Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    124s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/10/2022, 19:24

General

  • Target

    214772eef96c87f6e04c9447384a31e5.exe

  • Size

    124KB

  • MD5

    214772eef96c87f6e04c9447384a31e5

  • SHA1

    a2bf5350b6a36c71d0b9e350e3cea34d285b293a

  • SHA256

    200a33f3776fbe48ce1565851d06e6e8e1462f91e88d3326581e1b4327613bce

  • SHA512

    4fddcc0509e8060263360515b94a116f908407be0ea7e66abfc4b9a3aab310264aaad0ded68921fa1731242f0975941643f8de521b9877f9c5ab921bf85cf096

  • SSDEEP

    3072:q1i/NU8bOMYcYYcmy5cU+gTn6HOjDhWrzvvQwlgOks5YmMOMYcYY51i/NU8F:Ui/NjO5YBgegD0PHzSv3Oai/NN

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\214772eef96c87f6e04c9447384a31e5.exe
    "C:\Users\Admin\AppData\Local\Temp\214772eef96c87f6e04c9447384a31e5.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4720
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4720 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4428
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      PID:4264
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:2288
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:1680
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3920
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • Views/modifies file attributes
        PID:4048
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:260
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:3844
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4232
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:3364
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3688
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:2824
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • Views/modifies file attributes
        PID:2296

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\windows.exe

    Filesize

    124KB

    MD5

    f8fef7780fcf87eba49e8b57ca9ccf47

    SHA1

    ac3b352afe4c2fc5fc47ef3302693a78defde507

    SHA256

    c84052843cd236ef4d0c37fa904f962c4b80c3c9a6b72d8ff9b9e6b73e30919c

    SHA512

    0455d942a50c00dbef9ee8b5ae78d94b827de749c802d081d25ba3cdde4851a3e7ae07a6907fcba13424be256ed85ed7c8ad216dc98317dd0f0da8084e1c56ed

  • C:\system.exe

    Filesize

    124KB

    MD5

    ad2a46ec4caf16f205c0c6998cf5edd1

    SHA1

    5f3ca08a76020fda7877ebae68208b2aa12d431f

    SHA256

    ef50147b4551e3b86699de8a11385505f45d752cd459fd14324572d854425c59

    SHA512

    472751cd8bf747b3f473d9ae5f7e8e3efcd8c2940a5453c329187128efcdca21f0a8b8518075cfbe378c95bf5d003e5413481641057f617d5f279a5049048f17