Analysis

  • max time kernel: 148s
  • max time network: 155s
  • platform: windows7_x64
  • resource: win7-20220812-en
  • resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted: 14/10/2022, 09:12

General

  • Target: 249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe
  • Size: 45KB
  • MD5: 696d9a02e0d1000de2852f753c1644ad
  • SHA1: 1ff9a64bf8c876b1d2029464f33eda72a59cb26e
  • SHA256: 249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3
  • SHA512: 8aded539891fe80d264dc3e478a548deffd63ac873034a80038863b1ae2949cfad13321025db5ca48fc53254e32bb5d724fdb3ccbb536d48b0ed34b32fa6ea1f
  • SSDEEP: 768:Q6MDEOgk6guQrhO23k7/9sppE0iKFz89519yFSUKhJJ16c5QFeJ0WZOY0Ag+ae71:gExDPQ9l3ky88x8vTJJ16mQ60WZOY0AP

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • joker

    Joker is an Android malware that targets billing and SMS fraud.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe
    "C:\Users\Admin\AppData\Local\Temp\249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\SysWOW64\wscriPt.exe
      "C:\Windows\system32\wscriPt.exe" "C:\Program Files (x86)\StormII\StormLib.nqm"
      2⤵
        PID:1620
      • C:\Windows\SysWOW64\wscrIpt.exe
        "C:\Windows\system32\wscrIpt.exe" "C:\Windows\system32\pop2.vbs"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://www.95081.net/2.htm
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1212
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            PID:324

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Program Files (x86)\StormII\StormLib.nqm
      Filesize: 9KB
      MD5: a26d1b1ca0d52edce481f7c40d7c12ba
      SHA1: 2b87ac768b4763726bc65d1d88aecb7417358863
      SHA256: 627649fbe706ae75bf63d00b251fba80f95ff87ae1987eb83085044d9453c855
      SHA512: 877d6e128a70af7f0782f3ec7c1d13fdf0813e421b659681534ed8e94f33f4c71ad27d5e02a1e79754a430eeb6dbb252e7758422518697b70ee4bea91d2e9a88

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize: 60KB
      MD5: d15aaa7c9be910a9898260767e2490e1
      SHA1: 2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388
      SHA256: f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e
      SHA512: 7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize: 1KB
      MD5: a266bb7dcc38a562631361bbf61dd11b
      SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
      SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
      SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize: 304B
      MD5: 10e4d5c0af5ac18a3728eb991ee58cc4
      SHA1: eb525f7f4646c41335c9c3ffdf209a41f9bc29f5
      SHA256: eeb2acb697139327a0fb9466d307f482a14ff39b0115fe7b634efb1d1528c49e
      SHA512: 25f5f8d9040f2286ccafd2966903d68e26709503689671f8d0e870f030b92a9b06fbc03767b6d47ed50430261b605b58a473ab4008b10217095dc5d479818796

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize: 242B
      MD5: 07472caec8de6e42e2a5215bb7195e19
      SHA1: 23d5b4a5b517b3e09b5aef9627c5a5e1361db4cd
      SHA256: 17c13cbb9670b0af5e41c458117b07bedb734c3ce8fd8298cc419c640ff50f6b
      SHA512: 8ba67ff5dace54a49aba2bccf432ad4a857b9f9319b5ee0d5263695322002bc2fcc6986f28acf9f49c7d387fea4fbb561f4a4323dcc452b004da2f0d04d93773

    • C:\Windows\SysWOW64\pop2.vbs
      Filesize: 216B
      MD5: d2855e074948c9f561a6098941b7042b
      SHA1: 88b524946dc5db7ac956647de59dbb5e8735e8ea
      SHA256: 0de0d449ffae418e267c1d03d9f1d349807ce9a026c265f230cc0bc8fe5f08c6
      SHA512: 2c1269b87584d06c8f61cec6014d308dcd98f672c7c6e467c7063f87130fefad045e0c41cbe1e67fc49767038b8bc29aa60e4856e66b9657a83b6e373df008d0

    • memory/1140-54-0x0000000075F51000-0x0000000075F53000-memory.dmp
      Filesize: 8KB