Analysis

  • max time kernel
    120s
  • max time network
    187s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2022, 04:54

General

  • Target

    5d0f8da5c949fc019547826d1b32d86d814d1cf05ee53e2d565202fdbf33b04a.exe

  • Size

    556KB

  • MD5

    6e02ddce9403b04e594e963342803850

  • SHA1

    27e5d8593d521ca885139c77c2e32e7a8b3eb9b3

  • SHA256

    5d0f8da5c949fc019547826d1b32d86d814d1cf05ee53e2d565202fdbf33b04a

  • SHA512

    d8b8aeffca2a899b3b9539b3996f5f0c3eec962e79b953d5197613f6412c01a8260a9ce5c07a6199c17c1acf8f7402ca4dd8bbb2f9328c05072baf54cef9f9de

  • SSDEEP

    12288:UWT4dAkoyu/r7jhTNjqaQ/bn3bwVfAc2icIDm6pI:Ou/r7VhqhwtnjpI

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 5 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d0f8da5c949fc019547826d1b32d86d814d1cf05ee53e2d565202fdbf33b04a.exe
    "C:\Users\Admin\AppData\Local\Temp\5d0f8da5c949fc019547826d1b32d86d814d1cf05ee53e2d565202fdbf33b04a.exe"
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Users\Admin\AppData\Local\Temp\5d0f8da5c949fc019547826d1b32d86d814d1cf05ee53e2d565202fdbf33b04amgr.exe
      C:\Users\Admin\AppData\Local\Temp\5d0f8da5c949fc019547826d1b32d86d814d1cf05ee53e2d565202fdbf33b04amgr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1460
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1460 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1620
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1232
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1232 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1604

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5AABC631-4227-11ED-9172-7ADD0904B6AC}.dat

    Filesize

    3KB

    MD5

    928f96331c1a6fd3bf390bc874409204

    SHA1

    52c9736bbe999df098439b962c2f9af1b9404429

    SHA256

    9256ec9a80f2fd119d562abc88990d5fdfbd5acf3399fbcc5796bf511391c2cf

    SHA512

    45718f67c1995f500b4f9f293d7e7f7cc2e48102cfcb3d8924cb6a4e1d9703ca624bc1a0c550955c6fd45a2742d6451e143adf7b1ec0cd404edd30a8e0af7187

  • C:\Users\Admin\AppData\Local\Temp\5d0f8da5c949fc019547826d1b32d86d814d1cf05ee53e2d565202fdbf33b04amgr.exe

    Filesize

    132KB

    MD5

    03458f75016342531765a7def629c6fe

    SHA1

    7e14e6534123ce7e51aafa2ccda4688a4524eeaf

    SHA256

    860fdd78a1ca6dd68db4d64b918ef1fea1734a0650d4aad8c159eaf1e41ba98f

    SHA512

    2db0af32ab82875e50d630798ee81b8a6fef9d1fccd6953fb891e6fc07fc048b30e65fd934ad8f6bd1531d7dcb73129043a219e28f82f55497a84b8b5e9ec198

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UNRIQAZR.txt

    Filesize

    603B

    MD5

    c2c096187d4df9b1caa856450ebade1b

    SHA1

    97f7634d87bb6b6e5ea384feaf298cbf33fd08cd

    SHA256

    364114223852fdea8688e64a3bfa00c347eb804873dbb2ff37fbacc0aa080e99

    SHA512

    f7e51840a6b00af0aa3bf0ece727e2d543577be06b2fb2e817b741e307eb58c2fb5a518dc2a1fef5c13249ee1eb872adc147a0bfbe9072eb4fd70c5845ebe5c2

  • \Users\Admin\AppData\Local\Temp\5d0f8da5c949fc019547826d1b32d86d814d1cf05ee53e2d565202fdbf33b04amgr.exe

    Filesize

    132KB

    MD5

    03458f75016342531765a7def629c6fe

    SHA1

    7e14e6534123ce7e51aafa2ccda4688a4524eeaf

    SHA256

    860fdd78a1ca6dd68db4d64b918ef1fea1734a0650d4aad8c159eaf1e41ba98f

    SHA512

    2db0af32ab82875e50d630798ee81b8a6fef9d1fccd6953fb891e6fc07fc048b30e65fd934ad8f6bd1531d7dcb73129043a219e28f82f55497a84b8b5e9ec198

  • \Windows\SysWOW64\iconhandle.dll

    Filesize

    89KB

    MD5

    ff5e351935f68327176317557d39d148

    SHA1

    782af9b27d5fe6ab8b77e648c0e106024ddfad49

    SHA256

    beccf49b42d153047e4912aa0d00202a5ef9d94f57dfe2a7ce7f43afa338e5bf

    SHA512

    45ebef101a0e0e1630828d4e8dda46523e015b5074009a2ba8fa8a9ab62853f48f49b6bdad2a158ab0f377e6597c905501acf5391ffa74c9768e71f2599fe6cb

  • \Windows\SysWOW64\webad.dll

    Filesize

    92KB

    MD5

    34804338d229cd5d610d2035e31f2bcc

    SHA1

    10c1293ac1f32556af1741ae68751e8c7755a558

    SHA256

    d76bb94b09aa6e982077bc6f8d27687f9948976f1359b21633fffe550e8fa57c

    SHA512

    d50f0fbfcde21ce9ea624cb4925af0bec85d36af10784a598478168daed0dfc748e8260ac37f92a6a95d9b1c85e048f2a29e7c91c5f66a42d08879e57d17e31b

  • memory/1760-54-0x0000000076181000-0x0000000076183000-memory.dmp

    Filesize

    8KB

  • memory/1760-64-0x0000000000900000-0x0000000000992000-memory.dmp

    Filesize

    584KB

  • memory/1760-59-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/1760-58-0x0000000000900000-0x0000000000992000-memory.dmp

    Filesize

    584KB

  • memory/1940-66-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/1940-67-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB