Analysis
- max time kernel: 139s
- max time network: 165s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01/10/2022, 21:00
Behavioral task: behavioral1
- Sample: bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe
- Resource: win10v2004-20220812-en
General
- Target: bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe
- Size: 31KB
- MD5: 6f855b0dcaf12e609058030cedf4c030
- SHA1: 58a5630e99669bc1b35e55dcb7ed5d104f60b905
- SHA256: bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63
- SHA512: be69cee35355589582665a96a941d77ea00f35bacd2e982c35cf4d7a48b418fb1319c81a3bad341834fdb5b54280d0ee5938cba2bd4c251eee80b27fb1c70dfc
- SSDEEP: 768:rg8q0xXJrLL/tvdUkTRQ75c0RJG7JxsLoIvCYR/9m:r7Z5HL1CkdQFc0RJpJL
Malware Config
- Extracted: joker
- http://tttie.oss-cn-shenzhen.aliyuncs.com
Signatures
- joker
  Joker is an Android malware that targets billing and SMS fraud.
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  pid | Process
  1564 | kinst_1_335.exe
- Deletes itself (1 IoCs)
  pid | Process
  1928 | cmd.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  1972 | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe
  1564 | kinst_1_335.exe
  1564 | kinst_1_335.exe
  1564 | kinst_1_335.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | kinst_1_335.exe
- Drops file in Program Files directory (1 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Common Files\open.ini | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  pid | Process
  1328 | taskkill.exe
- Modifies registry class (7 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E} | kinst_1_335.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | kinst_1_335.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | kinst_1_335.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278} | kinst_1_335.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories | kinst_1_335.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\guid = "E6F886451532462698A842076AF9DCA9" | kinst_1_335.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\did = "D435E199F3DC26EFD2C33067DD2A678E" | kinst_1_335.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1328 | taskkill.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 1972 wrote to memory of 1564 | 1972 | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe | 30
  PID 1972 wrote to memory of 1564 | 1972 | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe | 30
  PID 1972 wrote to memory of 1564 | 1972 | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe | 30
  PID 1972 wrote to memory of 1564 | 1972 | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe | 30
  PID 1972 wrote to memory of 1564 | 1972 | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe | 30
  PID 1972 wrote to memory of 1564 | 1972 | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe | 30
  PID 1972 wrote to memory of 1564 | 1972 | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe | 30
  PID 1972 wrote to memory of 1928 | 1972 | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe | 31
  PID 1972 wrote to memory of 1928 | 1972 | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe | 31
  PID 1972 wrote to memory of 1928 | 1972 | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe | 31
  PID 1972 wrote to memory of 1928 | 1972 | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe | 31
  PID 1972 wrote to memory of 1928 | 1972 | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe | 31
  PID 1972 wrote to memory of 1928 | 1972 | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe | 31
  PID 1972 wrote to memory of 1928 | 1972 | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe | 31
  PID 1928 wrote to memory of 1328 | 1928 | cmd.exe | 33
  PID 1928 wrote to memory of 1328 | 1928 | cmd.exe | 33
  PID 1928 wrote to memory of 1328 | 1928 | cmd.exe | 33
  PID 1928 wrote to memory of 1328 | 1928 | cmd.exe | 33
  PID 1928 wrote to memory of 1328 | 1928 | cmd.exe | 33
  PID 1928 wrote to memory of 1328 | 1928 | cmd.exe | 33
  PID 1928 wrote to memory of 1328 | 1928 | cmd.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 1972
  - C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Modifies registry class
    PID: 1564
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe.bat
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1928
    - C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill /F /IM bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1328
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe.bat
  Filesize: 330B
  MD5: a1ad8aaf5b3424949370911b1a684a5b
  SHA1: d3465e4ba29682a37e9a910fc1a71acc1bc31615
  SHA256: 6bc8795bdd45eaf1de03545ebb9caea21fd3635d7f64d219fc1a965000f1d10a
  SHA512: 64bd4bedcb684f610d4af0a634fff0b54f3e2d9f982015d3a8be13f4816456af2aefbf6a59c066c739e112e3685e2a59ce1e2bd313a52796fcfd16d4a4bdb539
- (unnamed download)
  Filesize: 1.1MB
  MD5: 3035693137f153ef3e1213a945d33e00
  SHA1: 175f680ed04a381663a594189750b450a1f86229
  SHA256: 646be34566c6b635f9d32fdd54ae7824255a363de2a12d084a1797c3c43ad3a1
  SHA512: 802553d8bd67880efb346ca188b5e7b17d95feafe65018b1d87d372d146c5bbf417040493c527bad1fcbe32c62b6639b00220340226c1cae1ed6640cf94f155c