Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

41e48ab0a5...6c.exe

windows7-x64

10

41e48ab0a5...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    04/01/2024, 20:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41e48ab0a542c733e1825705d8b6346c.exe

  • Size

    533KB

  • MD5

    41e48ab0a542c733e1825705d8b6346c

  • SHA1

    5a24f2bfa964577538307390f303e49ca8ffcd65

  • SHA256

    9dbc93c5c4d375ef336f38f29311099229c8b93ba6106baa034ca6ef21ac4ec2

  • SHA512

    c411b19d38d266eadd8daef8ae54b996630a46670d43c93e5115d94a7557f3588e971f9b0a397ee12b48d3fbc5f480b6522f01aadcced98bfaf21619f5db948b

  • SSDEEP

    6144:282p4pFHfzMepymgWPnviP6Koa0nArn20l96tCF2eKNBDRlC8HQQDhy5OwbYBilK:gp4pNfz3ymJnJ8QCFkxCaQTOl2GVqi

Score
10/10
persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41e48ab0a542c733e1825705d8b6346c.exe
    "C:\Users\Admin\AppData\Local\Temp\41e48ab0a542c733e1825705d8b6346c.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:1944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1603059206-2004189698-4139800220-1000\desktop.ini.exe
    Filesize

    534KB

    MD5

    cb29631004484b972a31a839e9f0f535

    SHA1

    5450df729921db4df54a264fb66c27b4c753c802

    SHA256

    404c081dbeda5a9e73b4155e063a06241c0393ae9f2de9e3a64d8910c2147c18

    SHA512

    6ffa31694e55689cea8d8cb93cce959a16e023e6f4176cb309fd86d25e6f2d1de5bd52e3f0137a1eee8195d6b236036b7fbb05e9dfd1c486d9c79bac0406d5e2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    954B

    MD5

    ea1495cd4029f59eb0214b562571cd23

    SHA1

    31a95d027fb340a0d56fa439cb111c44e0855e2e

    SHA256

    172743d77381b5c14fc4fe292f9b766a334916c89f221a412ebad14468c638a9

    SHA512

    3b3bb863c43a787173d92dba134c616be7b251fe49cd7ce4905b4f08824b25332303656b6d7192ac22946243bb9f88c0a387b88bffce4bf2e5472c0fad9572b9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    fb5fac50facd0a0906c32ac10315a46e

    SHA1

    a686265c5fb41b9ac2e9d18c64113a01de168ff7

    SHA256

    d8c1ad1ad4387e76edf96caefabb5d3b2e74a08875dd74f843c6e5cf0eaa91a2

    SHA512

    cff6e22de182ff9591e871eb3a2a0f3d736c3902e8fc5c7073941fbfadf8cf2cfc89b63c25a3063f7a30becbad455d7c230e8a9f8a344cf6f518f74c9fb76df0

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    11KB

    MD5

    871fc1e779d2a9672cc881215a2c9a9f

    SHA1

    c1ad0aff0f193f508ea7323ae05439f967f9585b

    SHA256

    f1198e4ea7166ef79bd892fa68681c8e626b7bb052a902b834319efccf6f6b1d

    SHA512

    8b3f40c8211ea9acd903ea813ca63cc6b6822b32061a2524912eae7cddcce023f08ccd20d8ddb732595cb73592e9ac48014171f937a1b8a90d9359487032f27e

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    37KB

    MD5

    1ab98f1c6086a72df0f3cb416823b63c

    SHA1

    504d34cf546106b44183846ba712136a0ecaacd9

    SHA256

    5e89ea79db8b4b6fd939c50de33951e8c3e65ce0973e00fbaa7b2d2fa9f9b571

    SHA512

    54f0003c909d638fd8eeb88a4908c5cd8de593b35c041363ed54343370183499e33a41d74a74aebcf550bb9eefdc6c59ee543b14d75a9ab03c96ac3aaa2c22c5

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    532KB

    MD5

    06d024193cba53313355193c97398ce0

    SHA1

    0a5bebe99736c3cdd7c0dbb389ab22db0289236c

    SHA256

    68e435cf21ef3c47298ec0f2f125eddb9cdd8682653759de9657fafa95880b05

    SHA512

    7aaa1df60e3feac296487b65c2a0d59ef3671f11f56c62a5bec83142f11edbb1ca4a610d75f87a95df3c21f875316572fa1e2f1e8b2aabd25c254f947f46a048

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    533KB

    MD5

    41e48ab0a542c733e1825705d8b6346c

    SHA1

    5a24f2bfa964577538307390f303e49ca8ffcd65

    SHA256

    9dbc93c5c4d375ef336f38f29311099229c8b93ba6106baa034ca6ef21ac4ec2

    SHA512

    c411b19d38d266eadd8daef8ae54b996630a46670d43c93e5115d94a7557f3588e971f9b0a397ee12b48d3fbc5f480b6522f01aadcced98bfaf21619f5db948b

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    151KB

    MD5

    8b70d3bb695f98d6d1ecaa874cce8252

    SHA1

    aed2e21b034fdc0b1a92dad952ef36e4bbb90440

    SHA256

    f6324c457ba69eb2e478c3d04107c361bb25b58102816268d77d1ef2fe545dd7

    SHA512

    f89fba11acc4fb5f544918fd9bccb2d2cd4bc2c72aff5338e8f8cde40adc91bbc333de79cafbd0b528f1043eaa7efd5bffe4ec0f246810b7a1328dafa8439d05

    Download Submit

  • memory/1708-2-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1708-4-0x0000000001E70000-0x0000000001EE9000-memory.dmp

    Filesize

    484KB

    Download

  • memory/1708-0-0x0000000000400000-0x000000000047894E-memory.dmp

    Filesize

    482KB

    Download

  • memory/1708-95-0x0000000000400000-0x000000000047894E-memory.dmp

    Filesize

    482KB

    Download

  • memory/1708-236-0x0000000001E70000-0x0000000001EE9000-memory.dmp

    Filesize

    484KB

    Download

  • memory/1944-11-0x0000000000400000-0x000000000047894E-memory.dmp

    Filesize

    482KB

    Download

  • memory/1944-13-0x0000000000380000-0x0000000000381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1944-237-0x0000000000400000-0x000000000047894E-memory.dmp

    Filesize

    482KB

    Download