Analysis
max time kernel: 151s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2022, 11:59
Behavioral task: behavioral1
Sample: bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
Resource: win10v2004-20220812-en
General
Target: bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
Size: 661KB
MD5: 689481e740f42ffb4feba17baabddf60
SHA1: f2dbbbef245ac76d7c337aa6f84a4816a7952391
SHA256: bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337
SHA512: eed17db502ca8bcde074c71cd69f37372df41e194175636ee16a3c4d278eeb849711c5a5f079ab150fe7ef1b85810b674bc4dd5924ccf3cdfe8fd765e746344c
SSDEEP: 6144:eVY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bco2KWF:egDhdkq5BCoC5LfWSLTUQpr2Zu19Q3
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe scvhosti.exe" | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
Disables Task Manager via registry modification
yara_rule matches:
resource | yara_rule
behavioral2/memory/3440-132-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
behavioral2/memory/3440-137-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\scvhosti.exe" | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3440-132-0x0000000000400000-0x00000000004A7000-memory.dmp | autoit_exe
behavioral2/memory/3440-137-0x0000000000400000-0x00000000004A7000-memory.dmp | autoit_exe
Drops file in System32 directory (7 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\anhui.exe | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
File opened for modification | C:\Windows\SysWOW64\autorun.ini | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
File created | C:\Windows\SysWOW64\setting.ini | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
File opened for modification | C:\Windows\SysWOW64\setting.ini | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
File created | C:\Windows\SysWOW64\scvhosti.exe | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
File opened for modification | C:\Windows\SysWOW64\scvhosti.exe | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
File created | C:\Windows\SysWOW64\anhui.exe | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\scvhosti.exe | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
File opened for modification | C:\Windows\scvhosti.exe | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
3440 | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
(the same pid/process entry is reported 20 times)
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 3440 wrote to memory of 3436 | 3440 | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe | 83
PID 3440 wrote to memory of 3436 | 3440 | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe | 83
PID 3440 wrote to memory of 3436 | 3440 | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe | 83
PID 3436 wrote to memory of 5112 | 3436 | cmd.exe | 85
PID 3436 wrote to memory of 5112 | 3436 | cmd.exe | 85
PID 3436 wrote to memory of 5112 | 3436 | cmd.exe | 85
PID 3440 wrote to memory of 532 | 3440 | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe | 86
PID 3440 wrote to memory of 532 | 3440 | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe | 86
PID 3440 wrote to memory of 532 | 3440 | bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe | 86
PID 532 wrote to memory of 3968 | 532 | cmd.exe | 88
PID 532 wrote to memory of 3968 | 532 | cmd.exe | 88
PID 532 wrote to memory of 3968 | 532 | cmd.exe | 88
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bea4aac28a69027efe1af3ad387ce3f89d2b90ea6c9aa6460f64cc4126c38337.exe"
  PID: 3440
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
    PID: 3436
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\at.exe
      Command line: AT /delete /yes
      PID: 5112

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\anhui.exe
    PID: 532
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\at.exe
      Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\anhui.exe
      PID: 3968