Analysis
max time kernel: 147s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/10/2022, 15:20
Static task: static1
Behavioral task: behavioral1
Sample: NEW_ORDER_00041221.EXE.exe
Resource: win7-20220812-en
General
Target: NEW_ORDER_00041221.EXE.exe
Size: 6KB
MD5: 78715a3a620e1f4b1937a1bd7e764e57
SHA1: 0b67de4eaccbfe16d41bedc538b2a64bffaecbb0
SHA256: 37ad2a3bfe4e60fb4ad6f9edf3bd25602ebdbacf2ce429e96c3ec7b4213090e2
SHA512: b55a095194d506bd111fe9d93440ee97be0f9418256e839ee3ce892af1206711402c493bdbeca021d4187433c0f080febfa44451e03737c3ddf6f0b6c9ccd91a
SSDEEP: 96:x+UKECqBC+bbhb4Lp5zV6ur8y2LnfoYYMxaDzNt:xgwHhcLp1V6ur+LfoYY5F
Malware Config
Extracted
formbook
gski
mezaika.com
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: NEW_ORDER_00041221.EXE.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: NEW_ORDER_00041221.EXE.exe)

Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Elxsztjeo = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mrlhuase\\Elxsztjeo.exe\"" (process: NEW_ORDER_00041221.EXE.exe)

Suspicious use of SetThreadContext (3 IoCs)
- PID 2688 (NEW_ORDER_00041221.EXE.exe) set thread context of PID 2108 (procid_target 93)
- PID 2108 (NEW_ORDER_00041221.EXE.exe) set thread context of PID 2204 (procid_target 30)
- PID 4228 (netsh.exe) set thread context of PID 2204 (procid_target 30)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
- Key created: \Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: netsh.exe)

Suspicious behavior: EnumeratesProcesses (38 IoCs)
- PID 4856 powershell.exe (2 entries)
- PID 2108 NEW_ORDER_00041221.EXE.exe (8 entries)
- PID 4228 netsh.exe (28 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 2204 Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
- PID 2108 NEW_ORDER_00041221.EXE.exe (3 entries)
- PID 4228 netsh.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, PID 2688 NEW_ORDER_00041221.EXE.exe
- Token: SeDebugPrivilege, PID 4856 powershell.exe
- Token: SeDebugPrivilege, PID 2108 NEW_ORDER_00041221.EXE.exe
- Token: SeDebugPrivilege, PID 4228 netsh.exe

Suspicious use of WriteProcessMemory (15 IoCs)
- PID 2688 (NEW_ORDER_00041221.EXE.exe) wrote to memory of PID 4856 (procid_target 86), 3 entries
- PID 2688 (NEW_ORDER_00041221.EXE.exe) wrote to memory of PID 2108 (procid_target 93), 6 entries
- PID 2204 (Explorer.EXE) wrote to memory of PID 4228 (procid_target 94), 3 entries
- PID 4228 (netsh.exe) wrote to memory of PID 2184 (procid_target 95), 3 entries
Processes

- C:\Windows\Explorer.EXE (PID 2204), command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\NEW_ORDER_00041221.EXE.exe (PID 2688), command line: "C:\Users\Admin\AppData\Local\Temp\NEW_ORDER_00041221.EXE.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4856), command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA3AA== (the base64 argument decodes to the UTF-16LE string Start-Sleep -Seconds 57)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\NEW_ORDER_00041221.EXE.exe (PID 2108), command line: C:\Users\Admin\AppData\Local\Temp\NEW_ORDER_00041221.EXE.exe
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe (PID 4228), command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\Firefox.exe (PID 2184), command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"