windows\system32\HelpMe.exe
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory

    Note the path mismatch on the child: it is launched as C:\Windows\system32\HelpMe.exe but its image is C:\Windows\SysWOW64\HelpMe.exe. The sample is 32-bit (arch:x86 in the resource tags) running on windows7_x64, so WoW64 file-system redirection maps its "system32" writes and launches to SysWOW64. On 64-bit hosts, hunt for the file under both directories.

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3470981204-343661084-3367201002-1000\desktop.ini.exe

    Filesize

    260KB

    MD5

    08eb34506ff7fc730620eb840b9c4ae1

    SHA1

    0814525d1e88866a10f4085fd7c6fd622bf03dc7

    SHA256

    969d0bc4bb71a5a2b551a3d46aee96cb04d6490ddf652a829fbe608887f1693a

    SHA512

    056f42767970bae61a2d26a21163285a78b910f4588d1a19927af77bd4f131e7427e7e71f2f95c41912e187c10a92d429a556737bb5b1ed4126c42a479a5ca62

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    4d515e55bdbfc89a7f7bdffc2604a389

    SHA1

    88418f75338f49afba5bc6398948dac330865734

    SHA256

    fb235de09fa1a7756c2cd0a5792d2659a698487fb582edfc902db91d2cb0b766

    SHA512

    efacf880da502638f206a126ce669b8f5bd2ea650a4ae0c1e0508e0a898d4aaa4db5663957509de91967b03560b9910478d5b9989ac847f27c48c47b44f11505

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    cfd5104c82653e8c4cfe0e30d0930d9f

    SHA1

    4b0e16e5f64619fe8d0fb79efefc53967334d2a4

    SHA256

    7ca2d708114b982011724bf304810ca56fa3e86f6b966ec9136bcc36ee0e9458

    SHA512

    4360a895611d6efd1689dbae974d4074986fccfc42a928ea8f1b21b4653135eee62278a06007f4fe804e591cbd34aa8f7fc82b38e0144eecc02d7179dc3b4d0a

  • C:\Windows\SysWOW64\HelpMe.exe

    Filesize

    385KB

    MD5

    1bcd4d59da0c647f940839276ac9e7d2

    SHA1

    11fae1d6c7dd6937fd5542df74058b0b4a5c105c

    SHA256

    b7f46633e6e0ed83258284984406577aec7478605d56f55f4d4d1d82a98dd307

    SHA512

    fb0caaa6d3f0c80c553a7cf6efc56da033ac3dfb0a890f6da66147a64783c1a5557627473875f1c72d7762f868b0bdfe5a8984b0c609f6afd20ed92bcedb6f12

  • C:\Windows\SysWOW64\HelpMe.exe

    Filesize

    392KB

    MD5

    07a2155a07c53c924f83f17d31731a4a

    SHA1

    1cd9fd9198fc5641f5aaf1391fb627b362d624a4

    SHA256

    2e6a83f156d5a21ea8692a8a5aa79fdaa98388cc45fbf3015f92953c5a2d08ef

    SHA512

    7f42767a506be17a3e4159edf8b3d93f45f7babd102139328163a40143ca8e85619a4133f26da9ddc169744ebbfe8c456dae156bfc1dda8decc911ff17734ef6

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    193KB

    MD5

    b5902c0f74063f326a876d44e64fdc86

    SHA1

    a90efac297696f3238c04cb74effdd663671aca8

    SHA256

    65a386833c968ec12457904b93e42d4b949e0774fa1061688fa65a66e9c46a04

    SHA512

    2246358211eac0b7d3e69a9fa4bbba5f4d6ae267d4cdd45b0e3477c112f21ce9dd6e809fa0c35e9b393333a148fee7bdb93e1dd710b689923bb87556bbcf4bf2

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    840KB

    MD5

    9ceab6b4251f70590a4cf63e4289e8ae

    SHA1

    a554029c53b79af300aaff7d4949ce661d9f5df5

    SHA256

    67c12fe54530b040271b70e8e746a5fe243c4efa9ddacaa058f9a7396888116a

    SHA512

    4838407fd58a5b484cdf400197047a5ed24e4e5631fcde66646b11e49d56884192ddd06d217987a9379cc8c2b760732e02c9814ad9d2880878a3ab4fd92fd33e

  • memory/2216-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

    Filesize

    4KB

  • memory/2216-236-0x00000000003C0000-0x00000000003C1000-memory.dmp

    Filesize

    4KB

  • memory/2992-9-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2992-237-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB
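The Downloads list above gives hashes for the dropped AUTORUN.INF, AutoRun.exe, desktop.ini.exe and the three HelpMe.exe variants. The following is an added example, not code from the Triage report or from the sample: it scans a mounted volume for the three behaviours the report flags, namely an AUTORUN.INF that names an executable to launch, files that gained a trailing .exe, and SHA256 matches against the report's hashes. The AUTORUN.INF contents used in demo() are constructed; the report gives only that file's size and hashes, not its text.

```python
"""Triage the dropped-file indicators from this report on a suspect volume.

Added example; not code from the Triage report or from the sample.
The AUTORUN.INF text and placeholder executables built in demo() are
constructed so the scan runs offline; only the SHA256 values are taken
from the report.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA256 values copied from the report's Downloads section.
KNOWN_SHA256 = {
    "b7f46633e6e0ed83258284984406577aec7478605d56f55f4d4d1d82a98dd307": "HelpMe.exe (385KB)",
    "2e6a83f156d5a21ea8692a8a5aa79fdaa98388cc45fbf3015f92953c5a2d08ef": "HelpMe.exe (392KB)",
    "67c12fe54530b040271b70e8e746a5fe243c4efa9ddacaa058f9a7396888116a": "HelpMe.exe (840KB)",
    "969d0bc4bb71a5a2b551a3d46aee96cb04d6490ddf652a829fbe608887f1693a": "desktop.ini.exe (260KB)",
    "65a386833c968ec12457904b93e42d4b949e0774fa1061688fa65a66e9c46a04": "F:\\AutoRun.exe (193KB)",
    "cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae": "F:\\AUTORUN.INF (145B)",
}

# Data/document extensions that should never be followed by .exe (starting list).
DOCUMENT_EXTS = {".ini", ".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".lnk"}


def autorun_targets(text: str) -> list[str]:
    """Return executables an AUTORUN.INF would launch: open=, shellexecute=, shell\\<verb>\\command=."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"  # section name is case-insensitive
            continue
        if in_autorun and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(val)
    return targets


def double_extension_files(root: Path) -> list[Path]:
    """Find files such as desktop.ini.exe: a data extension with .exe appended."""
    return sorted(
        p for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() == ".exe" and Path(p.stem).suffix.lower() in DOCUMENT_EXTS
    )


def sha256_of(path: Path) -> str:
    """Stream the file so a large volume is never read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_volume(root: Path) -> dict:
    """Run all three checks over a mounted volume; paths are reported relative to root."""
    findings = {"autorun_targets": [], "double_ext": [], "hash_hits": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() == "autorun.inf":
            findings["autorun_targets"] += autorun_targets(p.read_text(errors="replace"))
        digest = sha256_of(p)
        if digest in KNOWN_SHA256:
            findings["hash_hits"].append((p.relative_to(root).as_posix(), KNOWN_SHA256[digest]))
    findings["double_ext"] = [p.relative_to(root).as_posix() for p in double_extension_files(root)]
    return findings


def demo() -> dict:
    """Build a constructed volume (placeholder bytes, not the real sample) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "AUTORUN.INF").write_text(
            "[AutoRun]\nopen=AutoRun.exe\nicon=AutoRun.exe,0\nshell\\open\\command=AutoRun.exe\n"
        )
        (root / "AutoRun.exe").write_bytes(b"MZ" + b"\x00" * 62)
        (root / "$Recycle.Bin").mkdir()
        (root / "$Recycle.Bin" / "desktop.ini.exe").write_bytes(b"MZ")
        return scan_volume(root)


if __name__ == "__main__":
    print(demo())
```

Point scan_volume() at the mount point of a suspect removable drive. Hash hits are the strongest signal; an AUTORUN.INF naming an executable on the same volume, or a document name with .exe appended, is worth quarantining even when the hashes differ, since the report already lists three HelpMe.exe variants with different sizes.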