Analysis
max time kernel: 145s
max time network: 123s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 19/03/2024, 23:58
Behavioral task: behavioral1
Sample: d7675fd593ef2c42942787ebf9f35b1a.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: d7675fd593ef2c42942787ebf9f35b1a.exe
Resource: win10v2004-20240226-en
General
Target: d7675fd593ef2c42942787ebf9f35b1a.exe
Size: 274KB
MD5: d7675fd593ef2c42942787ebf9f35b1a
SHA1: a24022f1e69eb487c313d47b9308e41d4d9e79a4
SHA256: 2497676cc466ed3ec9d862a92d96c53941cfe40f00574908a447dec02eaeec8d
SHA512: a7fca31263e0eda569c512ba4b459f68dc80a5ee2ba5f7e7b0589d2540f7d2365aab03ee09ae4b0dd9ddc9bf52036bfb75676e97972108616cea562c7fa2d2c8
SSDEEP: 6144:riMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyAp08Y:ZMMpXKb0hNGh1kG0HWnAO
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description       ioc                                                                                                                       Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"   d7675fd593ef2c42942787ebf9f35b1a.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"   HelpMe.exe
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

resource                                        yara_rule
behavioral1/files/0x000b000000013a88-7.dat      aspack_v212_v242
behavioral1/files/0x0035000000015d39-38.dat     aspack_v212_v242
behavioral1/files/0x0001000000000026-55.dat     aspack_v212_v242
Drops startup file (3 IoCs)
description                    ioc                                                                                   Process
File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk   d7675fd593ef2c42942787ebf9f35b1a.exe
File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk   HelpMe.exe
File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk   d7675fd593ef2c42942787ebf9f35b1a.exe
Executes dropped EXE (1 IoCs)
pid    Process
1588   HelpMe.exe
Loads dropped DLL (31 IoCs)
pid    Process                                 entries
2768   d7675fd593ef2c42942787ebf9f35b1a.exe    2
1588   HelpMe.exe                              29
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description               Process                                 ioc (drive roots opened, 23 entries each: every letter A-Z except C:, D: and F:)
File opened (read-only)   d7675fd593ef2c42942787ebf9f35b1a.exe    \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
File opened (read-only)   HelpMe.exe                              \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description                    ioc              Process
File opened for modification   F:\AUTORUN.INF   d7675fd593ef2c42942787ebf9f35b1a.exe
File opened for modification   C:\AUTORUN.INF   d7675fd593ef2c42942787ebf9f35b1a.exe
File opened for modification   F:\AUTORUN.INF   HelpMe.exe
Drops file in System32 directory (2 IoCs)
description    ioc                              Process
File created   C:\Windows\SysWOW64\HelpMe.exe   d7675fd593ef2c42942787ebf9f35b1a.exe
File created   C:\Windows\SysWOW64\HelpMe.exe   HelpMe.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
description                        pid    Process                                 procid_target
PID 2768 wrote to memory of 1588   2768   d7675fd593ef2c42942787ebf9f35b1a.exe    28
(the same entry is recorded 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\d7675fd593ef2c42942787ebf9f35b1a.exe (PID 2768)
   command line: "C:\Users\Admin\AppData\Local\Temp\d7675fd593ef2c42942787ebf9f35b1a.exe"
   - Modifies WinLogon for persistence
   - Drops startup file
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops autorun.inf file
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\HelpMe.exe (PID 1588)
      command line: C:\Windows\system32\HelpMe.exe
      - Modifies WinLogon for persistence
      - Drops startup file
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Downloads