Analysis

  • max time kernel
    145s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/02/2024, 12:41

General

  • Target

    a3cf3f2c96208b3fdd58386a08e71ea4.exe

  • Size

    3.0MB

  • MD5

    a3cf3f2c96208b3fdd58386a08e71ea4

  • SHA1

    9ab2c4894cd8bec073655181bae5db6ffd28c707

  • SHA256

    30226dff651f19f70cc1e594fc0232ea73059d7fe163d63c27673258d8efad44

  • SHA512

    e298375492acc4962052d97319351f1a60116d9d7e67c3d20d647f77850c6b34a123936a2fc8231016de0b634dd4d7379d74e8a8d99f94d05e8d98b510d8e406

  • SSDEEP

    12288:Cp4pNfz3ymJnJ8QCFkxCaQTOl26ew+VsLkjrVlQB9FbDTF53nlNFRpO50w9XCfyx:8Etl9mRda1Ww3HA

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    Appending an extension to many user files is a common indicator of ransomware encrypting the files on the system. In this run the added extension is .exe (see C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini.exe under Downloads, a 3.0MB file matching the sample's size), which is equally consistent with a file-infecting worm replacing files with executable copies of itself rather than encrypting them; inspect the renamed files before classifying the sample as ransomware on the strength of the rename alone.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows AutoRun to spread to other machines via attached volumes; here the sample writes F:\AUTORUN.INF next to F:\AutoRun.exe (both listed under Downloads). Windows 7 hosts with the 2011 AutoRun update (KB971029) no longer auto-execute autorun.inf from USB volumes, but the pair remains a reliable indicator of worm-style spreading, and the dropped executable still runs if a user opens it.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs
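The "Modifies WinLogon for persistence" signature above refers to the Winlogon Shell and Userinit values, which Windows treats as comma-separated lists of commands run at every interactive logon; appending a binary to either is a classic persistence trick. The following check is an added example for this report, not sandbox output or the sample's own code: it splits those values and reports any entry beyond the stock configuration. The registry values in CLEAN and MODIFIED are constructed (the report does not show which value the sample wrote, and the HelpMe.exe and Soft.exe paths in MODIFIED are assumptions for illustration); on a live Windows host read_winlogon_values() reads the real values via winreg.

```python
"""Detect appended Winlogon Shell/Userinit entries.

Added example for this report, not sandbox output. CLEAN and MODIFIED are
constructed values; the HelpMe.exe / Soft.exe paths are assumptions.
"""
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Expected entries (lower-cased) for a stock Windows 7 install. Userinit is
# stored with a trailing comma; Winlogon runs every comma-separated entry.
DEFAULTS = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
}


def parse_launch_list(value):
    """Split a Winlogon value into its commands, dropping quotes and empty items."""
    return [item.strip().strip('"') for item in value.split(",") if item.strip()]


def find_extra_entries(values):
    """Return (value_name, entry) pairs that are not part of the stock configuration.

    `values` maps value name -> raw REG_SZ string, as returned by read_winlogon_values().
    Comparison is case-insensitive; a comma inside a quoted path is not handled.
    """
    findings = []
    for name, expected in DEFAULTS.items():
        raw = values.get(name)
        if raw is None:
            continue
        for entry in parse_launch_list(raw):
            if entry.lower() not in expected:
                findings.append((name, entry))
    return findings


def read_winlogon_values():
    """Read the live values from the 64-bit registry view on Windows; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0, access) as key:
        return {name: winreg.QueryValueEx(key, name)[0] for name in DEFAULTS}


# Constructed sample values: a clean host and one with entries appended.
CLEAN = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}
MODIFIED = {
    "Shell": r"explorer.exe,C:\Windows\system32\HelpMe.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\Soft.exe,",
}

if __name__ == "__main__":
    live = read_winlogon_values()
    target = live if live is not None else MODIFIED
    for name, entry in find_extra_entries(target):
        print(f"Winlogon\\{name} contains an unexpected entry: {entry}")
```

Run it on the infected host (or against an exported hive) and treat any reported entry as a persistence candidate; the defaults are for Windows 7, so adjust DEFAULTS if a different build stores Userinit with a %SystemRoot% prefix.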

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3cf3f2c96208b3fdd58386a08e71ea4.exe
    "C:\Users\Admin\AppData\Local\Temp\a3cf3f2c96208b3fdd58386a08e71ea4.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2196

    The child is launched with the command line C:\Windows\system32\HelpMe.exe, but its image path is C:\Windows\SysWOW64\HelpMe.exe: the sample is a 32-bit process on this x64 image, so its write into system32 was redirected to SysWOW64 by WOW64 file system redirection. When hunting for this artifact on x64 hosts, look under SysWOW64 (the Downloads list below records it as \Windows\SysWOW64\HelpMe.exe, 2.9MB).

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini.exe

    Filesize

    3.0MB

    MD5

    2858e43bbd91667eea1cf6df5dd6ae59

    SHA1

    6e1aae7a000bdbd5102780e6a2707e3f81f63e12

    SHA256

    54409b1bf541683bbd08e5a1acc0544e149526f578cf76eaee984115150cb68a

    SHA512

    8717721024eb50e95b782c8e5e3c3650bbe0448c0c35a580adbd25866fe8c56936e3b18f4ab4d20d321b0680d1e4d8f990742aaca61a5b14b1264bedd92c7046

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    3c9fcb5c4722beac5eae448a141e5b6b

    SHA1

    93c5b071f69489b3cc0d3c505b924bf5bdd3a397

    SHA256

    46845957f400bb1e3239ac051e3ee2d3611affd0aef99e279ce5a48d39c02f4a

    SHA512

    447f589e226ee0cd05ae218af646dd59b4bc230639af31ba04fabf10b22b720df58399b8e70d1b841dff984aa17d77ba7f159dbc5d67996ae4a12ed552bb11a4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    954B

    MD5

    a0b9739291930094f077744456bff7a1

    SHA1

    845faf287b4be0aee08e32357db737e5a6e160f1

    SHA256

    23cb6178e321ea0d016ddff109c94b6f7d452eb0543627a13348c99cf7511592

    SHA512

    a8b46401ec03dc8744f77a9cd8ff388e8926a680d56f1d5e97dbbf5f50b0e6ee4f3feb11d22917b654dd1d0df36809ee9a6a63c26b4a459b674838221de2845c

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    871KB

    MD5

    04bea124f941f0de28352ffacd074a8a

    SHA1

    cd16837f8baa74463da1cc065cd44385c1a9a8ec

    SHA256

    6c48324a5390175f8ee1209bfcb411a69a37b99b910751ed6297fe6ba4ae0aa3

    SHA512

    4e65696e55fcef7cebf8ea9434fdaa43019226bacdb4f948c612d8ea157f16e2d72097a615faf2b9d1486c6a343e044b85d978a524ae8f5e3f33661492be846b

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    2.9MB

    MD5

    14da2c3f5cac2e3ff39a9253ca19eb58

    SHA1

    a8ee9013b03047a866b644dfc5009098c954ab94

    SHA256

    236357db7c63729ebde1b4ab0353b8396a351dc46bfd4db86596a58e7b3d8ad9

    SHA512

    824eb82d2cab61b966bc24fac5f1f9d26da7357a6589cb9b391e76f6cd204ba3ea1a6998c50081daab8c4c4585849f7751518ea75e10a649f364bb5400bd79ee

  • memory/2196-9-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2204-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB
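The F:\AUTORUN.INF and F:\AutoRun.exe pair listed above is the spreading mechanism behind the "Drops autorun.inf file" signature. The parser below is an added example for this report, not sandbox output or the sample's code: it reads an autorun.inf, lists every directive that would launch a program (open, shellexecute and shell\<verb>\command), and flags the action= text that worm-dropped files use to impersonate Explorer's own "Open folder to view files" AutoPlay entry. SAMPLE_INF is constructed to look like a typical dropped file; the page lists F:\AUTORUN.INF at 145 bytes but does not show its contents.

```python
"""Parse an autorun.inf and report the directives that would launch a program.

Added example for this report, not sandbox output. SAMPLE_INF is constructed;
the real contents of F:\AUTORUN.INF are not shown in the report.
"""
import configparser
import re

# Directives that name a program to run; shell\<verb>\command keys are matched separately.
LAUNCH_KEYS = {"open", "shellexecute"}
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

# Constructed sample modelled on worm-dropped autorun.inf files.
SAMPLE_INF = """\
[AutoRun]
open=AutoRun.exe
shell\\open\\Command=AutoRun.exe
shell\\open=&Open
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""


def _parse(text):
    cp = configparser.ConfigParser(
        interpolation=None,        # %SystemRoot% must not be treated as interpolation
        delimiters=("=",),
        comment_prefixes=(";",),
        allow_no_value=True,
        strict=False,              # tolerate duplicated keys, as Windows does
    )
    cp.optionxform = str.lower     # INF keys are case-insensitive
    cp.read_string(text)
    return cp


def launch_directives(text):
    """Return (directive, command) pairs from every [autorun*] section."""
    cp = _parse(text)
    found = []
    for section in cp.sections():
        if not section.lower().startswith("autorun"):
            continue
        for key, value in cp.items(section):
            if value is None:
                continue
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                found.append((key, value.strip()))
    return found


def target_executable(command):
    """First token of a command line, handling a quoted path."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""


def triage(text):
    """Return human-readable reasons the file looks malicious (empty list = nothing found)."""
    reasons = []
    for directive, command in launch_directives(text):
        exe = target_executable(command)
        if exe.lower().endswith(EXEC_EXTENSIONS):
            reasons.append(f"{directive} launches {exe}")
    cp = _parse(text)
    for section in cp.sections():
        action = cp.get(section, "action", fallback="")
        if action and "open folder" in action.lower():
            reasons.append(f"action text mimics Explorer's own AutoPlay entry: {action!r}")
    return reasons


if __name__ == "__main__":
    for reason in triage(SAMPLE_INF):
        print(reason)
```

Point triage() at autorun.inf files collected from removable volumes; the executable it names (here AutoRun.exe) is the file to hash and compare against the Downloads entry above.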