Analysis

  • max time kernel
    64s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2022, 14:35

General

  • Target

    593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe

  • Size

    323KB

  • MD5

    6f6dabe0ac5d705ded06b13d938ab3ec

  • SHA1

    75ecc8f20c9dc3299a6178ba6003c180e05a75b1

  • SHA256

    593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0

  • SHA512

    bc05e82933984c6e520e7bc1a4eb274e9ba0ec36c3a1c02b1c180270b8e0319ad7e574156835d5292fb3e169ebe2099f57001d3f49e44e76722da36bf472a2bc

  • SSDEEP

    6144:lBxeN/Tdx8YzL+4eBDgelLBL9C53TV5n+yNXavM:lBxe9dx8Yz6nhtL9C53TV5n+4av

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 12 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 12 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 10 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 47 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 45 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • System policy modification 1 TTPs 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
    "C:\Users\Admin\AppData\Local\Temp\593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies system executable filetype association
    • Modifies visibility of file extensions in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Sets file execution options in registry
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4772
    • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies system executable filetype association
      • Modifies visibility of file extensions in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Sets file execution options in registry
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2148
      • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4744
      • C:\Windows\SysWOW64\Kantuk.exe
        C:\Windows\system32\Kantuk.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies system executable filetype association
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Sets file execution options in registry
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops autorun.inf file
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1540
      • C:\Windows\SysWOW64\4K51K4.exe
        C:\Windows\system32\4K51K4.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies system executable filetype association
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Sets file execution options in registry
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1320
      • C:\Windows\SysWOW64\K0L4B0R451.exe
        C:\Windows\system32\K0L4B0R451.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies system executable filetype association
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Sets file execution options in registry
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:3588
      • C:\Windows\SysWOW64\GoldenGhost.exe
        C:\Windows\system32\GoldenGhost.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies system executable filetype association
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Sets file execution options in registry
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:3860
    • C:\Windows\SysWOW64\Kantuk.exe
      C:\Windows\system32\Kantuk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2016
    • C:\Windows\SysWOW64\4K51K4.exe
      C:\Windows\system32\4K51K4.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:112
    • C:\Windows\SysWOW64\K0L4B0R451.exe
      C:\Windows\system32\K0L4B0R451.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1160
    • C:\Windows\SysWOW64\GoldenGhost.exe
      C:\Windows\system32\GoldenGhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2640

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Aut0exec.bat

    Filesize

    323KB

    MD5

    753ee19695ec41faaf3efd1dae613599

    SHA1

    7d2721a3972cc76938b09add6bff678f5d508ae9

    SHA256

    d8e45d8f5ffde77db9d4b65f09e7d533e0352af99a930f9a929f2aa050ae71cd

    SHA512

    c78a6088f56c0ecccbb96c62c22f409cd0443fa4b57e35d4b2e8f470196295d392a27ccaeec1dcae8b700c79702e966dbd0a490e3df2503fe0aae4472a2c2a6b

  • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr

    Filesize

    323KB

    MD5

    13f1419ead7e5094d280072f7e9ddbdf

    SHA1

    38c50722ea31b277741d885667051b9600b55814

    SHA256

    a4617da1068e1bc2fee98658bdaecad0d9df44a0af5a03d940f8f48304336503

    SHA512

    2a5c45114eb8d08d7cc29d82ed4c9fbee89e1be244851043afed2aaa0ac036ba21f223b5d7346aa889de121295c6fcae6d746f76df649e751f5e7b994d79903c

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    323KB

    MD5

    13f1419ead7e5094d280072f7e9ddbdf

    SHA1

    38c50722ea31b277741d885667051b9600b55814

    SHA256

    a4617da1068e1bc2fee98658bdaecad0d9df44a0af5a03d940f8f48304336503

    SHA512

    2a5c45114eb8d08d7cc29d82ed4c9fbee89e1be244851043afed2aaa0ac036ba21f223b5d7346aa889de121295c6fcae6d746f76df649e751f5e7b994d79903c

  • C:\Windows\SysWOW64\4K51K4.exe

    Filesize

    323KB

    MD5

    13f1419ead7e5094d280072f7e9ddbdf

    SHA1

    38c50722ea31b277741d885667051b9600b55814

    SHA256

    a4617da1068e1bc2fee98658bdaecad0d9df44a0af5a03d940f8f48304336503

    SHA512

    2a5c45114eb8d08d7cc29d82ed4c9fbee89e1be244851043afed2aaa0ac036ba21f223b5d7346aa889de121295c6fcae6d746f76df649e751f5e7b994d79903c

  • C:\Windows\SysWOW64\4K51K4.exe

    Filesize

    323KB

    MD5

    20a0dc94f72b6491e7f3bcc62ce4d5df

    SHA1

    a5af557c61e7e2994f57060c1debfafe4999b9df

    SHA256

    f7066d89bd624ca64b3e391822dcf1a8fc15a000898ea77917cc39a2eb6415ea

    SHA512

    1c15a05c676711b42ca652e3fb4f1db3c56395e307d0268d2b328a8f121f67864e4c950426f88d721b65b11ab577700a266a2da382a00795b46aea2371eb311f

  • C:\Windows\SysWOW64\GoldenGhost.exe

    Filesize

    323KB

    MD5

    13f1419ead7e5094d280072f7e9ddbdf

    SHA1

    38c50722ea31b277741d885667051b9600b55814

    SHA256

    a4617da1068e1bc2fee98658bdaecad0d9df44a0af5a03d940f8f48304336503

    SHA512

    2a5c45114eb8d08d7cc29d82ed4c9fbee89e1be244851043afed2aaa0ac036ba21f223b5d7346aa889de121295c6fcae6d746f76df649e751f5e7b994d79903c

  • C:\Windows\SysWOW64\GoldenGhost.exe

    Filesize

    323KB

    MD5

    23ad0d64a4d2c9d5da20149efc0eb89a

    SHA1

    208b76893f687cda1761627fa71267a80762842a

    SHA256

    74449f91f35356a9054d83e05b9374a4f2864ab173489d5653470c9d1eb99ce4

    SHA512

    5a95a427d27d18d0753d2c4e00dc0b61c402bfabdddbfa0a4c2cd6e5dad649386fbfe4a0a5524804d666050688c1bc883f20c3e80bc9221712d04797ffa7512f

  • C:\Windows\SysWOW64\K0L4B0R451.exe

    Filesize

    323KB

    MD5

    ec9cccdc9412119375f16d5749562025

    SHA1

    0a10f355e8de1e8d8f50cc575d557df7ff996a6e

    SHA256

    e32d1bc355222ae366cfd8f7f44793e0111177dda75ee4a9dbebee7cc186b50e

    SHA512

    5d652cc38956ef9528d73fa51c4849768649e6d52058933b2c4acce07c413cf97154f716c957aa1542869aace5372ed0e0490f1bc4cd809e42b858fc5b918c4c

  • C:\Windows\SysWOW64\K0L4B0R451.exe

    Filesize

    323KB

    MD5

    587523a657b62a4e0591c849c63c8015

    SHA1

    d170667bc3d7791acc6900031e21f92b207249df

    SHA256

    3530fbace97cd7b043d250c11b8d7ed4abd6b67da675c358d6ca89d6ad7d7c5d

    SHA512

    3343fe9cbd7de4266f8bfae85160237177c73fbd510afefa8c706947298fa275cc4b042f4ebc609a8c406141d1a68499feb0b727257a7896db8b12df99668650

  • C:\Windows\SysWOW64\Kantuk.exe

    Filesize

    323KB

    MD5

    13f1419ead7e5094d280072f7e9ddbdf

    SHA1

    38c50722ea31b277741d885667051b9600b55814

    SHA256

    a4617da1068e1bc2fee98658bdaecad0d9df44a0af5a03d940f8f48304336503

    SHA512

    2a5c45114eb8d08d7cc29d82ed4c9fbee89e1be244851043afed2aaa0ac036ba21f223b5d7346aa889de121295c6fcae6d746f76df649e751f5e7b994d79903c

  • C:\Windows\SysWOW64\Kantuk.exe

    Filesize

    323KB

    MD5

    9008487477b451aa90adc2007350afbf

    SHA1

    e203941d1a9fb048aa7c3e262b4b008ff2edb1d4

    SHA256

    86cea177c7b56c8f23bea656fa10a8bdf4a12c5751193c4e15aeb50700d6ea3b

    SHA512

    f06e91da767fad1ee3d4a02c619fea4739d1b2385c4a3fb39cfb68a6e4ce6c51897e117e484530c1d654d73b9defc559dcd86d9ed0e368851f4c4ddbf5b7501b

  • C:\Windows\SysWOW64\Shell32.com

    Filesize

    323KB

    MD5

    13f1419ead7e5094d280072f7e9ddbdf

    SHA1

    38c50722ea31b277741d885667051b9600b55814

    SHA256

    a4617da1068e1bc2fee98658bdaecad0d9df44a0af5a03d940f8f48304336503

    SHA512

    2a5c45114eb8d08d7cc29d82ed4c9fbee89e1be244851043afed2aaa0ac036ba21f223b5d7346aa889de121295c6fcae6d746f76df649e751f5e7b994d79903c

  • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

    Filesize

    323KB

    MD5

    13f1419ead7e5094d280072f7e9ddbdf

    SHA1

    38c50722ea31b277741d885667051b9600b55814

    SHA256

    a4617da1068e1bc2fee98658bdaecad0d9df44a0af5a03d940f8f48304336503

    SHA512

    2a5c45114eb8d08d7cc29d82ed4c9fbee89e1be244851043afed2aaa0ac036ba21f223b5d7346aa889de121295c6fcae6d746f76df649e751f5e7b994d79903c

  • memory/1320-164-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/1540-157-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/2148-138-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/3588-169-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/3860-175-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/4772-132-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB