Analysis

max time kernel:  142s
max time network: 181s
platform:         windows10-2004_x64
resource:         win10v2004-20220812-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted:        11/10/2022, 17:02

Behavioral task behavioral1
  Sample:   a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe
  Resource: win7-20220812-en

Behavioral task behavioral2
  Sample:   a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe
  Resource: win10v2004-20220812-en

General

Target: a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe
Size:   658KB
MD5:    607d83d7d7d4ce8338ff2f55051bb8e9
SHA1:   625e5605674cb295a228b8f0356cef1e60319dab
SHA256: a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515
SHA512: cfe1b5f3d90f76b8d9d33cd525598534c9c9544ee1461094a801f1fe724ddad23bd4b9ba3b8ebf476eb5409ab7fefd85d9f5ad5702fb04b4d6e224b03a278fdb
SSDEEP: 6144:ivZ2iKiZ/QAKVfiROzkViZwc0W/1vNuMqTp/CelAaWjSZ/nWnKCXreOC0:q7wVfiRuqPW/dgMqIHdjSFWnKCXo
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description      ioc                                                                                                   Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe RVHOST.exe"  a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe

Disables RegEdit via registry modification (1 IoC)
  description      ioc                                                                                                                          Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe

Disables Task Manager via registry modification

  resource                                                                      yara_rule
  behavioral2/memory/1080-132-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
  behavioral2/memory/1080-137-0x0000000000400000-0x00000000004B8000-memory.dmp  upx

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                      Process
  Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run                  a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\RVHOST.exe"  a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe

Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process:     a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe
  ioc:         \??\m:, \??\o:, \??\q:, \??\u:, \??\w:, \??\z:, \??\j:, \??\b:, \??\i:, \??\l:, \??\r:, \??\x:, \??\a:, \??\g:, \??\h:, \??\n:, \??\v:, \??\f:, \??\k:, \??\p:, \??\s:, \??\t:, \??\y:, \??\e:

Drops file in System32 directory (4 IoCs)
  description                   ioc                                 Process
  File created                  C:\Windows\SysWOW64\RVHOST.exe      a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe
  File opened for modification  C:\Windows\SysWOW64\RVHOST.exe      a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe
  File created                  C:\Windows\SysWOW64\setting.ini     a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe
  File opened for modification  C:\Windows\SysWOW64\setting.ini     a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe

Drops file in Windows directory (2 IoCs)
  description                   ioc                      Process
  File created                  C:\Windows\RVHOST.exe    a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe
  File opened for modification  C:\Windows\RVHOST.exe    a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies system certificate store
  description       ioc                                                                                                                    Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349        a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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  a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1080  a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe
  1080  a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                          pid   Process                                                                  procid_target
  PID 1080 wrote to memory of 3924     1080  a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe    82
  PID 1080 wrote to memory of 3924     1080  a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe    82
  PID 1080 wrote to memory of 3924     1080  a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe    82
  PID 3924 wrote to memory of 1160     3924  cmd.exe                                                                  84
  PID 3924 wrote to memory of 1160     3924  cmd.exe                                                                  84
  PID 3924 wrote to memory of 1160     3924  cmd.exe                                                                  84
  PID 1080 wrote to memory of 4156     1080  a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe    85
  PID 1080 wrote to memory of 4156     1080  a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe    85
  PID 1080 wrote to memory of 4156     1080  a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe    85
  PID 4156 wrote to memory of 3436     4156  cmd.exe                                                                  87
  PID 4156 wrote to memory of 3436     4156  cmd.exe                                                                  87
  PID 4156 wrote to memory of 3436     4156  cmd.exe                                                                  87
Processes

C:\Users\Admin\AppData\Local\Temp\a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3f956d7eae1ee9c013886dc239d36736f58a9389b8cde3758b07b5533120515.exe"
  PID: 1080
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
    PID: 3924
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\at.exe
      Command line: AT /delete /yes
      PID: 1160

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
    PID: 4156
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\at.exe
      Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
      PID: 3436