Analysis
- max time kernel: 130s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2022, 00:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472ab.exe
- Resource: win7-20220812-en
General
- Target: 3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472ab.exe
- Size: 120KB
- MD5: 6811f0e3f548ed3e1ae20c14d5696337
- SHA1: c8ae6a73b6b4ff522ad4bbf88e0b99f55bba0dd1
- SHA256: 3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472ab
- SHA512: 257d9744c1aa39c83245e65e47f3c4dd20827efc0db0e8f64ab4aaa71acfc476024ae67a57e8a1c2439e3f9423cb2aeb8cd9b2022bb9897c9c4d90c4d0e63cec
- SSDEEP: 1536:rnySyxBTTYFU3jARV5nmIyjB7xZDDBbrjTosSo2cvoXqoDZyUxnLiUc76Wr5:rySxFQKV5E5TDDB/osSjrXqoN676W1
Malware Config
Signatures
Executes dropped EXE 2 IoCs
pid Process
2128 3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472abSrv.exe
1380 DesktopLayer.exe

resource yara_rule
behavioral2/files/0x001b00000001d9f9-134.dat upx
behavioral2/files/0x001b00000001d9f9-135.dat upx
behavioral2/files/0x000400000001e64b-137.dat upx
behavioral2/files/0x000400000001e64b-139.dat upx
behavioral2/memory/2128-138-0x0000000000400000-0x0000000000413000-memory.dmp upx
behavioral2/memory/1380-140-0x0000000000400000-0x0000000000413000-memory.dmp upx

Drops file in Program Files directory 3 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe 3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472abSrv.exe
File opened for modification C:\Program Files (x86)\Microsoft\px8419.tmp 3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472abSrv.exe
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe 3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472abSrv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings 3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472ab.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process
1380 DesktopLayer.exe
1380 DesktopLayer.exe
1380 DesktopLayer.exe
1380 DesktopLayer.exe
1380 DesktopLayer.exe
1380 DesktopLayer.exe
1380 DesktopLayer.exe
1380 DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
4960 iexplore.exe

Suspicious use of SetWindowsHookEx 5 IoCs
pid Process
2004 3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472ab.exe
4960 iexplore.exe
4960 iexplore.exe
4944 IEXPLORE.EXE
4944 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target
PID 2004 wrote to memory of 2128 2004 3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472ab.exe 82
PID 2004 wrote to memory of 2128 2004 3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472ab.exe 82
PID 2004 wrote to memory of 2128 2004 3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472ab.exe 82
PID 2128 wrote to memory of 1380 2128 3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472abSrv.exe 83
PID 2128 wrote to memory of 1380 2128 3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472abSrv.exe 83
PID 2128 wrote to memory of 1380 2128 3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472abSrv.exe 83
PID 1380 wrote to memory of 4960 1380 DesktopLayer.exe 84
PID 1380 wrote to memory of 4960 1380 DesktopLayer.exe 84
PID 4960 wrote to memory of 4944 4960 iexplore.exe 85
PID 4960 wrote to memory of 4944 4960 iexplore.exe 85
PID 4960 wrote to memory of 4944 4960 iexplore.exe 85
Processes
C:\Users\Admin\AppData\Local\Temp\3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472ab.exe
"C:\Users\Admin\AppData\Local\Temp\3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472ab.exe"
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

  C:\Users\Admin\AppData\Local\Temp\3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472abSrv.exe
  C:\Users\Admin\AppData\Local\Temp\3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472abSrv.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2128

    C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1380

      C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:4960

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4960 CREDAT:17410 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        PID:4944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:4084
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 24KB
MD5 cb27387ec034a4f0a3c79303d3c9fb08
SHA1 5d648bb93f4e41167062d019dc582d353c53db22
SHA256 a4a3c7d8f63aca29c7c5644a438005bd79bddcc5fe5ad1bc6a1e5a1214925dcc
SHA512 6af1e680c1309a0810f5535827f7b0103d83e73e93c1a9295f992b65416b7b2025a3b1159040902b7a4cc096dd8f2b5d2ae5ed3a33e41160bdc4aeb9103af603
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize 471B
MD5 fceed7a5f76725fb398c6a91ff552899
SHA1 237aec000ae7c7c35a639664b1ad6c0d842a0749
SHA256 2888c66a6908f10474313b2fef31aeeff40cffe1bcbd19b84b29334ff6a71383
SHA512 adfba4e72523d38395c13122d6498d9b48d93b2967858f0208549e3830c9b47ee3e98249b98fe585aeeeffe491a6985a98c80a3be581abccf4239bad4d1cdef3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize 404B
MD5 82dc1b5c10eab14c24f7aa6205e47caf
SHA1 3be78f43b08f5ef77fcba9d4ef7507cf5bb71037
SHA256 2a3764ba3c85d5a1807a2085aa22dfc508906122fac2947b8b49b2ba8d5d485d
SHA512 2369f9760ca108425a0b409fca5208377d5b40bf3b6f785509014e8af3184b9672ddad470f8e6fda83e6cfc24656b63a3ed212c02e26b9ed07dcb8884f0a18e0
-
C:\Users\Admin\AppData\Local\Temp\3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472abSrv.exe
Filesize 24KB
MD5 cb27387ec034a4f0a3c79303d3c9fb08
SHA1 5d648bb93f4e41167062d019dc582d353c53db22
SHA256 a4a3c7d8f63aca29c7c5644a438005bd79bddcc5fe5ad1bc6a1e5a1214925dcc
SHA512 6af1e680c1309a0810f5535827f7b0103d83e73e93c1a9295f992b65416b7b2025a3b1159040902b7a4cc096dd8f2b5d2ae5ed3a33e41160bdc4aeb9103af603