Analysis
  max time kernel: 100s
  max time network: 131s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 08/10/2022, 09:26
Behavioral task: behavioral1
  Sample: 0b7d3217ae50a0433b3a96494d089e05.exe
  Resource: win7-20220812-en
General
  Target: 0b7d3217ae50a0433b3a96494d089e05.exe
  Size: 1.1MB
  MD5: 0b7d3217ae50a0433b3a96494d089e05
  SHA1: 012822d29e1ec200b9cf23e10cb0d8a380ec4da6
  SHA256: 89609c41c0c13302695dec877a6863737243e22b414740e0595f62a0c4d1362a
  SHA512: 14a2558b3b56fa9f0f1c31dfe2d65cb5b2574c72f16240b94a642be738d1df49d212ebd94a2440aa8c32ba99d2c5876b632a69027615021f2a5bcc552b8d0888
  SSDEEP: 24576:6AbXH84DRnKCwyElWCAMmKix1x1IDStOX2cBZ8umx7QgbcxWsG2Emy:DL8uokzK6DxcD8uqzbcxWX/my
Malware Config
  Extracted: ffdroider
  http://103.136.42.153
Signatures

Modifies system executable filetype association (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  Process: 0b7d3217ae50a0433b3a96494d089e05.exe

Neshta
  Malware from the Neshta family is designed to inject itself into other files to spread itself and cause damage.
  Resource / YARA rule:
    behavioral2/files/0x0008000000022e04-133.dat: aspack_v212_v242
    behavioral2/files/0x0008000000022e04-134.dat: aspack_v212_v242
    behavioral2/files/0x0007000000022e05-175.dat: aspack_v212_v242

Executes dropped EXE (1 IoC)
  PID: 4800
  Process: 0b7d3217ae50a0433b3a96494d089e05.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  Process: 0b7d3217ae50a0433b3a96494d089e05.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStart = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0b7d3217ae50a0433b3a96494d089e05.exe"
  Process: 0b7d3217ae50a0433b3a96494d089e05.exe
Drops file in Program Files directory (64 IoCs)
  Description (all entries): File opened for modification
  Process (all entries): 0b7d3217ae50a0433b3a96494d089e05.exe
  IoCs:
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
    C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
    C:\PROGRA~2\WINDOW~2\wab.exe
    C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
    C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
    C:\PROGRA~2\Google\Update\DISABL~1.EXE
    C:\PROGRA~2\INTERN~1\ielowutil.exe
    C:\PROGRA~2\WINDOW~4\wmpconfig.exe
    C:\PROGRA~2\WINDOW~4\wmprph.exe
    C:\PROGRA~2\WINDOW~4\wmpshare.exe
    C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
    C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
    C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
    C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
    C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE
    C:\PROGRA~2\WINDOW~4\wmlaunch.exe
    C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
    C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
    C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
    C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE
    C:\PROGRA~2\WINDOW~4\setup_wm.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
    C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
    C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
    C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
    C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
    C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
    C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
    C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
    C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
    C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
    C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
    C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
    C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
    C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
    C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
    C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
    C:\PROGRA~2\WINDOW~4\wmplayer.exe
    C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
    C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
    C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
    C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
    C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
    C:\PROGRA~2\INTERN~1\ExtExport.exe
    C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
    C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE
    C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
    C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
    C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE
    C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
    C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
    C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Drops file in Windows directory (1 IoC)
  Description: File opened for modification
  IoC: C:\Windows\svchost.com
  Process: 0b7d3217ae50a0433b3a96494d089e05.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  Process: 0b7d3217ae50a0433b3a96494d089e05.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description: Token: SeManageVolumePrivilege
  PID: 4800
  Process: 0b7d3217ae50a0433b3a96494d089e05.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Description / PID / Process / procid_target:
    PID 4548 wrote to memory of 4800 / 4548 / 0b7d3217ae50a0433b3a96494d089e05.exe / 84
    PID 4548 wrote to memory of 4800 / 4548 / 0b7d3217ae50a0433b3a96494d089e05.exe / 84
    PID 4548 wrote to memory of 4800 / 4548 / 0b7d3217ae50a0433b3a96494d089e05.exe / 84
Processes

C:\Users\Admin\AppData\Local\Temp\0b7d3217ae50a0433b3a96494d089e05.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b7d3217ae50a0433b3a96494d089e05.exe"
  PID: 4548
  - Modifies system executable filetype association
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\3582-490\0b7d3217ae50a0433b3a96494d089e05.exe (child of PID 4548)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\0b7d3217ae50a0433b3a96494d089e05.exe"
    PID: 4800
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

  Filesize: 1.1MB
  MD5: 78c42d6817af1ad96cabdf6ff2f7f3da
  SHA1: abeadcee8d9f00c6ccdb0f9d33edd1006a079384
  SHA256: 38b2c7a1af454d382927f81543d86055886bc028634575050367d052efd26434
  SHA512: 76a3b3e6ae0ea0f17661314fe391ec8b9b580a7ecfee0ebe2d830db3843d5d929d6bf3adb8cb03f6b87212a607ce001700ea3dc305828c817ff017dd3b766811

  Filesize: 1.1MB
  MD5: 5af08e991075f2c1d19f2c434760afe3
  SHA1: 32ae27ef209e6b5f7acd937483905c84e3d1b62c
  SHA256: 6ac6fd0db8e4dad3a7d57835e7cc8e6a836491f988b521cc6d919c2bab565cfe
  SHA512: 389b4ba4e6817dc9c68d9ef19d676b3278c4f4559e87ba885ae57e4974dfbb2b1a24bf055e2a6e24a0432b20376e6ea075273b975b88a93fb57aa0a98b71e075