Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
155s -
max time network
192s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
25/06/2022, 08:31
Static task
static1
Behavioral task
behavioral1
Sample
39c629890b83c16730a8f14dcda8433af706d16321c2b690ee31ea3a51a81c30.exe
Resource
win7-20220414-en
General
-
Target
39c629890b83c16730a8f14dcda8433af706d16321c2b690ee31ea3a51a81c30.exe
-
Size
6.9MB
-
MD5
9e2ebebe5395613570f74fbb81fee5ab
-
SHA1
57d18968757efe10c0a87bba5cc55797653bb352
-
SHA256
39c629890b83c16730a8f14dcda8433af706d16321c2b690ee31ea3a51a81c30
-
SHA512
cb1101a1e978330666099b8b8ececd72fecd9163a15f544c509522bd36be11adf54a8514d37dc306d78a105d4e79b11132b8fc3c35d32187ab55f4ea18e1b580
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x00060000000231f2-182.dat acprotect behavioral2/files/0x00060000000231f1-181.dat acprotect -
resource yara_rule behavioral2/files/0x00060000000231f0-148.dat aspack_v212_v242 behavioral2/files/0x00060000000231f0-149.dat aspack_v212_v242 behavioral2/files/0x00060000000231f0-158.dat aspack_v212_v242 behavioral2/files/0x00060000000231f0-167.dat aspack_v212_v242 behavioral2/files/0x00060000000231f0-173.dat aspack_v212_v242 behavioral2/files/0x00060000000231ef-183.dat aspack_v212_v242 behavioral2/files/0x00060000000231ef-187.dat aspack_v212_v242 behavioral2/files/0x00060000000231ef-186.dat aspack_v212_v242 behavioral2/files/0x00060000000231ef-201.dat aspack_v212_v242 -
Executes dropped EXE 9 IoCs
pid Process 4996 Trojan delete.exe 3812 WinlockerBuilder.exe 3600 rutserv.exe 3392 rutserv.exe 1056 rutserv.exe 3496 rutserv.exe 2432 rfusclient.exe 3348 rfusclient.exe 3796 rfusclient.exe -
resource yara_rule behavioral2/files/0x00060000000231ea-134.dat upx behavioral2/files/0x00060000000231ea-135.dat upx behavioral2/memory/3812-136-0x0000000000400000-0x0000000000C89000-memory.dmp upx behavioral2/memory/3812-180-0x0000000000400000-0x0000000000C89000-memory.dmp upx behavioral2/files/0x00060000000231f2-182.dat upx behavioral2/files/0x00060000000231f1-181.dat upx -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation 39c629890b83c16730a8f14dcda8433af706d16321c2b690ee31ea3a51a81c30.exe Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation Trojan delete.exe Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
pid Process 3468 timeout.exe -
Kills process with taskkill 2 IoCs
pid Process 4412 taskkill.exe 4932 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings Trojan delete.exe -
Runs .reg file with regedit 1 IoCs
pid Process 340 regedit.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 3600 rutserv.exe 3600 rutserv.exe 3600 rutserv.exe 3600 rutserv.exe 3600 rutserv.exe 3600 rutserv.exe 3392 rutserv.exe 3392 rutserv.exe 1056 rutserv.exe 1056 rutserv.exe 3496 rutserv.exe 3496 rutserv.exe 3496 rutserv.exe 3496 rutserv.exe 3496 rutserv.exe 3496 rutserv.exe 2432 rfusclient.exe 2432 rfusclient.exe -
Suspicious behavior: SetClipboardViewer 1 IoCs
pid Process 3796 rfusclient.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 4412 taskkill.exe Token: SeDebugPrivilege 4932 taskkill.exe Token: SeDebugPrivilege 3600 rutserv.exe Token: SeDebugPrivilege 1056 rutserv.exe Token: SeTakeOwnershipPrivilege 3496 rutserv.exe Token: SeTcbPrivilege 3496 rutserv.exe Token: SeTcbPrivilege 3496 rutserv.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 3812 WinlockerBuilder.exe 3600 rutserv.exe 3392 rutserv.exe 1056 rutserv.exe 3496 rutserv.exe -
Suspicious use of WriteProcessMemory 45 IoCs
description pid Process procid_target PID 3032 wrote to memory of 4996 3032 39c629890b83c16730a8f14dcda8433af706d16321c2b690ee31ea3a51a81c30.exe 81 PID 3032 wrote to memory of 4996 3032 39c629890b83c16730a8f14dcda8433af706d16321c2b690ee31ea3a51a81c30.exe 81 PID 3032 wrote to memory of 4996 3032 39c629890b83c16730a8f14dcda8433af706d16321c2b690ee31ea3a51a81c30.exe 81 PID 3032 wrote to memory of 3812 3032 39c629890b83c16730a8f14dcda8433af706d16321c2b690ee31ea3a51a81c30.exe 82 PID 3032 wrote to memory of 3812 3032 39c629890b83c16730a8f14dcda8433af706d16321c2b690ee31ea3a51a81c30.exe 82 PID 3032 wrote to memory of 3812 3032 39c629890b83c16730a8f14dcda8433af706d16321c2b690ee31ea3a51a81c30.exe 82 PID 4996 wrote to memory of 4636 4996 Trojan delete.exe 83 PID 4996 wrote to memory of 4636 4996 Trojan delete.exe 83 PID 4996 wrote to memory of 4636 4996 Trojan delete.exe 83 PID 4636 wrote to memory of 4960 4636 WScript.exe 84 PID 4636 wrote to memory of 4960 4636 WScript.exe 84 PID 4636 wrote to memory of 4960 4636 WScript.exe 84 PID 4960 wrote to memory of 4412 4960 cmd.exe 86 PID 4960 wrote to memory of 4412 4960 cmd.exe 86 PID 4960 wrote to memory of 4412 4960 cmd.exe 86 PID 4960 wrote to memory of 4932 4960 cmd.exe 88 PID 4960 wrote to memory of 4932 4960 cmd.exe 88 PID 4960 wrote to memory of 4932 4960 cmd.exe 88 PID 4960 wrote to memory of 1724 4960 cmd.exe 89 PID 4960 wrote to memory of 1724 4960 cmd.exe 89 PID 4960 wrote to memory of 1724 4960 cmd.exe 89 PID 4960 wrote to memory of 340 4960 cmd.exe 90 PID 4960 wrote to memory of 340 4960 cmd.exe 90 PID 4960 wrote to memory of 340 4960 cmd.exe 90 PID 4960 wrote to memory of 3468 4960 cmd.exe 91 PID 4960 wrote to memory of 3468 4960 cmd.exe 91 PID 4960 wrote to memory of 3468 4960 cmd.exe 91 PID 4960 wrote to memory of 3600 4960 cmd.exe 92 PID 4960 wrote to memory of 3600 4960 cmd.exe 92 PID 4960 wrote to memory of 3600 4960 cmd.exe 92 PID 4960 wrote to memory of 3392 4960 cmd.exe 94 PID 4960 wrote to memory of 3392 4960 cmd.exe 94 PID 4960 wrote to memory of 3392 4960 cmd.exe 94 PID 4960 wrote to memory of 1056 4960 cmd.exe 95 PID 4960 wrote to memory of 1056 4960 cmd.exe 95 PID 4960 wrote to memory of 1056 4960 cmd.exe 95 PID 3496 wrote to memory of 3348 3496 rutserv.exe 97 PID 3496 wrote to memory of 3348 3496 rutserv.exe 97 PID 3496 wrote to memory of 3348 3496 rutserv.exe 97 PID 3496 wrote to memory of 2432 3496 rutserv.exe 98 PID 3496 wrote to memory of 2432 3496 rutserv.exe 98 PID 3496 wrote to memory of 2432 3496 rutserv.exe 98 PID 2432 wrote to memory of 3796 2432 rfusclient.exe 103 PID 2432 wrote to memory of 3796 2432 rfusclient.exe 103 PID 2432 wrote to memory of 3796 2432 rfusclient.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\39c629890b83c16730a8f14dcda8433af706d16321c2b690ee31ea3a51a81c30.exe"C:\Users\Admin\AppData\Local\Temp\39c629890b83c16730a8f14dcda8433af706d16321c2b690ee31ea3a51a81c30.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Users\Admin\AppData\Local\Temp\Trojan delete.exe"C:\Users\Admin\AppData\Local\Temp\Trojan delete.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Microsoft\Windows\Главное меню\Программы\Автозагрузка\install.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\Windows\Главное меню\Программы\Автозагрузка\install.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4412
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4932
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f5⤵PID:1724
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "regedit.reg"5⤵
- Runs .reg file with regedit
PID:340
-
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
PID:3468
-
-
C:\ProgramData\Microsoft\Windows\Главное меню\Программы\Автозагрузка\rutserv.exerutserv.exe /silentinstall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3600
-
-
C:\ProgramData\Microsoft\Windows\Главное меню\Программы\Автозагрузка\rutserv.exerutserv.exe /firewall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3392
-
-
C:\ProgramData\Microsoft\Windows\Главное меню\Программы\Автозагрузка\rutserv.exerutserv.exe /start5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1056
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilder.exe"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilder.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3812
-
-
C:\ProgramData\Microsoft\Windows\Главное меню\Программы\Автозагрузка\rutserv.exe"C:\ProgramData\Microsoft\Windows\Главное меню\Программы\Автозагрузка\rutserv.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\ProgramData\Microsoft\Windows\Главное меню\Программы\Автозагрузка\rfusclient.exe"C:\ProgramData\Microsoft\Windows\Главное меню\Программы\Автозагрузка\rfusclient.exe" /tray2⤵
- Executes dropped EXE
PID:3348
-
-
C:\ProgramData\Microsoft\Windows\Главное меню\Программы\Автозагрузка\rfusclient.exe"C:\ProgramData\Microsoft\Windows\Главное меню\Программы\Автозагрузка\rfusclient.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\ProgramData\Microsoft\Windows\Главное меню\Программы\Автозагрузка\rfusclient.exe"C:\ProgramData\Microsoft\Windows\Главное меню\Программы\Автозагрузка\rfusclient.exe" /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:3796
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
480B
MD599db27d776e103cad354b531ee1f20b9
SHA10b82d146df8528f66d1d14756f211fd3a8b1b91a
SHA256240020a1a1941d1455135b5cb134e502a13b148be16cbb1552482aa03c29f8f3
SHA512bc2ed33495c0a752397b2f1b9b7ba65f94ea5be82dde74c618342c83b68f1b92a4783b672cd427843533799e1af0875e0fd000b12236852e9e2fa93005d7ac69
-
Filesize
117B
MD565fc32766a238ff3e95984e325357dbb
SHA13ac16a2648410be8aa75f3e2817fbf69bb0e8922
SHA256a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420
SHA512621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608
-
Filesize
11KB
MD51dd5e17dcf6c1f48b45fc15eb8b29e7d
SHA1b4bb5964fd3d1387d15682e6fc412059f0cdc1ec
SHA25634f08df8ef6a61a3689f181d275619ea33667d0267035bedae7e9964c45d4afa
SHA512748daf08e5c1939d89f3e6a005189dc47ec4d11c7548d46d5467ab93367006e702402ff84cf1b8f733fe519e726a99ba6cad75a878d6dd3fea7cb632b98de2d8
-
Filesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
Filesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
Filesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
Filesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
155KB
MD588318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
Filesize
593KB
MD56298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
Filesize
4.0MB
MD5076a0e333ffffd193a91b6074a943b13
SHA16e1e9627457d5960c07de706214fffc3c2a7334a
SHA256df4c413b6ee2a32cc5eeb5f13bc98fb71713fbc39c6262c4cd64235c40aa1432
SHA5127dc54350dc2b74759d692e22e2dfeae63352bdb919afd7a2b9b67f43df7dab9d8b874ceeb3645597d061acba4c3d360422cb1e92fc54d8cbdd2e46608faf0a96
-
Filesize
4.0MB
MD5076a0e333ffffd193a91b6074a943b13
SHA16e1e9627457d5960c07de706214fffc3c2a7334a
SHA256df4c413b6ee2a32cc5eeb5f13bc98fb71713fbc39c6262c4cd64235c40aa1432
SHA5127dc54350dc2b74759d692e22e2dfeae63352bdb919afd7a2b9b67f43df7dab9d8b874ceeb3645597d061acba4c3d360422cb1e92fc54d8cbdd2e46608faf0a96
-
Filesize
3.0MB
MD50df533cb9a581de63e3522954a681603
SHA1be46afa245289e0d9a84bd1fd1faea8d8c96da5e
SHA256e3570b276e526f6fb6a289da32583b36cfbd98ec2f59d09c0243fbd0fc0805a3
SHA512c973e3a8476879dad79f8b37f476d379b90f27cf64ecd359256df94fb811d69226dc50d1e8168d34787cc2d6abf407d8097e37cd60155650dad007a68263661e
-
Filesize
3.0MB
MD50df533cb9a581de63e3522954a681603
SHA1be46afa245289e0d9a84bd1fd1faea8d8c96da5e
SHA256e3570b276e526f6fb6a289da32583b36cfbd98ec2f59d09c0243fbd0fc0805a3
SHA512c973e3a8476879dad79f8b37f476d379b90f27cf64ecd359256df94fb811d69226dc50d1e8168d34787cc2d6abf407d8097e37cd60155650dad007a68263661e