Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 30/09/2022, 14:20
Static task: static1
Behavioral task: behavioral1
- Sample: PAYMENT COPY.exe
- Resource: win7-20220812-en
General
- Target: PAYMENT COPY.exe
- Size: 1.0MB
- MD5: 40b8041f55f40b2975deb791cdd40f17
- SHA1: c0a57f918bbdd09d69e2fb380ccea7cc69e65ba8
- SHA256: 9a5edc79c2643926c35c6e83248b6c196c5cd081f74b3b689ae9f02be6b18369
- SHA512: f3f0cbb4bd3515caeaad79f99e050445e02a6678ecc679206dca1c7b701785fd65086e10e7eedf4ed55a3196f8a2995961b92a7ae1bcab93bf71b11f2ac4f995
- SSDEEP: 24576:iqJo1MNiwGovlW0G4lA0PsUCiyfTwWQn:iqiKlbfPbCiy7w
Malware Config
Extracted
formbook
uymo
A4J+j1lFUiMbPgQD0uzpdg==
F3lajp/JwxgpzPZ3bf9zrK0EzWDU/JY=
bOCwjfx/jOF4Las6GFv7+tQ=
9BDZHgUVSa1ypSWjNcPR
S9u+wp+ai+yEW4OWIQ==
wXxiP8BRWDG2JiTw5XA=
VeumNjNg3QeL/qtw
KYxbMI9RU7eqPpEYg1v7+tQ=
zwfU2Vv4NxXzDLy1IWFrDo3iqOoV1KB3
0XQ3wM3oGntH+iTw5XA=
nx7p2XIfYkHv9+Uu+VKx3l41j3mS454=
+BIOmtNni5xbAo5VEZFYQFAw
tkQa0SXOEjV/0yTw5XA=
YOLHv42Us4eMrHCod80dYluXJzNn
HZdsbBNsdAvOq+cr4CaIfg==
YlQ/0dwFQYtd+DXIxzKUlO8kBc9C9A==
mCL+zS69yZ9DyvVMC4399tE/Xk0V1KB3
+tXLkwCl2LyCqaNnalv7+tQ=
yPzM2bjLKPyixsjWSoWe9NI=
KQPQVL5puBHigv/RmyAU0ExD4GDU/JY=
JvKyLYsRMI2eQH4OQrebYQ==
HvrKKC9HQdKSW4OWIQ==
p9Sx6ie6rYwuxDm5sQbZ
UaaHyOMC+VT0Q3/1g82zLvwXcl1+
66h/Ay3OGvu/EiTw5XA=
PXw/UO+Fm7Bx5SWEL6cRC5YvSwRwCsN/
Q0EktsDXF4M+v+O5jgzO
x9Kw+8TDzSQYyA9uGFpUp06Ywg==
ZLBtbv+o8Pfz3kbXRID+Bs2RKmr1Y04b5A==
Osy8wKGdt5mXpm52/Flbp06Ywg==
a/i5N40UXcn0GNTLR1rmrvkALU0=
KR/wD+0NEqt/W4OWIQ==
2IRS4je8+cSuTIMUEFv7+tQ=
G3pJUeaZF+49W4OWIQ==
cx7olwCt/6K97JpoDHow8EvAl+dw
K6Jc4l8WqbXE
mYFozKXUK7zUgdNTV93qhvE4
BW9RWSo1MY8tRjFxN5Htp06Ywg==
hc+pu5Suqw8QnZmuhctYQFAw
sFAJl/t7tBhCaSe5sQbZ
MG1EEShq9h/ae+c=
1ibC9F5Npwk=
68qwb3sWqbXE
/PjVVbxRrjMwW4OWIQ==
Rsy3gq6/sg==
i5tqtbri2SfQBQ1KElv7+tQ=
eKiFlF5eqbaL/qtw
9q6BF270EWZsBy91cLQWC9Y=
ExLkJvn7EKVudy65sQbZ
TgDl2cXOEr2kLiTw5XA=
c93K2KWlHs9W8STw5XA=
BY6GjF6ClSTg7OO5jgzO
TX5lkGNnpv/R9A==
hOKqhe2K0sB4XAgC0uzpdg==
njAAwivU9M1kwnwLfFv7+tQ=
tuCt6svLyxcDrfhHQrebYQ==
YgFhX0yTVL5EuO8=
BE4kVDdOjvOjDi56Klv7+tQ=
Lr6Qa81hdlH6qzm5sQbZ
RJ92hwuPn3oQqi65sQbZ
C1EcGPQnM5EvQzBwKVv7+tQ=
hO7e83wwjpdAyQF46fGqKv0Xcl1+
4cuR28DW6bUyJdWnW+XtlpmciXEj7Q==
skDwJ+vzKjvc/g==
cdrhdl.com
Signatures

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation
    Process: PAYMENT COPY.exe

- Loads dropped DLL (1 IoCs)
    pid 316  Process raserver.exe

- Suspicious use of SetThreadContext (3 IoCs)
    description                            pid   Process           procid_target
    PID 1100 set thread context of 1476    1100  PAYMENT COPY.exe  33
    PID 1476 set thread context of 1236    1476  PAYMENT COPY.exe  24
    PID 316 set thread context of 1236     316   raserver.exe      24

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid 1116  Process schtasks.exe

- Modifies Internet Explorer settings (1 IoCs)
    description: Key created
    ioc: \Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
    Process: raserver.exe

- Suspicious behavior: EnumeratesProcesses (25 IoCs)
    pid   Process           occurrences
    1100  PAYMENT COPY.exe  6
    1476  PAYMENT COPY.exe  4
    1448  powershell.exe    1
    1316  powershell.exe    1
    316   raserver.exe      13

- Suspicious behavior: MapViewOfSection (7 IoCs)
    pid   Process           occurrences
    1476  PAYMENT COPY.exe  3
    316   raserver.exe      4

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  1100  PAYMENT COPY.exe
    Token: SeDebugPrivilege  1476  PAYMENT COPY.exe
    Token: SeDebugPrivilege  1448  powershell.exe
    Token: SeDebugPrivilege  1316  powershell.exe
    Token: SeDebugPrivilege  316   raserver.exe

- Suspicious use of FindShellTrayWindow (2 IoCs)
    pid 1236  Process Explorer.EXE  (2 occurrences)

- Suspicious use of SendNotifyMessage (2 IoCs)
    pid 1236  Process Explorer.EXE  (2 occurrences)

- Suspicious use of WriteProcessMemory (28 IoCs)
    description                         pid   Process           procid_target  occurrences
    PID 1100 wrote to memory of 1316    1100  PAYMENT COPY.exe  27             4
    PID 1100 wrote to memory of 1448    1100  PAYMENT COPY.exe  29             4
    PID 1100 wrote to memory of 1116    1100  PAYMENT COPY.exe  31             4
    PID 1100 wrote to memory of 1476    1100  PAYMENT COPY.exe  33             7
    PID 1236 wrote to memory of 316     1236  Explorer.EXE      34             4
    PID 316 wrote to memory of 1636     316   raserver.exe      37             5
Processes

C:\Windows\Explorer.EXE  (PID 1236)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe  (PID 1100)
    command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1316)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1448)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GTYovZfcuUiN.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe  (PID 1116)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GTYovZfcuUiN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE438.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe  (PID 1476)
      command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\raserver.exe  (PID 316)
    command line: "C:\Windows\SysWOW64\raserver.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 1636)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 1KB
  MD5: 76964372b663953f289c0aa2027a2aeb
  SHA1: ed5c3b7bd58b549dbc5a43bbbb532a4db8ad8135
  SHA256: 7c00d89cea0bc073d17430696bae2e54468d4d4f6cf7776bc0c96a945885b443
  SHA512: 7f8025836f477427f461161c1f666766543b3b58a55ed91c516845e12ecc11c9092e19b4300580978bae02547542d27058a0c3743412798a731d8bf74983599a

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 959170a1652aef602a76214b4018e4d2
  SHA1: 54d81a3ff99c76ed9ee18243399ea28490bfa208
  SHA256: 3cb6f0c2fe23fb5f687cbd80858431b5a97205a98818db5c7ced4f815813523f
  SHA512: 281d4952b8979fddef7703a4c0566497478cef274afdd07e9168f58211385bdfa35b9be2980872485f1e7364d6c94e2327f6fd0768464eb6edd65a52b56b652f

- Filesize: 1.1MB
  MD5: f55e5766477de5997da50f12c9c74c91
  SHA1: 4dc98900a887be95411f07b9e597c57bdc7dbab3
  SHA256: 90be88984ee60864256378c952d44b13d55ac032ab6a7b8c698885176bcece69
  SHA512: 983417a297e68b58fbd1c07fed7a1697d249110a2c10644b2dc96e3facedd3fbfbcac6a7809631ffd62894f02cadd4d3e62022b9e5e026e5bf434f1eb1878f05