Analysis
max time kernel: 583s
max time network: 588s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/09/2022, 21:37
Static task: static1
Behavioral task: behavioral1
Sample: 8bac7df54648d64d943b80706db9de86ec5787d7cf3b330e860972568d100c4e.zip
Resource: win10v2004-20220812-en
General
Target: 8bac7df54648d64d943b80706db9de86ec5787d7cf3b330e860972568d100c4e.zip
Size: 293KB
MD5: 21f42191d0705e7d21a3631cfcb9696d
SHA1: 28b46f4b6b3431e70b42fd9077152e892bfad0b5
SHA256: 8bac7df54648d64d943b80706db9de86ec5787d7cf3b330e860972568d100c4e
SHA512: bbb2d2ad3f44c788ae132232ebabd6852f71f50b4be4dc996ec94f8a67f8165ffc0f2ab04d6f76e3806bdc59c84269d0e7efd7916efae757e08f1dd06dd852a1
SSDEEP: 6144:hG+4B0OYfyppAYMk7Lx7nu+S73gOINHRrAqkIE:k+YfCmytaxAl
Malware Config
Extracted
Family: icedid
Campaign: 2537954433
C2: scainznorka.com
Signatures

Blocklisted process makes network request (9 IoCs)
flow  pid   Process
39    3684  rundll32.exe
47    3684  rundll32.exe
48    3684  rundll32.exe
53    3684  rundll32.exe
54    3684  rundll32.exe
55    3684  rundll32.exe
57    3684  rundll32.exe
58    3684  rundll32.exe
59    3684  rundll32.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  WScript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  WScript.exe

Enumerates connected drives (3 TTPs, 4 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\E:  WScript.exe
File opened (read-only)  \??\E:  cmd.exe
File opened (read-only)  \??\E:  WScript.exe
File opened (read-only)  \??\E:  cmd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
description  ioc                                                                                  Process
Key created  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings  OpenWith.exe

Opens file in notepad (likely ransom note) (1 IoCs)
pid  Process
728  NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
3684  rundll32.exe
3684  rundll32.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description                 pid   Process
Token: SeRestorePrivilege   1772  7zG.exe
Token: 35                   1772  7zG.exe
Token: SeSecurityPrivilege  1772  7zG.exe
Token: SeSecurityPrivilege  1772  7zG.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid   Process
1772  7zG.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
2300  OpenWith.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process      procid_target
PID 3172 wrote to memory of 3308  3172  WScript.exe  94
PID 3172 wrote to memory of 3308  3172  WScript.exe  94
PID 3308 wrote to memory of 3684  3308  cmd.exe      97
PID 3308 wrote to memory of 3684  3308  cmd.exe      97
PID 4868 wrote to memory of 3360  4868  WScript.exe  105
PID 4868 wrote to memory of 3360  4868  WScript.exe  105
PID 3360 wrote to memory of 3992  3360  cmd.exe      107
PID 3360 wrote to memory of 3992  3360  cmd.exe      107
Processes
(child processes are indented under their parent)

C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\8bac7df54648d64d943b80706db9de86ec5787d7cf3b330e860972568d100c4e.zip
  PID: 4696

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1780

C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\8bac7df54648d64d943b80706db9de86ec5787d7cf3b330e860972568d100c4e\" -spe -an -ai#7zMap23490:208:7zEvent26591
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1772

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "E:\spurning\undeservinglyUnpapered.js"
  - Checks computer location settings
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID: 3172

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""E:\spurning\flunkMuscular.cmd" ru"
      - Enumerates connected drives
      - Suspicious use of WriteProcessMemory
      PID: 3308

        C:\Windows\system32\rundll32.exe
          Command line: rundll32 spurning\convolving.db,#1
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses
          PID: 3684

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
  PID: 3204

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\spurning\undeservinglyUnpapered.js"
  - Checks computer location settings
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID: 4868

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""E:\spurning\flunkMuscular.cmd" ru"
      - Enumerates connected drives
      - Suspicious use of WriteProcessMemory
      PID: 3360

        C:\Windows\system32\rundll32.exe
          Command line: rundll32 spurning\convolving.db,#1
          PID: 3992

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\spurning\flunkMuscular.cmd" "
  PID: 3404

C:\Windows\System32\NOTEPAD.EXE
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\spurning\flunkMuscular.cmd
  - Opens file in notepad (likely ransom note)
  PID: 728

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\spurning\undeservinglyUnpapered.js"
  PID: 3792

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 2300