Analysis
- max time kernel: 145s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 25/02/2024, 12:41
- Static task: static1
- Behavioral task: behavioral1 (sample a3cf3f2c96208b3fdd58386a08e71ea4.exe, resource win7-20240221-en)
- Behavioral task: behavioral2 (sample a3cf3f2c96208b3fdd58386a08e71ea4.exe, resource win10v2004-20240221-en)
General
- Target: a3cf3f2c96208b3fdd58386a08e71ea4.exe
- Size: 3.0MB
- MD5: a3cf3f2c96208b3fdd58386a08e71ea4
- SHA1: 9ab2c4894cd8bec073655181bae5db6ffd28c707
- SHA256: 30226dff651f19f70cc1e594fc0232ea73059d7fe163d63c27673258d8efad44
- SHA512: e298375492acc4962052d97319351f1a60116d9d7e67c3d20d647f77850c6b34a123936a2fc8231016de0b634dd4d7379d74e8a8d99f94d05e8d98b510d8e406
- SSDEEP: 12288:Cp4pNfz3ymJnJ8QCFkxCaQTOl26ew+VsLkjrVlQB9FbDTF53nlNFRpO50w9XCfyx:8Etl9mRda1Ww3HA
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | a3cf3f2c96208b3fdd58386a08e71ea4.exe
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file (3 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | a3cf3f2c96208b3fdd58386a08e71ea4.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | a3cf3f2c96208b3fdd58386a08e71ea4.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
Executes dropped EXE (1 IoC)
pid | Process
2196 | HelpMe.exe
Loads dropped DLL (2 IoCs)
pid | Process
2204 | a3cf3f2c96208b3fdd58386a08e71ea4.exe
2204 | a3cf3f2c96208b3fdd58386a08e71ea4.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 drive letters, every letter except C:, D: and F:) | a3cf3f2c96208b3fdd58386a08e71ea4.exe
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (the same 23 drive letters) | HelpMe.exe
Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\AUTORUN.INF | a3cf3f2c96208b3fdd58386a08e71ea4.exe
File opened for modification | F:\AUTORUN.INF | HelpMe.exe
File opened for modification | F:\AUTORUN.INF | a3cf3f2c96208b3fdd58386a08e71ea4.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\HelpMe.exe | a3cf3f2c96208b3fdd58386a08e71ea4.exe
File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2204 wrote to memory of 2196 | 2204 | a3cf3f2c96208b3fdd58386a08e71ea4.exe | 28
PID 2204 wrote to memory of 2196 | 2204 | a3cf3f2c96208b3fdd58386a08e71ea4.exe | 28
PID 2204 wrote to memory of 2196 | 2204 | a3cf3f2c96208b3fdd58386a08e71ea4.exe | 28
PID 2204 wrote to memory of 2196 | 2204 | a3cf3f2c96208b3fdd58386a08e71ea4.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\a3cf3f2c96208b3fdd58386a08e71ea4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a3cf3f2c96208b3fdd58386a08e71ea4.exe"
   PID: 2204
   - Modifies WinLogon for persistence
   - Drops startup file
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops autorun.inf file
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\HelpMe.exe (child of PID 2204)
      Command line: C:\Windows\system32\HelpMe.exe
      PID: 2196
      - Modifies WinLogon for persistence
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Downloads