Analysis
- max time kernel: 139s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
- submitted: 11/10/2022, 02:42
Static task: static1
Behavioral task: behavioral1
  Sample: 690fcd482d0528c3ec18ce0fe59d34676b2d85e642597a4041162901458ccf5b.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 690fcd482d0528c3ec18ce0fe59d34676b2d85e642597a4041162901458ccf5b.exe
  Resource: win10v2004-20220901-en
General
- Target: 690fcd482d0528c3ec18ce0fe59d34676b2d85e642597a4041162901458ccf5b.exe
- Size: 176KB
- MD5: 6edc7217832ad45bef0bc7a00c8dc880
- SHA1: f1196d0fed56b236d70d8dcdb4c033be1f08424c
- SHA256: 690fcd482d0528c3ec18ce0fe59d34676b2d85e642597a4041162901458ccf5b
- SHA512: 6426734861d1b498428141c5aa233dece3a3c5815f835868e57b6289d238ed0138666fd95587d1edfd88f0a6a338b7c04822224b45ca07d636b57f408efcdb9e
- SSDEEP: 3072:sogIIJPyeiKKop5TosVv/jKufybA2d26csLGVoQF9Wu:sogu8VNosZ/jud2lWu
Malware Config
Signatures
- Drops file in Drivers directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\WINDOWS\system32\drivers\etc\hosts | 690fcd482d0528c3ec18ce0fe59d34676b2d85e642597a4041162901458ccf5b.exe
- Modifies Installed Components in the registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Deletes itself (1 IoCs)
  pid | Process
  1176 | cmd.exe
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings (2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
- Modifies Internet Explorer start page (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.qq5.com/?gg" | 690fcd482d0528c3ec18ce0fe59d34676b2d85e642597a4041162901458ccf5b.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  1368 | 690fcd482d0528c3ec18ce0fe59d34676b2d85e642597a4041162901458ccf5b.exe
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 976 | explorer.exe (10 entries)
  Token: 33 | 304 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 304 | AUDIODG.EXE
  Token: 33 | 304 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 304 | AUDIODG.EXE
  Token: SeShutdownPrivilege | 976 | explorer.exe (3 entries)
- Suspicious use of FindShellTrayWindow (26 IoCs)
  pid | Process
  976 | explorer.exe (26 entries)
- Suspicious use of SendNotifyMessage (21 IoCs)
  pid | Process
  976 | explorer.exe (21 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1368 wrote to memory of 976 | 1368 | 690fcd482d0528c3ec18ce0fe59d34676b2d85e642597a4041162901458ccf5b.exe | 27 (4 entries)
  PID 1368 wrote to memory of 1176 | 1368 | 690fcd482d0528c3ec18ce0fe59d34676b2d85e642597a4041162901458ccf5b.exe | 30 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\690fcd482d0528c3ec18ce0fe59d34676b2d85e642597a4041162901458ccf5b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\690fcd482d0528c3ec18ce0fe59d34676b2d85e642597a4041162901458ccf5b.exe"
  PID: 1368
  - Drops file in Drivers directory
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe
    command line: C:\Windows\explorer.exe
    PID: 976
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\yyyy.bat
    PID: 1176
    - Deletes itself
- C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x1d4
  PID: 304
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  command line: explorer.exe
  PID: 1116
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 176KB
  MD5: febaedd6a1f8eaada6178f347e75eacd
  SHA1: 1e99e9c5683cdfcb24382b12a88c9619a78fcc26
  SHA256: 99f428295cfb5d2fcee518bcbecf658a158f8de144eebc98f449c7c8ee7f1d28
  SHA512: 75224d4f9bfddfbd215d6b3b53c89de9bd708f080488f197887a174f3f7e1bd5d553ad744f3ad4caeb3fa3f27749c033ba3e8f3eb20afd983e25ce5346024907
- Filesize: 337B
  MD5: 2c0a97a0d14e3c6f98b51269edb100f3
  SHA1: eac66665206208bf94c95678c5f553b061099f30
  SHA256: 98d8ad688a0f4e3e96b8e99779fe48792a5685b7a1a22734964f416ce5767dd4
  SHA512: ad0ee648b55c2f636fb93b231623347a30a18a08a731f2270a264486d6807e287421d6e4350741c78e899de8476863fe4998d2068e6d4b4df04fd7955bbff6aa