Analysis
- max time kernel: 33s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03/10/2022, 11:59
Behavioral tasks
- behavioral1
  - Sample: bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
  - Resource: win7-20220812-en
- behavioral2
  - Sample: bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
  - Resource: win10v2004-20220812-en
General
- Target: bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
- Size: 661KB
- MD5: 689481e740f42ffb4feba17baabddf60
- SHA1: f2dbbbef245ac76d7c337aa6f84a4816a7952391
- SHA256: bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337
- SHA512: eed17db502ca8bcde074c71cd69f37372df41e194175636ee16a3c4d278eeb849711c5a5f079ab150fe7ef1b85810b674bc4dd5924ccf3cdfe8fd765e746344c
- SSDEEP: 6144:eVY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bco2KWF:egDhdkq5BCoC5LfWSLTUQpr2Zu19Q3
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe scvhosti.exe" (process: bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe)
- Disables RegEdit via registry modification (1 IoC)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe)
- Disables Task Manager via registry modification
- YARA rule matches: upx (3 memory regions)
  - behavioral1/memory/1896-61-0x0000000000400000-0x00000000004A7000-memory.dmp: upx
  - behavioral1/memory/1896-62-0x0000000000400000-0x00000000004A7000-memory.dmp: upx
  - behavioral1/memory/1896-63-0x0000000000400000-0x00000000004A7000-memory.dmp: upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\scvhosti.exe" (process: bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe)
- AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables.
  - behavioral1/memory/1896-61-0x0000000000400000-0x00000000004A7000-memory.dmp: autoit_exe
  - behavioral1/memory/1896-62-0x0000000000400000-0x00000000004A7000-memory.dmp: autoit_exe
  - behavioral1/memory/1896-63-0x0000000000400000-0x00000000004A7000-memory.dmp: autoit_exe
- Drops file in System32 directory (7 IoCs), all by process bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
  - File created: C:\Windows\SysWOW64\setting.ini
  - File opened for modification: C:\Windows\SysWOW64\setting.ini
  - File created: C:\Windows\SysWOW64\scvhosti.exe
  - File opened for modification: C:\Windows\SysWOW64\scvhosti.exe
  - File created: C:\Windows\SysWOW64\anhui.exe
  - File opened for modification: C:\Windows\SysWOW64\anhui.exe
  - File opened for modification: C:\Windows\SysWOW64\autorun.ini
- Drops file in Windows directory (2 IoCs), all by process bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
  - File created: C:\Windows\scvhosti.exe
  - File opened for modification: C:\Windows\scvhosti.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  - pid 1896: bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe (10 identical entries)
- Suspicious use of WriteProcessMemory (16 IoCs; each entry below appears 4 times in the report)
  - PID 1896 wrote to memory of 1816 (pid 1896, bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe, procid_target 28)
  - PID 1816 wrote to memory of 1576 (pid 1816, cmd.exe, procid_target 30)
  - PID 1896 wrote to memory of 1584 (pid 1896, bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe, procid_target 31)
  - PID 1584 wrote to memory of 1552 (pid 1584, cmd.exe, procid_target 33)
Processes
- C:\Users\Admin\AppData\Local\Temp\bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe (PID 1896)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe"
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1816)
    Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\at.exe (PID 1576)
      Command line: AT /delete /yes
  - C:\Windows\SysWOW64\cmd.exe (PID 1584)
    Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\anhui.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\at.exe (PID 1552)
      Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\anhui.exe