Analysis
max time kernel: 148s
max time network: 155s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 14/10/2022, 09:12
Static task: static1
Behavioral task: behavioral1
  Sample: 249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe
  Resource: win10v2004-20220812-en
General
Target: 249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe
Size: 45KB
MD5: 696d9a02e0d1000de2852f753c1644ad
SHA1: 1ff9a64bf8c876b1d2029464f33eda72a59cb26e
SHA256: 249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3
SHA512: 8aded539891fe80d264dc3e478a548deffd63ac873034a80038863b1ae2949cfad13321025db5ca48fc53254e32bb5d724fdb3ccbb536d48b0ed34b32fa6ea1f
SSDEEP: 768:Q6MDEOgk6guQrhO23k7/9sppE0iKFz89519yFSUKhJJ16c5QFeJ0WZOY0Ag+ae71:gExDPQ9l3ky88x8vTJJ16mQ60WZOY0AP
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe
ShowSuperHidden = 0 is the Explorer option that hides protected operating-system files. The report does not show the attributes of the files the sample drops, so read this as a stealth indicator rather than proof that the drops themselves are hidden.

joker
Joker is an Android malware that targets billing and SMS fraud.
This family tag does not fit the rest of the report: the target is a Windows PE executed on windows7_x64 and on the Windows 10 image, and every recorded action is Windows-side (Windows Script Host, Internet Explorer). Treat the "joker" label as a probable rule false positive and classify on the observed behaviour.

Drops file in System32 directory 2 IoCs
description | ioc | process
File created | C:\Windows\SysWOW64\taoY.ico | 249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe
File created | C:\Windows\SysWOW64\pop2.vbs | 249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe
The files land in SysWOW64 rather than System32 because the sample is 32-bit (resource tag arch:x86) and is subject to WOW64 file system redirection; the command lines in the process tree still spell the path as C:\Windows\system32.

Drops file in Program Files directory 1 IoCs
description | ioc | process
File created | C:\Program Files (x86)\StormII\StormLib.nqm | 249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No file-encryption, mass-rename or ransom-note IoCs appear anywhere else in this report, so the generic "likely ransomware" wording should not be read as a verdict for this sample.

Modifies Internet Explorer settings 36 IoCs
All paths below are relative to \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\
description | ioc | process
Key created | LowRegistry | iexplore.exe
Key created | Recovery\AdminActive | iexplore.exe
Key created | Recovery\PendingRecovery | iexplore.exe
Key created | DOMStorage\95081.net | IEXPLORE.EXE
Set value (int) | DOMStorage\95081.net\NumberOfSubdomains = "1" | IEXPLORE.EXE
Key created | GPU | iexplore.exe
Key created | PageSetup | iexplore.exe
Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | IntelliForms | iexplore.exe
Set value (int) | Recovery\AdminActive\{5AAA6D71-4BF6-11ED-BD9E-FAB5137186BE} = "0" | iexplore.exe
Key created | DOMStorage\www.95081.net | IEXPLORE.EXE
Set value (int) | DOMStorage\Total\ = "126" | IEXPLORE.EXE
Key created | IETld\LowMic | iexplore.exe
Key created | Main\WindowsSearch | iexplore.exe
Key created | DOMStorage\Total | IEXPLORE.EXE
Key created | BrowserEmulation\LowMic | iexplore.exe
Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | Toolbar | iexplore.exe
Key created | Toolbar\WebBrowser | iexplore.exe
Key created | Zoom | iexplore.exe
Key created | DOMStorage | IEXPLORE.EXE
Set value (int) | DOMStorage\www.95081.net\ = "126" | IEXPLORE.EXE
Key created | LowRegistry\DOMStorage | iexplore.exe
Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | Main\FullScreen = "no" | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | Main | IEXPLORE.EXE
Set value (int) | DOMStorage\www.95081.net\ = "63" | IEXPLORE.EXE
Set value (int) | DOMStorage\95081.net\Total = "63" | IEXPLORE.EXE
Key created | Main | iexplore.exe
Key created | InternetRegistry | iexplore.exe
Set value (int) | DOMStorage\Total\ = "63" | IEXPLORE.EXE
Set value (int) | DOMStorage\95081.net\Total = "126" | IEXPLORE.EXE
Key created | DomainSuggestion | iexplore.exe
Set value (int) | DomainSuggestion\NextUpdateDate = "371937595" | iexplore.exe
These keys are Internet Explorer's own bookkeeping for the iexplore.exe frame process and the IEXPLORE.EXE tab process that pop2.vbs started; the DOMStorage entries for 95081.net and www.95081.net confirm that http://www.95081.net/2.htm was actually loaded. They are artefacts of the page visit, not settings written by the sample itself.

Modifies registry class 2 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.nqm | 249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.nqm\ = "JSEFile" | 249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe
Binding the invented .nqm extension to the JSEFile ProgID (JScript.Encode) is what lets wscript.exe run StormLib.nqm in the process tree: Windows Script Host selects its engine from the extension's registered class, so an unfamiliar extension slips past extension-based blocking while staying executable.

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | process
324 | IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs
pid | process
1212 | iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
pid | process
1212 | iexplore.exe
1212 | iexplore.exe
324 | IEXPLORE.EXE
324 | IEXPLORE.EXE
324 | IEXPLORE.EXE
324 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs
description | pid | process | procid_target
PID 1140 wrote to memory of 1620 | 1140 | 249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe | 27 (7 entries)
PID 1140 wrote to memory of 2044 | 1140 | 249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe | 28 (7 entries)
PID 2044 wrote to memory of 1212 | 2044 | wscrIpt.exe | 29 (4 entries)
PID 1212 wrote to memory of 324 | 1212 | iexplore.exe | 31 (7 entries)
Every writer/target pair is a parent/child edge of the process tree below, which is consistent with ordinary process creation (the parent writing the child's startup data) rather than injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe"
  PID: 1140
  - Modifies visibility of hidden/system files in Explorer
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\wscriPt.exe
    command line: "C:\Windows\system32\wscriPt.exe" "C:\Program Files (x86)\StormII\StormLib.nqm"
    PID: 1620
  C:\Windows\SysWOW64\wscrIpt.exe
    command line: "C:\Windows\system32\wscrIpt.exe" "C:\Windows\system32\pop2.vbs"
    PID: 2044
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.95081.net/2.htm
      PID: 1212
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:275457 /prefetch:2
        PID: 324
        - Modifies Internet Explorer settings
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx

The two Windows Script Host launches use different mixed-case spellings of wscript.exe (wscriPt.exe and wscrIpt.exe). NTFS and the Win32 loader resolve both to the same binary, so any rule keyed on the image or command-line name must match case-insensitively. Read together with the signatures, the chain is: the sample registers .nqm as JSEFile and drops StormLib.nqm and pop2.vbs; one wscript instance runs the .nqm file, the other runs pop2.vbs, which opens Internet Explorer on http://www.95081.net/2.htm. No network capture is reproduced in this page's Network section, so the content of 2.htm is not recorded here.
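The behaviour chain above (a custom .nqm extension bound to JSEFile, a script dropped into the 32-bit system directory, mixed-case wscript.exe running the .nqm file and the .vbs, and the .vbs opening Internet Explorer on a URL) is the kind of sequence a host detection should catch. The Python below is an added example and is not part of the tria.ge report: it encodes those checks and evaluates them over Sysmon-style events constructed by hand from this report's IoCs. The Event shape, the WSH_EXTS/SCRIPT_PROGIDS lists and every function name are the example's own assumptions.

```python
"""Added example (not from the tria.ge report): host-side detection logic for
the behaviour chain above, run over Sysmon-style events constructed by hand
from the report's IoCs. Event shape, lists and function names are assumed."""
import ntpath
import re
from dataclasses import dataclass

# Identifiers copied from the report.
SID = "S-1-5-21-2292972927-2705560509-2768824231-1000"
SAMPLE = "249ee777601bd3b609bc00d0f1dc6ff50e0d7c17cfd24d580dc650bc9b1a73c3.exe"

# Extensions Windows Script Host normally runs; a script ProgID bound to any
# other extension (.nqm -> JSEFile here) is a custom association.
WSH_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
SCRIPT_PROGIDS = {"jsefile", "jsfile", "vbsfile", "vbefile", "wsffile", "wshfile"}
WSH_IMAGES = {"wscript.exe", "cscript.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Event:
    kind: str           # "process", "registry" or "file"
    pid: int = 0
    ppid: int = 0
    image: str = ""     # image path of the acting process
    cmdline: str = ""   # process events only
    key: str = ""       # registry events: value path in the report's notation
    value: str = ""
    path: str = ""      # file events: created file


def argv(cmdline):
    """Split a Windows command line, keeping quoted paths with spaces whole."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def basename(p):
    """Lower-cased file name: NTFS is case-insensitive, so the report's
    wscriPt.exe and wscrIpt.exe are both wscript.exe."""
    return ntpath.basename(p).lower()


def ext(p):
    return ntpath.splitext(p)[1].lower()


def script_class_hijack(events):
    """Classes\\.<ext> default value set to a script ProgID for a non-WSH extension."""
    hits = []
    for e in events:
        if e.kind != "registry":
            continue
        m = re.search(r"\\Classes\\(\.[^\\]+)\\?$", e.key, re.I)
        if m and e.value.lower() in SCRIPT_PROGIDS and m.group(1).lower() not in WSH_EXTS:
            hits.append((m.group(1), e.value))
    return hits


def wsh_running_odd_extension(events):
    """wscript/cscript started on a file whose extension is not a WSH one."""
    hits = []
    for e in events:
        if e.kind == "process" and basename(e.image) in WSH_IMAGES:
            for arg in argv(e.cmdline)[1:]:
                if not arg.startswith("/") and ext(arg) not in WSH_EXTS:
                    hits.append((e.pid, arg))
    return hits


def super_hidden_disabled(events):
    """Explorer\\Advanced\\ShowSuperHidden = 0: hide protected OS files."""
    return [e.pid for e in events
            if e.kind == "registry" and e.value == "0"
            and e.key.lower().endswith("\\explorer\\advanced\\showsuperhidden")]


def script_dropped_in_system_dir(events):
    """Script file created under System32/SysWOW64 (a 32-bit sample's System32
    writes are redirected to SysWOW64 by WOW64)."""
    return [e.path for e in events if e.kind == "file"
            and e.path.lower().startswith(SYSTEM_DIRS) and ext(e.path) in WSH_EXTS]


def wsh_spawns_browser(events):
    """Script host parent -> Internet Explorer child with a URL argument."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in events:
        parent = procs.get(e.ppid) if e.kind == "process" else None
        if parent and basename(parent.image) in WSH_IMAGES and basename(e.image) == "iexplore.exe":
            urls = [a for a in argv(e.cmdline)[1:] if a.lower().startswith(("http://", "https://"))]
            hits.append((e.ppid, e.pid, urls[0] if urls else ""))
    return hits


def findings(events):
    return {
        "class_hijack": script_class_hijack(events),
        "wsh_odd_ext": wsh_running_odd_extension(events),
        "super_hidden_off": super_hidden_disabled(events),
        "system_dir_script": script_dropped_in_system_dir(events),
        "wsh_to_browser": wsh_spawns_browser(events),
    }


# Constructed events mirroring the report's IoCs and process tree (not real telemetry).
HKU_SW = f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft"
EVENTS = [
    Event("registry", pid=1140, image=SAMPLE,
          key=HKU_SW + "\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", value="0"),
    Event("registry", pid=1140, image=SAMPLE,
          key="\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.nqm\\", value="JSEFile"),
    Event("file", pid=1140, image=SAMPLE, path="C:\\Windows\\SysWOW64\\taoY.ico"),
    Event("file", pid=1140, image=SAMPLE, path="C:\\Windows\\SysWOW64\\pop2.vbs"),
    Event("file", pid=1140, image=SAMPLE, path="C:\\Program Files (x86)\\StormII\\StormLib.nqm"),
    Event("process", pid=1620, ppid=1140, image="C:\\Windows\\SysWOW64\\wscriPt.exe",
          cmdline='"C:\\Windows\\system32\\wscriPt.exe" "C:\\Program Files (x86)\\StormII\\StormLib.nqm"'),
    Event("process", pid=2044, ppid=1140, image="C:\\Windows\\SysWOW64\\wscrIpt.exe",
          cmdline='"C:\\Windows\\system32\\wscrIpt.exe" "C:\\Windows\\system32\\pop2.vbs"'),
    Event("process", pid=1212, ppid=2044, image="C:\\Program Files\\Internet Explorer\\iexplore.exe",
          cmdline='"C:\\Program Files\\Internet Explorer\\iexplore.exe" http://www.95081.net/2.htm'),
    Event("process", pid=324, ppid=1212, image="C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE",
          cmdline='"C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE" SCODEF:1212 CREDAT:275457 /prefetch:2'),
]

if __name__ == "__main__":
    for name, hits in findings(EVENTS).items():
        print(f"{name}: {hits}")
```

Each check returns the matching identifiers so the results can be correlated by PID; the pop2.vbs launch deliberately produces no hit in wsh_running_odd_extension (its extension is a normal WSH one) while the .nqm launch does, and the IEXPLORE.EXE tab process is excluded from wsh_spawns_browser because its parent is iexplore.exe, not a script host.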
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 9KB
MD5: a26d1b1ca0d52edce481f7c40d7c12ba
SHA1: 2b87ac768b4763726bc65d1d88aecb7417358863
SHA256: 627649fbe706ae75bf63d00b251fba80f95ff87ae1987eb83085044d9453c855
SHA512: 877d6e128a70af7f0782f3ec7c1d13fdf0813e421b659681534ed8e94f33f4c71ad27d5e02a1e79754a430eeb6dbb252e7758422518697b70ee4bea91d2e9a88

Filesize: 60KB
MD5: d15aaa7c9be910a9898260767e2490e1
SHA1: 2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388
SHA256: f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e
SHA512: 7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Filesize: 1KB
MD5: a266bb7dcc38a562631361bbf61dd11b
SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 304B
MD5: 10e4d5c0af5ac18a3728eb991ee58cc4
SHA1: eb525f7f4646c41335c9c3ffdf209a41f9bc29f5
SHA256: eeb2acb697139327a0fb9466d307f482a14ff39b0115fe7b634efb1d1528c49e
SHA512: 25f5f8d9040f2286ccafd2966903d68e26709503689671f8d0e870f030b92a9b06fbc03767b6d47ed50430261b605b58a473ab4008b10217095dc5d479818796

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 242B
MD5: 07472caec8de6e42e2a5215bb7195e19
SHA1: 23d5b4a5b517b3e09b5aef9627c5a5e1361db4cd
SHA256: 17c13cbb9670b0af5e41c458117b07bedb734c3ce8fd8298cc419c640ff50f6b
SHA512: 8ba67ff5dace54a49aba2bccf432ad4a857b9f9319b5ee0d5263695322002bc2fcc6986f28acf9f49c7d387fea4fbb561f4a4323dcc452b004da2f0d04d93773

Filesize: 216B
MD5: d2855e074948c9f561a6098941b7042b
SHA1: 88b524946dc5db7ac956647de59dbb5e8735e8ea
SHA256: 0de0d449ffae418e267c1d03d9f1d349807ce9a026c265f230cc0bc8fe5f08c6
SHA512: 2c1269b87584d06c8f61cec6014d308dcd98f672c7c6e467c7063f87130fefad045e0c41cbe1e67fc49767038b8bc29aa60e4856e66b9657a83b6e373df008d0

The two CryptnetUrlCache\MetaData entries are CryptoAPI's own URL cache for certificate chain and revocation lookups, written during the browser session; they are artefacts of the page visit, not files dropped by the sample. The entries without a recorded path are listed by hash only.