
Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2022, 05:18

General

  • Target

    26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe

  • Size

    212KB

  • MD5

    f072cbe3aa6ec798d3d74db2a9a3e6a0

  • SHA1

    a1329d247f94a92eceb5680367d9847ba031c1f2

  • SHA256

    26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806

  • SHA512

    3e48d68a96e5ac53f0bfc901f41d28f8aa4ce01fc673dcb2ccfd8831672a49bdb19171b8c5b6ce04be2090e44c8df8cdaab71ac246e7c206e4472436dd03c21d

  • SSDEEP

    6144:qljASXqcAP6A5PACApvAPDyoAJMShfl4QxsYBO7Czn8DmJ:qJa+IGhflP

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 58 IoCs
  • Modifies registry class 60 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
    "C:\Users\Admin\AppData\Local\Temp\26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe"
    1⤵
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1088
    • \??\c:\Program Files9914ZC.exe
      "c:\Program Files9914ZC.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Program Files\Internet Explorer\IEXPLORE.exe
        "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.nyni.info:1287/CPAdown/vplay.php
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1680
      • C:\Program Files\Internet Explorer\IEXPLORE.exe
        "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.nyni.info:1287/CPAdown/PPTV(pplive)_forjieku_977.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1696 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:432
    • C:\Windows\SysWOW64\WScript.Exe
      WScript.Exe jies.bak.vbs
      2⤵
      • Deletes itself
      PID:1100
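The process tree above chains four observations: the sample runs from %TEMP%, drops an executable whose path C:\Program Files9914ZC.exe sits directly in the volume root (the missing separator puts it beside Program Files, not inside it, whatever the "Drops file in Program Files directory" signature suggests), that dropped file launches Internet Explorer against dl.nyni.info:1287 twice, and the sample separately runs WScript.Exe on jies.bak.vbs, which is the child tagged "Deletes itself". The Python script below is an added example and not tria.ge code: it turns those observations into three per-event rules plus a parent-chain correlation and runs them over constructed process-creation events that mirror the tree. The explorer.exe launcher, the dictionary field names and the benign IE event at the end are assumptions, not data from the report.

```python
"""Process-chain rules built from the tria.ge report above (added example, not
tria.ge code). Events are CONSTRUCTED to mirror the Processes tree; the dict
field names are this script's own convention, not a Sysmon or tria.ge schema."""
import json
import ntpath
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators lifted directly from the report.
REPORT_HOST, REPORT_PORT = "dl.nyni.info", 1287
SAMPLE = "26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = ntpath.join(TEMP, SAMPLE)

TEMP_FRAGMENT = "\\appdata\\local\\temp\\"
URL_RE = re.compile(r'https?://[^\s"]+', re.I)
CHAIN = {"root_exe_from_temp", "ie_opened_report_host", "wscript_vbs_for_temp_process"}


def norm(path):
    """Lower-case and drop the NT object-manager prefix the sandbox shows (\\??\\c:\\...)."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def classify(ev):
    """Rule names this single event matches; each mirrors one line of the report's tree."""
    img, parent, cmd = norm(ev["image"]), norm(ev["parent_image"]), ev["cmdline"]
    hits = []
    # 1. An EXE sitting directly in the volume root (C:\Program Files9914ZC.exe is a
    #    sibling of Program Files, not inside it) started by a process living in %TEMP%.
    if ntpath.dirname(img) == "c:\\" and TEMP_FRAGMENT in parent:
        hits.append("root_exe_from_temp")
    # 2. Internet Explorer handed a URL by something that is neither a browser nor the shell.
    if ntpath.basename(img) == "iexplore.exe":
        m = URL_RE.search(cmd)
        if m and ntpath.basename(parent) not in ("iexplore.exe", "explorer.exe"):
            u = urlsplit(m.group(0))
            if u.hostname == REPORT_HOST and u.port == REPORT_PORT:
                hits.append("ie_opened_report_host")
            else:
                hits.append("ie_opened_url_by_nonbrowser")
    # 3. wscript.exe running a .vbs for a %TEMP%-resident parent (the report's
    #    jies.bak.vbs, which deletes the original sample).
    if ntpath.basename(img) == "wscript.exe" and ".vbs" in cmd.lower() and TEMP_FRAGMENT in parent:
        hits.append("wscript_vbs_for_temp_process")
    return hits


def triage(events):
    """Per-PID rule hits, plus per root ancestor whether the full report chain is present."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = {ev["pid"]: classify(ev) for ev in events}

    def root(pid):  # walk ppid links until the parent is outside the captured events
        seen = set()
        while by_pid[pid]["ppid"] in by_pid and pid not in seen:
            seen.add(pid)
            pid = by_pid[pid]["ppid"]
        return pid

    per_root = defaultdict(set)
    for pid, rules in hits.items():
        per_root[root(pid)].update(rules)
    chains = {r: {"rules": sorted(s), "full_chain": CHAIN <= s} for r, s in per_root.items() if s}
    return {"hits": {p: h for p, h in hits.items() if h}, "chains": chains}


IE64 = r"C:\Program Files\Internet Explorer\IEXPLORE.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
DROPPED = r"\??\c:\Program Files9914ZC.exe"
SAMPLE_EVENTS = [  # constructed; pids/ppids follow the report, parent images are inferred from the tree
    {"pid": 1088, "ppid": 900, "image": SAMPLE_PATH, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"%s"' % SAMPLE_PATH},
    {"pid": 1500, "ppid": 1088, "image": DROPPED, "parent_image": SAMPLE_PATH,
     "cmdline": r'"c:\Program Files9914ZC.exe"'},
    {"pid": 2012, "ppid": 1500, "image": IE64, "parent_image": DROPPED,
     "cmdline": '"%s" http://dl.nyni.info:1287/CPAdown/vplay.php' % IE64},
    {"pid": 1680, "ppid": 2012, "image": IE32, "parent_image": IE64,
     "cmdline": '"%s" SCODEF:2012 CREDAT:275457 /prefetch:2' % IE32},
    {"pid": 1100, "ppid": 1088, "image": r"C:\Windows\SysWOW64\WScript.Exe", "parent_image": SAMPLE_PATH,
     "cmdline": "WScript.Exe jies.bak.vbs"},
    # Benign control (assumed): the user opens IE from the shell with a URL; rule 2 must stay quiet.
    {"pid": 3000, "ppid": 900, "image": IE64, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"%s" http://example.invalid/' % IE64},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Run stand-alone, the script reports hits on PIDs 1500, 2012 and 1100 only and marks the tree rooted at PID 1088 as the full chain; the IE child spawned with SCODEF/CREDAT arguments and the explorer-launched browser produce nothing. The root-directory rule is deliberately narrow (an EXE directly under C:\ from a %TEMP% parent) because the dropped path is the one artifact here that is unusual on its own; the IE and WScript rules are noisier and are meant to be read together through the chain correlation rather than alerted on individually.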

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Program Files9914ZC.exe

    Filesize

    36KB

    MD5

    c54e70153d9de17018a5a75de4546d3f

    SHA1

    8445cfb5dff592987ab2998984356eabd277f8e9

    SHA256

    5d904029a76cb312f6e2926729ece3fd6416ab048b7b964e9b5d8f25e6df2353

    SHA512

    8fb5d9c685519bb54c78aa3a166af2df4d9b83a56b3425b502860655a5d428516ad832a366b267f159f7aacec8471506b228a185ddcd5168d7c97f2a890228dd

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E959D151-37FB-11ED-9F1A-42A98B637845}.dat

    Filesize

    5KB

    MD5

    4d1631f6c00e22de3a0cff8994aebd03

    SHA1

    f94db9671dcb62b064c9b67ab37d64c511c9dde7

    SHA256

    73fbef0b3bf9511a27ce36776240bb18105d5068a32281569abb8bea98eef1b5

    SHA512

    c3bbb414a3d73c5f7d9c6317517b1547225d87fa7d0a39d9a960ae5a0690cb5425c57d5877daf1b5981387bb3c1357c57a7e6ae4bd6e2740d70a9f0824610477

  • C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

    Filesize

    486B

    MD5

    ce454be99ea889cd057525701dcfa3ed

    SHA1

    a599baf0b858d5c920a2037d3de7744045113b08

    SHA256

    f70634c7c8096612dbc52c81a40a58782fe9749263fa4935990f43081e47f67b

    SHA512

    872604bb5349c6816d7cc89564976fa21f3dbc03e77686828ea397e3c4208efbc3af7ba0b5d1fda1353c766512c326308de62a73d0621d79ed8788321be987a5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IA3FOE81.txt

    Filesize

    608B

    MD5

    d33519a37809dced5243c1b112b40310

    SHA1

    bb5b49553409e75c95931e6048524c115f12c92d

    SHA256

    67bb8257c01884e29bd24615ab2654be742459c3be119c8b4300341924020418

    SHA512

    54d0552aeba8334e6b0210f841df62bc3726a9db6acbedc7a5689d09395025dc5e7cf63c0d5e86e82cbf20801f1bf4a67c5412a2d194b812312986fcbfd8222d

  • memory/1088-56-0x0000000074D61000-0x0000000074D63000-memory.dmp

    Filesize

    8KB