Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

e693ba3857...2d.exe

windows7_x64

10

e693ba3857...2d.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    146s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    19/04/2022, 03:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe

  • Size

    7.4MB

  • MD5

    1cf5dd5e5b0074edcba997bb52ca95ca

  • SHA1

    aa64c566f081986367b805ce3093f188b7fa9af8

  • SHA256

    e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d

  • SHA512

    7373691c3a14fe7c4bfcbee3c9e0cf671a06ebe2ddfb011bca34e71edf2593cdd47ec08d32d0d46974da5a40ddf1d86c033574612756a308507dd9e7796c8134

Score
10/10
zhendiscoveryevasionexploitpersistenceransomwarespywarestealer

Malware Config

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses mpcmdrun utility to delete all AV definitions.

    evasion
  • Zhen Ransomware

    First seen in September 2020. Drops ransomnote as .ini file.

    ransomwarezhen
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Loads dropped DLL 13 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Kills process with taskkill 7 IoCs
    evasion
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
    "C:\Users\Admin\AppData\Local\Temp\e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:304
    • C:\ProgramData\e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
      C:\ProgramData\e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Loads dropped DLL
      • Adds Run key to start application
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM MSExchange*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:524
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM Microsoft*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1976
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM ora*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1940
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM mysql*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1604
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM tns*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1080
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM sql*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:204
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM postgres*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1060
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /F C:\Windows\Web\Wallpaper\Windows\img0.jpg
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1972
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" C:\Windows\Web\Wallpaper\Windows\img0.jpg /grant Users:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:668
      • C:\Program Files\Windows Defender\mpcmdrun.exe
        "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
        3⤵
        • Deletes Windows Defender Definitions
        PID:1568
      • C:\ProgramData\x64.exe
        C:\ProgramData\x64.exe 04298718c4ed4c0a282605560f30b8f0::72a50cf6d7d1042c8b2514f9768fa499 cfad00e8748eaea::7e9372bd97ed3aec6 25427320e7f946c9::7c3a5807a37a26a9 39d6c0440ea63b::33854dce8ddd35e877 exit
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:212
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 212 -s 564
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1604
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2016

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
    Filesize

    7.4MB

    MD5

    1cf5dd5e5b0074edcba997bb52ca95ca

    SHA1

    aa64c566f081986367b805ce3093f188b7fa9af8

    SHA256

    e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d

    SHA512

    7373691c3a14fe7c4bfcbee3c9e0cf671a06ebe2ddfb011bca34e71edf2593cdd47ec08d32d0d46974da5a40ddf1d86c033574612756a308507dd9e7796c8134

    Download Submit

  • C:\ProgramData\e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
    Filesize

    7.4MB

    MD5

    1cf5dd5e5b0074edcba997bb52ca95ca

    SHA1

    aa64c566f081986367b805ce3093f188b7fa9af8

    SHA256

    e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d

    SHA512

    7373691c3a14fe7c4bfcbee3c9e0cf671a06ebe2ddfb011bca34e71edf2593cdd47ec08d32d0d46974da5a40ddf1d86c033574612756a308507dd9e7796c8134

    Download Submit

  • C:\ProgramData\x64.exe
    Filesize

    423KB

    MD5

    1fc80528461d08dad2d9f234fa971add

    SHA1

    1c45209056da5f783cd707e7002597a31befb1c0

    SHA256

    17f606594427c58ff6cdf1270f83aa2595e9168b6cc1618665a1548650a40637

    SHA512

    0a71fd620ac01b031a240450a01af3ce592a228dbfcc74136a680946e36753e5107e8d45bc382baa3f5f30985321f1179fae504e59d13d8f469705b124b96156

    Download Submit

  • \ProgramData\MSWINSCK.OCX
    Filesize

    105KB

    MD5

    9484c04258830aa3c2f2a70eb041414c

    SHA1

    b242a4fb0e9dcf14cb51dc36027baff9a79cb823

    SHA256

    bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

    SHA512

    9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

    Download Submit

  • \ProgramData\MSWINSCK.OCX
    Filesize

    105KB

    MD5

    9484c04258830aa3c2f2a70eb041414c

    SHA1

    b242a4fb0e9dcf14cb51dc36027baff9a79cb823

    SHA256

    bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

    SHA512

    9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

    Download Submit

  • \ProgramData\MSWINSCK.OCX
    Filesize

    105KB

    MD5

    9484c04258830aa3c2f2a70eb041414c

    SHA1

    b242a4fb0e9dcf14cb51dc36027baff9a79cb823

    SHA256

    bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

    SHA512

    9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

    Download Submit

  • \ProgramData\MSWINSCK.OCX
    Filesize

    105KB

    MD5

    9484c04258830aa3c2f2a70eb041414c

    SHA1

    b242a4fb0e9dcf14cb51dc36027baff9a79cb823

    SHA256

    bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

    SHA512

    9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

    Download Submit

  • \ProgramData\e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
    Filesize

    7.4MB

    MD5

    1cf5dd5e5b0074edcba997bb52ca95ca

    SHA1

    aa64c566f081986367b805ce3093f188b7fa9af8

    SHA256

    e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d

    SHA512

    7373691c3a14fe7c4bfcbee3c9e0cf671a06ebe2ddfb011bca34e71edf2593cdd47ec08d32d0d46974da5a40ddf1d86c033574612756a308507dd9e7796c8134

    Download Submit

  • \ProgramData\e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
    Filesize

    7.4MB

    MD5

    1cf5dd5e5b0074edcba997bb52ca95ca

    SHA1

    aa64c566f081986367b805ce3093f188b7fa9af8

    SHA256

    e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d

    SHA512

    7373691c3a14fe7c4bfcbee3c9e0cf671a06ebe2ddfb011bca34e71edf2593cdd47ec08d32d0d46974da5a40ddf1d86c033574612756a308507dd9e7796c8134

    Download Submit

  • \ProgramData\e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
    Filesize

    7.4MB

    MD5

    1cf5dd5e5b0074edcba997bb52ca95ca

    SHA1

    aa64c566f081986367b805ce3093f188b7fa9af8

    SHA256

    e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d

    SHA512

    7373691c3a14fe7c4bfcbee3c9e0cf671a06ebe2ddfb011bca34e71edf2593cdd47ec08d32d0d46974da5a40ddf1d86c033574612756a308507dd9e7796c8134

    Download Submit

  • \ProgramData\e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
    Filesize

    7.4MB

    MD5

    1cf5dd5e5b0074edcba997bb52ca95ca

    SHA1

    aa64c566f081986367b805ce3093f188b7fa9af8

    SHA256

    e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d

    SHA512

    7373691c3a14fe7c4bfcbee3c9e0cf671a06ebe2ddfb011bca34e71edf2593cdd47ec08d32d0d46974da5a40ddf1d86c033574612756a308507dd9e7796c8134

    Download Submit

  • \ProgramData\x64.exe
    Filesize

    423KB

    MD5

    1fc80528461d08dad2d9f234fa971add

    SHA1

    1c45209056da5f783cd707e7002597a31befb1c0

    SHA256

    17f606594427c58ff6cdf1270f83aa2595e9168b6cc1618665a1548650a40637

    SHA512

    0a71fd620ac01b031a240450a01af3ce592a228dbfcc74136a680946e36753e5107e8d45bc382baa3f5f30985321f1179fae504e59d13d8f469705b124b96156

    Download Submit

  • \ProgramData\x64.exe
    Filesize

    423KB

    MD5

    1fc80528461d08dad2d9f234fa971add

    SHA1

    1c45209056da5f783cd707e7002597a31befb1c0

    SHA256

    17f606594427c58ff6cdf1270f83aa2595e9168b6cc1618665a1548650a40637

    SHA512

    0a71fd620ac01b031a240450a01af3ce592a228dbfcc74136a680946e36753e5107e8d45bc382baa3f5f30985321f1179fae504e59d13d8f469705b124b96156

    Download Submit

  • \ProgramData\x64.exe
    Filesize

    423KB

    MD5

    1fc80528461d08dad2d9f234fa971add

    SHA1

    1c45209056da5f783cd707e7002597a31befb1c0

    SHA256

    17f606594427c58ff6cdf1270f83aa2595e9168b6cc1618665a1548650a40637

    SHA512

    0a71fd620ac01b031a240450a01af3ce592a228dbfcc74136a680946e36753e5107e8d45bc382baa3f5f30985321f1179fae504e59d13d8f469705b124b96156

    Download Submit

  • \ProgramData\x64.exe
    Filesize

    423KB

    MD5

    1fc80528461d08dad2d9f234fa971add

    SHA1

    1c45209056da5f783cd707e7002597a31befb1c0

    SHA256

    17f606594427c58ff6cdf1270f83aa2595e9168b6cc1618665a1548650a40637

    SHA512

    0a71fd620ac01b031a240450a01af3ce592a228dbfcc74136a680946e36753e5107e8d45bc382baa3f5f30985321f1179fae504e59d13d8f469705b124b96156

    Download Submit

  • \ProgramData\x64.exe
    Filesize

    423KB

    MD5

    1fc80528461d08dad2d9f234fa971add

    SHA1

    1c45209056da5f783cd707e7002597a31befb1c0

    SHA256

    17f606594427c58ff6cdf1270f83aa2595e9168b6cc1618665a1548650a40637

    SHA512

    0a71fd620ac01b031a240450a01af3ce592a228dbfcc74136a680946e36753e5107e8d45bc382baa3f5f30985321f1179fae504e59d13d8f469705b124b96156

    Download Submit

  • memory/1884-62-0x0000000075311000-0x0000000075313000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1884-63-0x00000000047F0000-0x00000000052AA000-memory.dmp

    Filesize

    10.7MB

    Download