Analysis
max time kernel: 150s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 02:41
Behavioral task
behavioral1
Sample: ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Resource: win7-20220812-en
General
Target: ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Size: 729KB
MD5: 45acd575e7b1acd77efd89949ed69fa0
SHA1: d651d529f8bb3fe4a064b212d1e3cd23697c13aa
SHA256: ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9
SHA512: 6c3459fbdd1d2aa2e0f4284ce37137eeb03734c96f297107045b6ee30f37019845495290e3f174ed23e5463b9b20f661c009393d71d81f574dcce8b3864f8d64
SSDEEP: 12288:0PiZktiErttOglVDEQdtHBsD3pM+l+tK81lFlmvodAKBxULEg7KdfHGvMvvZEsAP:5Z3ErttXpEQdtc3pVYTlFlmv+Aq6NKdM
Malware Config
Signatures
Executes dropped EXE 1 IoCs
pid  Process
2260  clientbar.exe

yara_rule upx 5 IoCs
resource
behavioral2/memory/4644-137-0x0000000000400000-0x00000000005BE000-memory.dmp
behavioral2/files/0x0005000000022dc6-139.dat
behavioral2/files/0x0005000000022dc6-140.dat
behavioral2/memory/2260-143-0x0000000000400000-0x0000000000407000-memory.dmp
behavioral2/memory/4644-144-0x0000000000400000-0x00000000005BE000-memory.dmp

yara_rule vmprotect 2 IoCs
resource
behavioral2/files/0x0001000000022df3-145.dat
behavioral2/memory/4644-146-0x0000000010000000-0x0000000010008000-memory.dmp

Loads dropped DLL 1 IoCs
pid  Process
4644  ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe

Drops file in System32 directory 1 IoCs
description  ioc  Process
File opened for modification  C:\WINDOWS\SysWOW64\cfghw.tmp  ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings 13 IoCs
Process (all rows): ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
description  ioc
Set value (int)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "107"
Set value (int)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qq.com\Total = "107"
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
Set value (int)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qq.com\NumberOfSubdomains = "1"
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qq.com
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\aq.qq.com
Set value (int)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\aq.qq.com\ = "107"
Set value (int)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"
Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
2260  clientbar.exe  (64 occurrences)

Suspicious use of AdjustPrivilegeToken 4 IoCs
description  pid  Process
Token: SeSystemtimePrivilege  4644  ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe  (4 occurrences)

Suspicious use of SetWindowsHookEx 3 IoCs
pid  Process
4644  ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe  (3 occurrences)

Suspicious use of WriteProcessMemory 9 IoCs
description  pid  Process  procid_target
PID 4644 wrote to memory of 2260  4644  ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe  83  (3 occurrences)
PID 2260 wrote to memory of 1656  2260  clientbar.exe  84  (3 occurrences)
PID 1656 wrote to memory of 3844  1656  net.exe  86  (3 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe  (PID 4644)
  command line: "C:\Users\Admin\AppData\Local\Temp\ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\temp\clientbar.exe  (PID 2260)
    command line: c:\windows\temp\clientbar.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe  (PID 1656)
      command line: net stop sharedaccess
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe  (PID 3844)
        command line: C:\Windows\system32\net1 stop sharedaccess
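The chain above ends in `net stop sharedaccess`. SharedAccess is the Internet Connection Sharing service, which on Windows XP also hosted the Windows Firewall; on Windows Vista and later the firewall runs as MpsSvc, so on this Windows 10 sandbox the command does little, but a dropped executable in c:\windows\temp spawning net.exe to stop a firewall service remains a strong hunting signal. The following Python is an added example, not part of the tria.ge report or of the sample: it rebuilds the process tree from records transcribed from the report's Processes section, lists executables launched from c:\windows\temp, and flags `net stop` of a firewall service together with the ancestry of the process that issued it. The record layout (pid/ppid/image/cmdline dicts) is an assumption for illustration, not tria.ge's export format, and the inclusion of MpsSvc generalises beyond the one service name the report shows.

```python
import re

# Added example, not part of the tria.ge report. Records are constructed from the
# report's "Processes" section (paths, PIDs and command lines as listed there);
# the dict layout is an assumption, not tria.ge's export format.
SAMPLE = "ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe"
USER_TEMP = r"C:\Users\Admin\AppData\Local\Temp"

PROCESSES = [
    {"pid": 4644, "ppid": None,
     "image": USER_TEMP + "\\" + SAMPLE,
     "cmdline": '"' + USER_TEMP + "\\" + SAMPLE + '"'},
    {"pid": 2260, "ppid": 4644,
     "image": r"\??\c:\windows\temp\clientbar.exe",
     "cmdline": r"c:\windows\temp\clientbar.exe"},
    {"pid": 1656, "ppid": 2260,
     "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": "net stop sharedaccess"},
    {"pid": 3844, "ppid": 1656,
     "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 stop sharedaccess"},
]

# sharedaccess: legacy XP-era firewall/ICS service name seen in the report.
# mpssvc: the Windows Firewall service on Vista and later (added generalisation).
FIREWALL_SERVICES = ("sharedaccess", "mpssvc")

# Matches "net stop <svc>" and "...\net1 stop <svc>", with or without ".exe".
NET_STOP = re.compile(r'(?:^|\\)net1?(?:\.exe)?"?\s+stop\s+(\S+)', re.IGNORECASE)

WINDOWS_TEMP = "c:\\windows\\temp\\"


def build_tree(procs):
    """Return (pid -> record, pid -> list of child pids)."""
    by_pid = {p["pid"]: p for p in procs}
    children = {p["pid"]: [] for p in procs}
    for p in procs:
        if p["ppid"] in children:
            children[p["ppid"]].append(p["pid"])
    return by_pid, children


def ancestry(procs, pid):
    """PIDs from the root of the tree down to `pid`, inclusive."""
    by_pid, _ = build_tree(procs)
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def executables_run_from_windows_temp(procs):
    """PIDs whose image lives under c:\\windows\\temp (the dropped clientbar.exe here)."""
    hits = []
    for p in procs:
        # Strip the NT object-manager prefix (\??\) that the report shows for dropped files.
        image = p["image"].lower().replace("\\??\\", "")
        if image.startswith(WINDOWS_TEMP):
            hits.append(p["pid"])
    return hits


def find_service_stops(procs, services=FIREWALL_SERVICES):
    """Processes whose command line stops a watched service, with their ancestry."""
    hits = []
    for p in procs:
        m = NET_STOP.search(p["cmdline"])
        if m and m.group(1).lower() in services:
            hits.append({"pid": p["pid"],
                         "service": m.group(1).lower(),
                         "chain": ancestry(procs, p["pid"])})
    return hits


def render_tree(procs):
    """Indented text rendering of the process tree, one 'pid image' line per process."""
    by_pid, children = build_tree(procs)
    roots = [p["pid"] for p in procs if p["ppid"] not in by_pid]
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {by_pid[pid]['image']}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(PROCESSES))
    print("run from c:\\windows\\temp:", executables_run_from_windows_temp(PROCESSES))
    for hit in find_service_stops(PROCESSES):
        chain = " -> ".join(str(pid) for pid in hit["chain"])
        print(f"net stop {hit['service']} by pid {hit['pid']}: {chain}")
```

Both net.exe (1656) and its net1.exe child (3844) match, which is expected: net.exe always delegates to net1.exe, so a rule keyed on the command line alone fires twice per attempt. Keying on the ancestry instead (a c:\windows\temp executable as grandparent of the net1 call) gives one alert per chain.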
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 5KB
MD5: 0ca87b75fe0cde361fba653f4c67b9f6
SHA1: 95dec5649144b7fe90ac0517c6e14f369e27e0c4
SHA256: 09df7690b946f8916fb5d406b3598aee76e255743d6db76fd48af0d2d62846e3
SHA512: 8725243967716e64e656e4e6f43d87438a2dfb736a3ed5cf35621064683c7801450fd50389af133f5b4eee084077011b00af3a3a1612c413d9a4bd19ebb58fd1

Filesize: 16KB
MD5: dc496987d75b5e592112605a2dbd8532
SHA1: 758513f98b8765aa17219c5c4a9afd177dee2832
SHA256: e07e564b08899a594905bd503090321754df7c1c01acedc91bc3853c41c716dd
SHA512: f2949ab15b83f7448619e7b6adead063bd2d1a616249f3bc22c200133303b49d8541b53418ae993770070cd9576abf34237d21f8441b693c8d35c6107066d7f8

Filesize: 5KB
MD5: 0ca87b75fe0cde361fba653f4c67b9f6
SHA1: 95dec5649144b7fe90ac0517c6e14f369e27e0c4
SHA256: 09df7690b946f8916fb5d406b3598aee76e255743d6db76fd48af0d2d62846e3
SHA512: 8725243967716e64e656e4e6f43d87438a2dfb736a3ed5cf35621064683c7801450fd50389af133f5b4eee084077011b00af3a3a1612c413d9a4bd19ebb58fd1