Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
153s -
max time network
190s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
resource tags
arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system -
submitted
17/07/2022, 03:50
Static task
static1
Behavioral task
behavioral1
Sample
522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
Resource
win10v2004-20220414-en
General
-
Target
522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
-
Size
1.3MB
-
MD5
5e01622448297de584b36419c58a5cad
-
SHA1
41666daf497c2997e0c326a22a0d87d2d421e602
-
SHA256
522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f
-
SHA512
a7cb35c81d272d0218cdfe6ae46484bc993049a19a78275876ef2512107bca738c548779845a7e20f51714e6181ad6181e40382424e01007a66d730265020a44
Malware Config
Extracted
Protocol: smtp- Host:
mail.parwazexpress.com - Port:
587 - Username:
[email protected] - Password:
karachi123
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource yara_rule behavioral2/files/0x00060000000231c2-136.dat m00nd3v_logger behavioral2/files/0x00060000000231c2-137.dat m00nd3v_logger behavioral2/memory/3176-139-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/1400-160-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/1400-165-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/1400-168-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/1400-169-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/1252-170-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 6 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/2440-148-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/4716-153-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/2440-154-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/4716-155-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/4716-158-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/2440-157-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView -
Nirsoft 11 IoCs
resource yara_rule behavioral2/memory/2440-148-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/4716-153-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/2440-154-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/4716-155-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/4716-158-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/1400-160-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/1400-165-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/2440-157-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/1400-168-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/1400-169-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/1252-170-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft -
Executes dropped EXE 1 IoCs
pid Process 4508 tmp.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Windows\assembly\Desktop.ini 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe File opened for modification C:\Windows\assembly\Desktop.ini 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 2860 set thread context of 3176 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 84 PID 3176 set thread context of 2440 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 85 PID 4508 set thread context of 4716 4508 tmp.exe 86 PID 4508 set thread context of 1400 4508 tmp.exe 87 PID 3176 set thread context of 1252 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 88 -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\assembly 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe File created C:\Windows\assembly\Desktop.ini 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe File opened for modification C:\Windows\assembly\Desktop.ini 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NTFS ADS 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\buyrN\fefu.exe:Zone.Identifier cmd.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 2440 vbc.exe 2440 vbc.exe 4716 vbc.exe 4716 vbc.exe 4716 vbc.exe 2440 vbc.exe 4716 vbc.exe 2440 vbc.exe 4716 vbc.exe 2440 vbc.exe 4716 vbc.exe 2440 vbc.exe 2440 vbc.exe 2440 vbc.exe 4716 vbc.exe 4716 vbc.exe 2440 vbc.exe 2440 vbc.exe 2440 vbc.exe 2440 vbc.exe 4716 vbc.exe 4716 vbc.exe 4716 vbc.exe 4716 vbc.exe 4508 tmp.exe 4508 tmp.exe -
Suspicious behavior: SetClipboardViewer 1 IoCs
pid Process 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe Token: SeDebugPrivilege 4508 tmp.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4508 tmp.exe 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe -
Suspicious use of WriteProcessMemory 53 IoCs
description pid Process procid_target PID 2860 wrote to memory of 2652 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 80 PID 2860 wrote to memory of 2652 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 80 PID 2860 wrote to memory of 2652 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 80 PID 2652 wrote to memory of 3632 2652 cmd.exe 82 PID 2652 wrote to memory of 3632 2652 cmd.exe 82 PID 2652 wrote to memory of 3632 2652 cmd.exe 82 PID 2860 wrote to memory of 4508 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 83 PID 2860 wrote to memory of 4508 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 83 PID 2860 wrote to memory of 4508 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 83 PID 2860 wrote to memory of 3176 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 84 PID 2860 wrote to memory of 3176 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 84 PID 2860 wrote to memory of 3176 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 84 PID 2860 wrote to memory of 3176 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 84 PID 2860 wrote to memory of 3176 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 84 PID 2860 wrote to memory of 3176 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 84 PID 2860 wrote to memory of 3176 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 84 PID 2860 wrote to memory of 3176 2860 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 84 PID 4508 wrote to memory of 4716 4508 tmp.exe 86 PID 4508 wrote to memory of 4716 4508 tmp.exe 86 PID 4508 wrote to memory of 4716 4508 tmp.exe 86 PID 3176 wrote to memory of 2440 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 85 PID 3176 wrote to memory of 2440 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 85 PID 3176 wrote to memory of 2440 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 85 PID 3176 wrote to memory of 2440 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 85 PID 3176 wrote to memory of 2440 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 85 PID 3176 wrote to memory of 2440 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 85 PID 3176 wrote to memory of 2440 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 85 PID 3176 wrote to memory of 2440 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 85 PID 3176 wrote to memory of 2440 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 85 PID 4508 wrote to memory of 4716 4508 tmp.exe 86 PID 4508 wrote to memory of 4716 4508 tmp.exe 86 PID 4508 wrote to memory of 4716 4508 tmp.exe 86 PID 4508 wrote to memory of 4716 4508 tmp.exe 86 PID 4508 wrote to memory of 4716 4508 tmp.exe 86 PID 4508 wrote to memory of 4716 4508 tmp.exe 86 PID 4508 wrote to memory of 1400 4508 tmp.exe 87 PID 4508 wrote to memory of 1400 4508 tmp.exe 87 PID 4508 wrote to memory of 1400 4508 tmp.exe 87 PID 4508 wrote to memory of 1400 4508 tmp.exe 87 PID 4508 wrote to memory of 1400 4508 tmp.exe 87 PID 4508 wrote to memory of 1400 4508 tmp.exe 87 PID 4508 wrote to memory of 1400 4508 tmp.exe 87 PID 4508 wrote to memory of 1400 4508 tmp.exe 87 PID 4508 wrote to memory of 1400 4508 tmp.exe 87 PID 3176 wrote to memory of 1252 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 88 PID 3176 wrote to memory of 1252 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 88 PID 3176 wrote to memory of 1252 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 88 PID 3176 wrote to memory of 1252 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 88 PID 3176 wrote to memory of 1252 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 88 PID 3176 wrote to memory of 1252 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 88 PID 3176 wrote to memory of 1252 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 88 PID 3176 wrote to memory of 1252 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 88 PID 3176 wrote to memory of 1252 3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe"C:\Users\Admin\AppData\Local\Temp\522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\buyrN\fefu.exe.lnk" /f3⤵PID:3632
-
-
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp87AF.tmp"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4716
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8C14.tmp"3⤵
- Accesses Microsoft Outlook accounts
PID:1400
-
-
-
C:\Users\Admin\AppData\Local\Temp\522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe"C:\Users\Admin\AppData\Local\Temp\522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp87AE.tmp"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2440
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8C72.tmp"3⤵
- Accesses Microsoft Outlook accounts
PID:1252
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD58692b01999e1c418ceed010d17e35260
SHA1a42e6aab98776c1f84a46fbb0b015f57e1ff1ba4
SHA256c6ea4991a26377817eefd32c541b086b1c2f1be9361362a9b24638b33774c673
SHA512d4a16c3f04550ea6dc8049fc34699b16afb0cc2033697a622a49429052872ad874d7728da22687a1847dda96453c57b04669fb0e549e50968d56e0a37ae3493d
-
Filesize
552KB
MD5d2570e352cbfe33f2bad04befa62c5d6
SHA1b8e952d44cdbf5cf4211ad1602087f3f5e256a0a
SHA256291cb8705900743c0ca5e9e6dd124319642234aeb31b6cd3c3ac6e5571692ad0
SHA512bbd883617ce5bd48edba93daab5872be70adb85d2006f712b8e20ebf74954f0b6c50b0a0eecdab0a08b341eb832ab403b35d1aebc8d789dc6235cf5d4ebe7718
-
Filesize
552KB
MD5d2570e352cbfe33f2bad04befa62c5d6
SHA1b8e952d44cdbf5cf4211ad1602087f3f5e256a0a
SHA256291cb8705900743c0ca5e9e6dd124319642234aeb31b6cd3c3ac6e5571692ad0
SHA512bbd883617ce5bd48edba93daab5872be70adb85d2006f712b8e20ebf74954f0b6c50b0a0eecdab0a08b341eb832ab403b35d1aebc8d789dc6235cf5d4ebe7718
-
Filesize
4KB
MD5a44410c464bc23ac615f732de976447c
SHA1e13bb8bfa077dd78dda795b3c21750f217ba4d36
SHA256a1a6fab77bd9c6713b610b41cb025ba806b8fd64fb80b862e1c44ab2277545a6
SHA51215e8af0f65161d9ffe068f10083bb2aebfa9be89a36ca6816853f05b58dd05ea46c5abd2f306a354b6ce9eeab20f26a900c6cf3233553bacf168dcbefb79e31a
-
Filesize
4KB
MD5a44410c464bc23ac615f732de976447c
SHA1e13bb8bfa077dd78dda795b3c21750f217ba4d36
SHA256a1a6fab77bd9c6713b610b41cb025ba806b8fd64fb80b862e1c44ab2277545a6
SHA51215e8af0f65161d9ffe068f10083bb2aebfa9be89a36ca6816853f05b58dd05ea46c5abd2f306a354b6ce9eeab20f26a900c6cf3233553bacf168dcbefb79e31a
-
Filesize
1.3MB
MD55e01622448297de584b36419c58a5cad
SHA141666daf497c2997e0c326a22a0d87d2d421e602
SHA256522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f
SHA512a7cb35c81d272d0218cdfe6ae46484bc993049a19a78275876ef2512107bca738c548779845a7e20f51714e6181ad6181e40382424e01007a66d730265020a44