Analysis
- max time kernel: 194s
- max time network: 205s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25/06/2022, 17:36

Static task: static1
Behavioral task: behavioral1
Sample: 5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe
Resource: win7-20220414-en
General
- Target: 5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe
- Size: 427KB
- MD5: cfe882ba290b6bd30bff5848c20554a5
- SHA1: ceb839a8c04c75844cab7b18916234f7cd093157
- SHA256: 5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201
- SHA512: c3dd4139b7a0d4192c0c1f5a096a3cfdc59414ce40a8cb52d2ade2bdc966e0678a591bdf25368bbf8173dff7b4d5cce3c0063a0f945302109294e507ab64f509
Malware Config
Signatures

Detects PlugX Payload (6 IoCs)
resource | yara_rule
- behavioral2/memory/4448-143-0x0000000000E60000-0x0000000000E91000-memory.dmp | family_plugx
- behavioral2/memory/4100-144-0x00000000021B0000-0x00000000021E1000-memory.dmp | family_plugx
- behavioral2/memory/3600-145-0x0000000001830000-0x0000000001861000-memory.dmp | family_plugx
- behavioral2/memory/3600-146-0x0000000001830000-0x0000000001861000-memory.dmp | family_plugx
- behavioral2/memory/1196-148-0x0000000000790000-0x00000000007C1000-memory.dmp | family_plugx
- behavioral2/memory/1196-149-0x0000000000790000-0x00000000007C1000-memory.dmp | family_plugx

Executes dropped EXE (2 IoCs)
pid | Process
- 4100 | hkcmd.exe
- 4448 | hkcmd.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe

Loads dropped DLL (2 IoCs)
pid | Process
- 4100 | hkcmd.exe
- 4448 | hkcmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (2 IoCs)
description | ioc | Process
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38003400350030003200430044003500380037003600300039004300460039000000 | svchost.exe
- Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | svchost.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 3600 | svchost.exe (14 entries)
- 1196 | msiexec.exe (50 entries)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
- 3600 | svchost.exe
- 1196 | msiexec.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 4100 | hkcmd.exe
- Token: SeTcbPrivilege | 4100 | hkcmd.exe
- Token: SeDebugPrivilege | 4448 | hkcmd.exe
- Token: SeTcbPrivilege | 4448 | hkcmd.exe
- Token: SeDebugPrivilege | 3600 | svchost.exe
- Token: SeTcbPrivilege | 3600 | svchost.exe
- Token: SeDebugPrivilege | 1196 | msiexec.exe
- Token: SeTcbPrivilege | 1196 | msiexec.exe

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | Process | procid_target
- PID 2688 wrote to memory of 4100 | 2688 | 5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe | 81 (3 entries)
- PID 4448 wrote to memory of 3600 | 4448 | hkcmd.exe | 84 (8 entries)
- PID 3600 wrote to memory of 1196 | 3600 | svchost.exe | 85 (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe (PID 2688)
  command line: "C:\Users\Admin\AppData\Local\Temp\5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe (PID 4100)
    command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\AVck\hkcmd.exe (PID 4448)
  command line: C:\ProgramData\AVck\hkcmd.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 3600)
    command line: C:\Windows\system32\svchost.exe 201 0
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (PID 1196)
      command line: C:\Windows\system32\msiexec.exe 209 3600
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 2KB
  MD5: 1b49645bc75c8353c1bf0d9feb3af7e5
  SHA1: 5684b5d6d42bf284cfd5537f0300371c3f006314
  SHA256: 87fd3a7ec2f818443ebc19df89c1f22f5cc44fa6d1a45c2482578d2d9e0b4533
  SHA512: b979c7bd8174e2f7a09aba3df78143043d2682a6677084cbcca1eb6aced6627fea783e95b6f57ad418624049375fe17a350cffe32f27c5f1bc7c701b3189359e

- Filesize: 122KB
  MD5: 1546b7616bea033524a81939983bc766
  SHA1: e0a1751cdb7c0d3eb486ea70faeec13a0b352fb4
  SHA256: 034e116d7e575029461af32ddd04494d67a62d4fe929e779c51b34d106ebc5e6
  SHA512: 6c7c84f29fbd33e6c3ff6ec14ff1d860beee0bb03703b26798757e2706098f6bad7a245a201f5de82a12f77c394ef30931636abf5f6b71c0d1833d1dd53fc8cb

- Filesize: 2KB
  MD5: 1b49645bc75c8353c1bf0d9feb3af7e5
  SHA1: 5684b5d6d42bf284cfd5537f0300371c3f006314
  SHA256: 87fd3a7ec2f818443ebc19df89c1f22f5cc44fa6d1a45c2482578d2d9e0b4533
  SHA512: b979c7bd8174e2f7a09aba3df78143043d2682a6677084cbcca1eb6aced6627fea783e95b6f57ad418624049375fe17a350cffe32f27c5f1bc7c701b3189359e

- Filesize: 169KB
  MD5: 23f2c3dbdb65c898a11e7f4ddc598a10
  SHA1: cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c
  SHA256: a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677
  SHA512: 0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

- Filesize: 169KB
  MD5: 23f2c3dbdb65c898a11e7f4ddc598a10
  SHA1: cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c
  SHA256: a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677
  SHA512: 0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

- Filesize: 2KB
  MD5: 1b49645bc75c8353c1bf0d9feb3af7e5
  SHA1: 5684b5d6d42bf284cfd5537f0300371c3f006314
  SHA256: 87fd3a7ec2f818443ebc19df89c1f22f5cc44fa6d1a45c2482578d2d9e0b4533
  SHA512: b979c7bd8174e2f7a09aba3df78143043d2682a6677084cbcca1eb6aced6627fea783e95b6f57ad418624049375fe17a350cffe32f27c5f1bc7c701b3189359e

- Filesize: 122KB
  MD5: 1546b7616bea033524a81939983bc766
  SHA1: e0a1751cdb7c0d3eb486ea70faeec13a0b352fb4
  SHA256: 034e116d7e575029461af32ddd04494d67a62d4fe929e779c51b34d106ebc5e6
  SHA512: 6c7c84f29fbd33e6c3ff6ec14ff1d860beee0bb03703b26798757e2706098f6bad7a245a201f5de82a12f77c394ef30931636abf5f6b71c0d1833d1dd53fc8cb

- Filesize: 2KB
  MD5: 1b49645bc75c8353c1bf0d9feb3af7e5
  SHA1: 5684b5d6d42bf284cfd5537f0300371c3f006314
  SHA256: 87fd3a7ec2f818443ebc19df89c1f22f5cc44fa6d1a45c2482578d2d9e0b4533
  SHA512: b979c7bd8174e2f7a09aba3df78143043d2682a6677084cbcca1eb6aced6627fea783e95b6f57ad418624049375fe17a350cffe32f27c5f1bc7c701b3189359e

- Filesize: 169KB
  MD5: 23f2c3dbdb65c898a11e7f4ddc598a10
  SHA1: cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c
  SHA256: a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677
  SHA512: 0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

- Filesize: 169KB
  MD5: 23f2c3dbdb65c898a11e7f4ddc598a10
  SHA1: cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c
  SHA256: a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677
  SHA512: 0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a