Analysis

  • max time kernel
    157s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2022, 08:06

General

  • Target
    478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
  • Size
    660KB
  • MD5
    affd7cfdd9720f8a044d5e9410923a78
  • SHA1
    80ac3f86c3a31c4516f9077f8c5e990de2068032
  • SHA256
    478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064
  • SHA512
    5468ae683c5d5cf41ae8b961d40a02e827a226a2aa5845c74d20ef0f556145d737d3d8932b0dbae4ff69736c388a931f72a5f33a2775b1a9ac8717ce160b43de
  • SSDEEP
    12288:1kr/10xl0PFS4jwbIsO/arlTT6zncVUJ7vndkrh:+r/10xl04EOIH/cTT6DNGrh

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Drops desktop.ini file(s) 26 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe
    "C:\Users\Admin\AppData\Local\Temp\478c116d9bb318b4621c7839c81be36261c38e748a593249f8c9c67789f71064.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5016
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
        3⤵
        • Creates scheduled task(s)
        PID:1404
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ispeyzjo\ispeyzjo.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES569C.tmp" "c:\ProgramData\CSC6C51DE26E371487EBAF7863D3245F881.TMP"
        3⤵
        PID:4008
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
      2⤵
      PID:2368
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      PID:1904
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2108
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      2⤵
      PID:1812
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      PID:2576
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      2⤵
      PID:3060
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set currentprofile state off
        3⤵
        • Modifies Windows Firewall
        PID:3988
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4608
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode mode=disable
        3⤵
        • Modifies Windows Firewall
        PID:1716
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Get-ADComputer -filter * -Searchbase '%s' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2592
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2100

Downloads

  • C:\ProgramData\z2yubeqs.exe
    Filesize
    28KB
    MD5
    ee379bb2de1951ffc406d3a90f3a5f94
    SHA1
    bc9fce35cf2c057391c003128dfac5a467317761
    SHA256
    e0f7e20f5f1fd921301337771fae8d7af2fea18b2e034c78517cfe1c39f89a3a
    SHA512
    b7b369fdb0dc43a99579abe5636912071d1f9724bac1dd0e72f98291339cfd7c921847089f55fbdc9533cb6de55c9678e86ec35db8d5e2620bca91ba7bf030b4

  • C:\Users\Admin\AppData\Local\Temp\RES569C.tmp
    Filesize
    25KB
    MD5
    d69236fd6e48ce09cf844033b9211aca
    SHA1
    5500f550237eeb3686321dd2ab4024162ff0badb
    SHA256
    0d43bcf5b3fe55bea4ff725a119a7b265358df66741deece6e7c8a84942d89cf
    SHA512
    c2e7b8d64e47de4b252fc03ce937504fef55f82814060aed1550c80fcb62a58c1c7e2c1e7e4f286260c864f4386b98943ae698a75b8145c595731f1f2d37aee6

  • \??\c:\ProgramData\CSC6C51DE26E371487EBAF7863D3245F881.TMP
    Filesize
    24KB
    MD5
    b5cd1dab865ae06645aee06a3adb4593
    SHA1
    fc3de66360608f2339d912f82d1075704e3c6465
    SHA256
    7b546e473b65419bd5abd34729dc9bca136aca2714b7989879a55e58991b43c8
    SHA512
    948b4ca873d2e302e9887f4c230a6bd6b04291b1a615c6a524b53c166bbb3be2daa58b27a791c5bf9b5c5cbf7d7b55b4a01d27dd2e0388433d896332a1828353

  • \??\c:\Users\Admin\AppData\Local\Temp\ispeyzjo\ispeyzjo.0.cs
    Filesize
    1KB
    MD5
    e5ed578b429b2183e3aa05e94df9e278
    SHA1
    43701a596dae631cdc0eb482a940cc1edebd6f3f
    SHA256
    1403a91040808d1c057f8edb45157a7d3cb9245b3dc3ae52074e48a093cb93c5
    SHA512
    ca0988657e02b174ac6b34b872c1ce54a89d935ff8d4ce747adaaf2040237fd55da13e76f92c3e01dd57cb153d839725509d7942d1916e0e77580db474bad0cb

  • \??\c:\Users\Admin\AppData\Local\Temp\ispeyzjo\ispeyzjo.cmdline
    Filesize
    236B
    MD5
    87fca89b680876dc4cf3c16fa1523d8a
    SHA1
    64a2ec87b0e3a0d1e07468ab7a10f6468629f1f8
    SHA256
    bf70ab4370ed14b8954b6bd400c35bb556db42bf6e9168261a2d6109f1a4bc52
    SHA512
    d50c9d1efe18979236e819fd768f4ad692bf0742098b2b3a9ec3fa7a54d503d81a4fbf3e92acf854a2d7a245eed1fe2f9e78fe5c35c56925b3d4d09ffe099aca

  • \??\c:\Users\Admin\AppData\Local\Temp\juq5evc3.ico
    Filesize
    23KB
    MD5
    8c9a5448905c6ad6f5a15ad8f102fa56
    SHA1
    185575a9708fe9ff122423e459eeed7098ad11d4
    SHA256
    fc65491d373c30593f9ef53d83959625dc384bc42d551aa77a666d4e9b538104
    SHA512
    2032d1f19ac0734339626531cd77ce0509dbba93260c87505d20998ab66aa3dceee4c94e10d8620cdcc62eacf9e63bbe5357afa2a09abdaa51ca0fde8b9aed50

  • memory/2592-165-0x0000000005DE0000-0x0000000005DFE000-memory.dmp
    Filesize
    120KB
  • memory/2592-169-0x00000000077C0000-0x0000000007E3A000-memory.dmp
    Filesize
    6.5MB
  • memory/2592-175-0x0000000007490000-0x0000000007498000-memory.dmp
    Filesize
    32KB
  • memory/2592-174-0x00000000074A0000-0x00000000074BA000-memory.dmp
    Filesize
    104KB
  • memory/2592-173-0x0000000007450000-0x000000000745E000-memory.dmp
    Filesize
    56KB
  • memory/2592-172-0x0000000007370000-0x0000000007406000-memory.dmp
    Filesize
    600KB
  • memory/2592-171-0x0000000007150000-0x000000000715A000-memory.dmp
    Filesize
    40KB
  • memory/2592-170-0x0000000006490000-0x00000000064AA000-memory.dmp
    Filesize
    104KB
  • memory/2592-168-0x00000000063D0000-0x00000000063EE000-memory.dmp
    Filesize
    120KB
  • memory/2592-167-0x000000006FCE0000-0x000000006FD2C000-memory.dmp
    Filesize
    304KB
  • memory/2592-166-0x0000000006390000-0x00000000063C2000-memory.dmp
    Filesize
    200KB
  • memory/2592-164-0x0000000004E20000-0x0000000004E86000-memory.dmp
    Filesize
    408KB
  • memory/2592-163-0x0000000004D80000-0x0000000004DA2000-memory.dmp
    Filesize
    136KB
  • memory/2592-161-0x0000000002830000-0x0000000002866000-memory.dmp
    Filesize
    216KB
  • memory/2592-162-0x0000000004EC0000-0x00000000054E8000-memory.dmp
    Filesize
    6.2MB
  • memory/5016-133-0x0000000005500000-0x0000000005592000-memory.dmp
    Filesize
    584KB
  • memory/5016-132-0x0000000000B10000-0x0000000000BB6000-memory.dmp
    Filesize
    664KB
  • memory/5016-135-0x0000000005DA0000-0x0000000006344000-memory.dmp
    Filesize
    5.6MB
  • memory/5016-136-0x00000000057F0000-0x0000000005856000-memory.dmp
    Filesize
    408KB
  • memory/5016-137-0x0000000005860000-0x00000000058D6000-memory.dmp
    Filesize
    472KB
  • memory/5016-138-0x0000000005760000-0x0000000005782000-memory.dmp
    Filesize
    136KB
  • memory/5016-134-0x00000000055A0000-0x0000000005601000-memory.dmp
    Filesize
    388KB