Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 146s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 09/01/2024, 08:50
Static task: static1
Behavioral task: behavioral1
- Sample: 4de14e1f14410aa4e3fe7dc5fddb0d5c.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 4de14e1f14410aa4e3fe7dc5fddb0d5c.exe
- Resource: win10v2004-20231215-en
General
- Target: 4de14e1f14410aa4e3fe7dc5fddb0d5c.exe
- Size: 1.1MB
- MD5: 4de14e1f14410aa4e3fe7dc5fddb0d5c
- SHA1: 711b726766937fb800a72d42e446e26457f1d9c0
- SHA256: 7208b596206e452421fa5c97cbe6ba44d5380d6fbaacd7e3fb0fd7c11b68eb89
- SHA512: efe6fd33f87f20df915b7db5a36f97b176c77b3f5e7af821eb068f028a11bb31d39a8ced31c6426f0935c8a980fef4c9a0bef3d531c3c61ea286eb17374e5214
- SSDEEP: 12288:gp4pNfz3ymJnJ8QCFkxCaQTOl2GVqCw+fCbBmBCHB:aEtl9mRda1VICwoCHB
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" (process: 4de14e1f14410aa4e3fe7dc5fddb0d5c.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" (process: HelpMe.exe)

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Drops startup file (3 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk (process: 4de14e1f14410aa4e3fe7dc5fddb0d5c.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk (process: 4de14e1f14410aa4e3fe7dc5fddb0d5c.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk (process: HelpMe.exe)

Executes dropped EXE (1 IoC)
- PID 2756: HelpMe.exe

Loads dropped DLL (2 IoCs)
- PID 2256: 4de14e1f14410aa4e3fe7dc5fddb0d5c.exe
- PID 2256: 4de14e1f14410aa4e3fe7dc5fddb0d5c.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by 4de14e1f14410aa4e3fe7dc5fddb0d5c.exe, 23 drive roots: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- File opened (read-only) by HelpMe.exe, 23 drive roots: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:

Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification: F:\AUTORUN.INF (process: 4de14e1f14410aa4e3fe7dc5fddb0d5c.exe)
- File opened for modification: C:\AUTORUN.INF (process: 4de14e1f14410aa4e3fe7dc5fddb0d5c.exe)
- File opened for modification: F:\AUTORUN.INF (process: HelpMe.exe)

Drops file in System32 directory (4 IoCs)
- File created: C:\Windows\SysWOW64\HelpMe.exe (process: 4de14e1f14410aa4e3fe7dc5fddb0d5c.exe)
- File created: C:\Windows\SysWOW64\HelpMe.exe (process: HelpMe.exe)
- File opened for modification: C:\Windows\SysWOW64\HelpMe.exe (process: HelpMe.exe)
- File created: C:\Windows\SysWOW64\notepad.exe.exe (process: HelpMe.exe)

Drops file in Program Files directory (1 IoC)
- File created: C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe (process: HelpMe.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 2756: HelpMe.exe

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2256 wrote to memory of 2756 (process: 4de14e1f14410aa4e3fe7dc5fddb0d5c.exe, procid_target: 28), recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\4de14e1f14410aa4e3fe7dc5fddb0d5c.exe (depth 1, PID 2256)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4de14e1f14410aa4e3fe7dc5fddb0d5c.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Drops startup file
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\HelpMe.exe (depth 2, child of PID 2256, PID 2756)
    Command line: C:\Windows\system32\HelpMe.exe
    Signatures:
    - Modifies WinLogon for persistence
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: 5e2f054443dd56e314db9e1779605c4a
  SHA1: e88bf5e6d5a907e39822319e273e80f40480fee7
  SHA256: 538a257bd544e9e735424ded670ee3cacd3ee8018c4d6252d71308fc1bcbbfc1
  SHA512: 93c5898d65299ca3edb02c6d8d3c34d47157ae264af03edfcf1c1a47ff80e68d6353f4ae97345cd7834e7958c7c9f63875a423e40642c5fadf381f418a16a621
- Filesize: 1KB
  MD5: b229407c6502607dc2440c98c2b03a53
  SHA1: b32355a34be01efec3f0e0312811e7e321c7764a
  SHA256: 34a3d6d842886a8af01b5386041564d11823b20e36a6c07a97a2a130c253a72d
  SHA512: e857af4c7d46a5d26b5e63648b9225a2668756931fac3a98fb971d06a17e803a6202966f5f4156cc3c99adcd6c2c406d0b233816dd898a696600950647a773ee
- Filesize: 954B
  MD5: a6fe7448232fe93c99c2c334d8487d63
  SHA1: 293cda230fc33109f8a76a5dbdcd2485f90e3574
  SHA256: 00ff7c4369563562d0b642581ced148ca7ea52e164518b34fe8cb557ab710fb0
  SHA512: 93ce623fec5ac874cc88a2a24707812705feaa51a2a1e8079db7ca7a9f6062432c4d91fbc99ceb5085eab0875d5aeca9454118f33ec4ed454d626df5e5b65002
- Filesize: 145B
  MD5: ca13857b2fd3895a39f09d9dde3cca97
  SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
  SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
  SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
- Filesize: 1.1MB
  MD5: 4de14e1f14410aa4e3fe7dc5fddb0d5c
  SHA1: 711b726766937fb800a72d42e446e26457f1d9c0
  SHA256: 7208b596206e452421fa5c97cbe6ba44d5380d6fbaacd7e3fb0fd7c11b68eb89
  SHA512: efe6fd33f87f20df915b7db5a36f97b176c77b3f5e7af821eb068f028a11bb31d39a8ced31c6426f0935c8a980fef4c9a0bef3d531c3c61ea286eb17374e5214
- Filesize: 656KB
  MD5: 42aeb35ba06d64d0dd6ad16a6a6267b1
  SHA1: 2d3008e48d0688f81ab4f135688c43ffaee50ca6
  SHA256: f5e79f674bd393ae30df4133ead14857dc915fda93e35c1f98a89353f330a990
  SHA512: cf64ebb3ab3c9eaa83a4e2b95f0d9e1c39941f6395916ea7798db20b6f84550968952e79ebbc1a80d326dc591b094f61093c9461007a51fc2d5591a2f99330d5