Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/09/2022, 08:33

Static task: static1
Behavioral task: behavioral1
Sample: Invoice 16-36-55.exe
Resource: win7-20220812-en
General
Target: Invoice 16-36-55.exe
Size: 918KB
MD5: c5b76d08e1571dfd19d3ab265ec85b2f
SHA1: e9efd2d3ed741511025c1f1b0f1eb1d97aab111d
SHA256: 10610b7b6275e7e957ad8992b94b7488d1d55ad72a169f1abc5410f10c717484
SHA512: bc99f126b422cf373af6f5851e7368471e0505e56a42f207a2d79b407fb3de95ebc1defe1ee0cfbaf46f09b3a514ebd45b3ca0195fdf0f8e2d94fc339138bd6a
SSDEEP: 12288:Rj9dHqkbfDk3OLqKGTSXzurVj0dEaVj6NAIZuH9lu08jexVbQLJKKmIjYUkt+pLk:RRhHUKGTSXzuBjVZNNelu0FCI
Malware Config
Extracted
Family: formbook
Campaign: d6iz
Decoy list (64 entries, shown encoded exactly as extracted):
FkA/Rc+zw+0paU+GEiQh+g==
u54Xp6nujzFowU4P
EOvDCsjIcMgdORQ=
AuwHDKo90fNowU4P
pgyJWSAeSn6PEafn3w==
3uX1Rw+ed9vrNQ==
jF5ap2Dv9C1PwGrd2Q==
HO748Nunv9ftKA==
Y3nTdCLF3gspa0+HEiQh+g==
sTcJEshxAzXL5wGzPaA=
E/w4u2Vb6henwGrd2Q==
HyiDPgQFmbk/EuMX3D7NrWLX0XU=
E2QDkA/Sapg7+GJV8ULKrGLX0XU=
OSgyD3k1WHd+8vQc48OmEfvTww==
AVwcD5BnNY6o588P2A==
OghAuUYpwNlqf3CtJsAyRL5h
qQbNBg5d+StQ22hVZXWVOK0=
/+bLGhaIK8gdORQ=
2EwZLB/UCA4=
he9L+LfD0TAFfsIA0Q==
39618LhWaZvFYcmHRZXRdlP8r8oP1L0=
s7z1wnx7m8vuarJ0NQUQ+A==
RyUzJ6hvlb/PDPNnfm56kmLX0XU=
lGpuWceFkcDmIxiWm1RDUkZZSLDxqLU=
Gw8aZzXP6A0hbk2DEiQh+g==
A1OnXBwvSGd0zkRERBqUd2LX0XU=
+BPlBoBXZqk880VGyZYJ
g0xlb+WjwuWLgGWbcSv646L/7H8=
QJAb8Ky20/5owU4P
o+yuwjj3Di0jnS9Z23kn/A==
u4BRnGoEFj9P5CyVORHEcFtp
FtwduryHKlPj6wGzPaA=
Xbc3/b5W8AZowU4P
rPhPpSDngq1C+UsryHWVOK0=
syvlOXcw1gQ=
HohUbfe/2AsZ5w+DI/RgP68qWQ2mSgckgg==
0KqIYc+jrOCmG2MV6ag=
6FHvXMR2IjRPwGrd2Q==
R8BFEszM4gVowU4P
IvwA+63AygOngvi4d9akV0Vc0wOKd7VegA==
I4E9TOq41fsEeA+DkHVXNLM=
9AlZ/7rBbsgdORQ=
+OC04r6Eo9F4d2uhayIoDq1wVQWdd7VegA==
e3WsF6RpyjevxK/ZrHp4EfvTww==
QziB7m9B5vkSQT++x0TLqWLX0XU=
TzY/OfABE0hr5lZGyZYJ
2/H8M9zKaqc0LCAsIgKcNKpMywp1
DftB17B9ibO5ClPid8+nkVlURLDxqLU=
8uA1zIIpLnaDxwTEh24+8g==
OIDzSLeLIznIiQ4I+8ZIVUVc0wOKd7VegA==
4lgaJrFzltDngBZkkXWVOK0=
Xsh3w6fahaxN/Zch6GQ88g==
hG58dhQaSFdg8FZGyZYJ
AOjxKuvwlM57Q8WRYUODEfvTww==
OQXRB8m/ZpUo8Gsr1yEgFpVF7umNGg==
18H/jhTkhKJBEIBiA2vpo1taR7DxqLU=
Oy5p8Y8XN2P46wGzPaA=
tvKq+Y4OdX2y
uzj88HJDWoCXPrhdJw3EcFtp
kuRvAsbTc8gdORQ=
Jqg1/uq0TIIl3DD3sVH1oFbZxQ==
x4q5Kp5yCi7Plh9HFNvNrWLX0XU=
3c3UrRPE3B8vX1rIXca+tWs57umNGg==
vKWtpVlnhK6yJ48Qn+OoVt2mQvlwEA==
C2: cki3714.com
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description          ioc                                                                                                  Process
  Key value queried    \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  Invoice 16-36-55.exe
  Key value queried    \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  Invoice 16-36-55.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                           pid   Process               procid_target
  PID 4772 set thread context of 3900   4772  Invoice 16-36-55.exe  94
  PID 3900 set thread context of 3008   3900  Invoice 16-36-55.exe  26
  PID 2968 set thread context of 3008   2968  msiexec.exe           26

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but on its own it is a weak indicator: for this Formbook sample nothing else in the report (no file-write or encryption signatures) points to ransomware.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  5032  schtasks.exe

Modifies Internet Explorer settings
Storage2 is the Internet Explorer AutoComplete (saved form data) store.
  description   ioc                                                                                                                 Process
  Key created   \Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  msiexec.exe

Suspicious behavior: EnumeratesProcesses (48 IoCs, listed in order of occurrence)
  pid   Process               count
  4772  Invoice 16-36-55.exe  2
  1468  powershell.exe        1
  3900  Invoice 16-36-55.exe  8
  1468  powershell.exe        1
  2968  msiexec.exe           36

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  3008  Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid   Process               count
  3900  Invoice 16-36-55.exe  3
  2968  msiexec.exe           4

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                       pid   Process
  Token: SeDebugPrivilege           4772  Invoice 16-36-55.exe
  Token: SeDebugPrivilege           1468  powershell.exe
  Token: SeDebugPrivilege           3900  Invoice 16-36-55.exe
  Token: SeDebugPrivilege           2968  msiexec.exe
  Token: SeShutdownPrivilege        3008  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3008  Explorer.EXE

Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid   Process               procid_target  count
  PID 4772 wrote to memory of 1468   4772  Invoice 16-36-55.exe  90             3
  PID 4772 wrote to memory of 5032   4772  Invoice 16-36-55.exe  92             3
  PID 4772 wrote to memory of 3900   4772  Invoice 16-36-55.exe  94             6
  PID 3008 wrote to memory of 2968   3008  Explorer.EXE          95             3
  PID 2968 wrote to memory of 1504   2968  msiexec.exe           96             3
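The scheduled-task signature above, together with the Add-MpPreference and schtasks /XML command lines recorded in the process tree, leaves artifacts that can be checked on a live host. The following PowerShell is an added example, not part of the Triage report or its tooling: it takes the name ilrVEAfwYEj and the \Updates\ task path from this report, and treats everything else (the user-writable path pattern, the Defender event ID 5007 check) as a general heuristic. Run it in an elevated PowerShell 5.1 or later session on a host with Microsoft Defender installed.

```powershell
# Added example (not from the Triage report): hunt a live Windows host for the
# persistence and defence-evasion artifacts this report records. The name
# 'ilrVEAfwYEj' and the task path '\Updates\' come from the report; the
# user-writable path pattern is a general heuristic, not report data.
$SuspectName  = 'ilrVEAfwYEj'
$UserWritable = '\\(AppData\\(Roaming|Local)|Users\\Public|Temp)\\'
$Findings     = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Value) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Value = $Value })
}

# 1. Defender path exclusions that point into user-writable locations, which is
#    what 'Add-MpPreference -ExclusionPath' in the report leaves behind.
foreach ($p in (Get-MpPreference).ExclusionPath) {
    if ($p -match $UserWritable -or $p -like "*$SuspectName*") {
        Add-Finding 'DefenderExclusion' $p
    }
}

# 2. Defender writes event 5007 to its Operational log on every configuration
#    change; an added path exclusion names the Exclusions\Paths key in 'New value'.
$evt = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
} -ErrorAction SilentlyContinue
foreach ($e in $evt) {
    if ($e.Message -match 'Exclusions\\Paths') {
        $newValue = ($e.Message -split "`r?`n") | Where-Object { $_ -match 'New value' } | Select-Object -First 1
        Add-Finding 'DefenderConfigChange' ("{0:u} {1}" -f $e.TimeCreated, $newValue.Trim())
    }
}

# 3. Scheduled tasks: the report registers \Updates\ilrVEAfwYEj from an XML file
#    in %TEMP%. Flag that task path or name, and any task whose action runs an
#    executable from a user-writable directory.
foreach ($t in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($a in $t.Actions) {
        $exe = $a.Execute
        if ($t.TaskPath -eq '\Updates\' -or $t.TaskName -eq $SuspectName -or ($exe -and $exe -match $UserWritable)) {
            Add-Finding 'ScheduledTask' ("{0}{1} -> {2} {3}" -f $t.TaskPath, $t.TaskName, $exe, $a.Arguments)
        }
    }
}

# 4. The dropped copy under every profile's %APPDATA%. Hash it for comparison
#    with the report; the dropped copy need not be byte-identical to the sample.
foreach ($f in (Get-ChildItem -Path 'C:\Users\*\AppData\Roaming' -Filter "$SuspectName.exe" -File -ErrorAction SilentlyContinue)) {
    $h = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash.ToLower()
    Add-Finding 'DroppedPayload' ("{0} sha256={1}" -f $f.FullName, $h)
}

$Findings | Format-Table -AutoSize
```

The exclusion and scheduled-task checks are the ones worth keeping for other samples: both are generic to malware that hides a dropped executable from Defender and schedules it, and neither depends on the file name. The 5007 event is the only record that survives if the attacker later removes the exclusion.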
Processes

C:\Windows\Explorer.EXE (PID 3008)
  command line: "C:\Windows\Explorer.EXE"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Invoice 16-36-55.exe (PID 4772)
    command line: "C:\Users\Admin\AppData\Local\Temp\Invoice 16-36-55.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1468)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ilrVEAfwYEj.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe (PID 5032)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ilrVEAfwYEj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E36.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\Invoice 16-36-55.exe (PID 3900)
      command line: "C:\Users\Admin\AppData\Local\Temp\Invoice 16-36-55.exe"
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\msiexec.exe (PID 2968)
    command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1504)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

Read together with the SetThreadContext and WriteProcessMemory IoCs: the sample (4772) writes into a second copy of itself (3900) and sets its thread context, that copy sets the thread context of Explorer.EXE (3008), Explorer then starts msiexec.exe (2968) with no arguments, and msiexec sets the thread context of Explorer again and writes into the Firefox.exe (1504) it launched. The SysWOW64 image paths beside System32 command lines are WOW64 file-system redirection: the 32-bit sample asked for the System32 binaries and received their 32-bit counterparts.
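The shape of that chain, a system binary started by explorer.exe with an empty argument list that then has a browser as a child, can be looked for on a running host without any endpoint agent. The PowerShell below is an added example, not part of the Triage report; it uses only Win32_Process, takes the no-argument msiexec.exe and the Firefox child from this report, and the browser name list is an assumption of the example. Run it elevated so that every process is visible.

```powershell
# Added example (not from the Triage report): find processes on a live host
# that match the injection chain shape recorded above, explorer.exe -> a
# Windows binary launched with no arguments -> a browser child. The browser
# list is an assumption of this example, not report data.
$Procs = Get-CimInstance -ClassName Win32_Process
$ByPid = @{}
foreach ($p in $Procs) { $ByPid[[int]$p.ProcessId] = $p }

function Get-Arguments([string]$CommandLine) {
    # Strip the (possibly quoted) image path and return only the arguments.
    if (-not $CommandLine) { return '' }
    if ($CommandLine.StartsWith('"')) {
        $close = $CommandLine.IndexOf('"', 1)
        if ($close -lt 0) { return '' }
        return $CommandLine.Substring($close + 1).Trim()
    }
    $parts = $CommandLine -split '\s+', 2
    if ($parts.Count -gt 1) { return $parts[1].Trim() } else { return '' }
}

$Browsers = 'firefox.exe', 'chrome.exe', 'msedge.exe', 'iexplore.exe', 'opera.exe'

$Hits = foreach ($p in $Procs) {
    $parent = $ByPid[[int]$p.ParentProcessId]
    # ParentProcessId is a bare number and PIDs are reused; require the parent
    # to have started before the child before trusting the link.
    if (-not $parent -or $parent.Name -ne 'explorer.exe' -or $parent.CreationDate -gt $p.CreationDate) { continue }
    # Only Windows binaries from System32/SysWOW64, as msiexec.exe was in the report.
    if ($p.ExecutablePath -notmatch '^[A-Z]:\\Windows\\(System32|SysWOW64)\\') { continue }
    # The report's msiexec.exe ran with no arguments; a user-launched MSI install has them.
    if ((Get-Arguments $p.CommandLine) -ne '') { continue }

    $children    = @($Procs | Where-Object { [int]$_.ParentProcessId -eq [int]$p.ProcessId })
    $browserKids = @($children | Where-Object { $Browsers -contains $_.Name.ToLower() })
    [pscustomobject]@{
        Pid          = $p.ProcessId
        Image        = $p.ExecutablePath
        Wow64        = [bool]($p.ExecutablePath -match '\\SysWOW64\\')
        ParentPid    = $parent.ProcessId
        Children     = ($children | ForEach-Object { "$($_.Name):$($_.ProcessId)" }) -join ' '
        BrowserChild = ($browserKids.Count -gt 0)
    }
}

$Hits | Sort-Object BrowserChild -Descending | Format-Table -AutoSize
```

Expect benign rows: any program the user starts from the Start menu is a child of explorer.exe with no arguments. The rows to triage first are those with BrowserChild set and Wow64 set on a 64-bit host, which is exactly the combination the report shows for msiexec.exe (2968) and Firefox.exe (1504).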
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: f3f19cd5bf00b56d7de787c19ba98930
SHA1: 0e5d346367f5371d04447962da15436a7b5b6cf9
SHA256: 4462362d058ac0a3ed2f9c86d2b48580e8782ca7cbc23ca5e6a633451dd15cfc
SHA512: 87f41cc4e37e5a6480d22bcf52bec13e8a25c1c46074561cbcaab12a8a2a7e43ef236010386ce4489ce8db3a025ec0b1836864d75c6d81edc5454d79bf82f810