Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

7f8e93f336...dc.exe

windows7-x64

10

7f8e93f336...dc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    29/01/2024, 10:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7f8e93f336b2bf2c99e14ed63228fedc.exe

  • Size

    1.1MB

  • MD5

    7f8e93f336b2bf2c99e14ed63228fedc

  • SHA1

    186e534213f07843e341a69b57f6a6e3c9b9446e

  • SHA256

    f7d4a00e95238423ea0c19e44cef16830b488afb2ac3cbb18c0a1aae3750f88c

  • SHA512

    09d2f22ecb49c4f7880a23a1a0a838d5f8e589dd23d4d5038bb50d3bffe6631881a5b8136604855b826c86c74d0c17875392b61e15031ac4c7160210feccc235

  • SSDEEP

    12288:zMMpXKb0hNGh1kG0HWNAuCsltHlYzU+Wgn:zMMpXS0hN0V0HDIHyos

Score
10/10
aspackv2persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f8e93f336b2bf2c99e14ed63228fedc.exe
    "C:\Users\Admin\AppData\Local\Temp\7f8e93f336b2bf2c99e14ed63228fedc.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1364
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1268429524-3929314613-1992311491-1000\desktop.ini.exe
    Filesize

    1.1MB

    MD5

    0c8111da1eb3225397359b01d57513ba

    SHA1

    553a7480c34e0d220c7a99a590ebac2a480be4eb

    SHA256

    474968f9755d96658fdbb339d70c1c2a92870d91a6ba7aaba4e55263801e3258

    SHA512

    a4124d1a39670da8c8f073330bf17127e5c4d3df21c381f8280387b8d8a4f78330a7c3962426289cf8c3d539987ef241f333e50da6031b3592b17d9fe1c8c2b6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    3fa5878aa40d31915874ab896f766071

    SHA1

    81f25a20a7c81c1f1895324940d0362cb5de54fb

    SHA256

    535e30f090e88097685d10f8efaf38c93826f09c6605639890f31203f703d76d

    SHA512

    06704aee1e3dd0f3c886cbe754a108ffadf4b1b9e0a1c2bd47431d0cfddc172b48a29c8d13b0ab029f23613512e2024bdc3ab7c3ce8ba56a8dfd7e4976f45ffc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    954B

    MD5

    44aae7306907d42e838eeeb4c1225b65

    SHA1

    4909c7e4d7f71dd939e7fd0a9b1a4df7249f5e5d

    SHA256

    7f279267b559bca261a52e7e1d4c44055a0af08ad503390d9fa77ff98599b8dd

    SHA512

    06af96085b8f6229b32c4a6020b0024a33f6613847e43ac7fc551232f05245af2bfbabfc9e45371e4d71fba556629ae982aead984202e659f6d1dbe25f6d99be

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    1.1MB

    MD5

    7f8e93f336b2bf2c99e14ed63228fedc

    SHA1

    186e534213f07843e341a69b57f6a6e3c9b9446e

    SHA256

    f7d4a00e95238423ea0c19e44cef16830b488afb2ac3cbb18c0a1aae3750f88c

    SHA512

    09d2f22ecb49c4f7880a23a1a0a838d5f8e589dd23d4d5038bb50d3bffe6631881a5b8136604855b826c86c74d0c17875392b61e15031ac4c7160210feccc235

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    1.1MB

    MD5

    7930f19c44280f3b5228bff5bb968ce5

    SHA1

    a4e04359fb5c6e5f59f6881109f58ea6c32ed5d4

    SHA256

    4cd5b7e79c9958a711b425aeb9e37886c7c9f56bb5e4b708d3b480cd071f39be

    SHA512

    2347f8539d59119cd80eae40993110c56d54cd51612dec3918bd587720fbf1e8a22903db7afe0711fe4dfa3db7f697277c846c778bccf3a4f841a46e4d612656

    Download Submit

  • memory/1364-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1364-240-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2236-9-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2236-241-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download