Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/10/2022, 15:19
Static task: static1
Behavioral task: behavioral1
  Sample: 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe
  Resource: win10v2004-20220901-en
General
Target: 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe
Size: 139KB
MD5: a1a8f6c34af3ddeeb23ddbab1b8c9448
SHA1: c6c76a323a744b980976a46a6f6929e975391bb6
SHA256: 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e
SHA512: f2266ee842c2387d66ee5fa7d7aa0378f8de24afbd05fd7015d2de2fb444c3e3c3223f61f1e18d655a9c0459738464b87330bc652a6d919cc2949b56cbd7d726
SSDEEP: 3072:/T+weJQEgCyX/nniZQZLOds8YU1OoJytpk:fI1gC+niZyqds8YI0E
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
ShowSuperHidden = 0 is the "Hide protected operating system files" setting, so files carrying the hidden+system attributes stay out of view in Explorer. Both the original sample and the dropped copy set it.
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | naiyi.exe
Executes dropped EXE (2 IoCs)
pid | Process
2984 | naiyi.exe
1676 | naiyi.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe
Adds Run key to start application (2 TTPs, 29 IoCs)
The dropped copy rewrites the same Run value ("naiyi") once for every single-letter switch /a through /z, and the original sample writes it once with /t; the two "Key created" rows are the Run key being opened for creation by each process. The persisted path is the profile root, C:\Users\Admin\naiyi.exe.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /l" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /x" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /o" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /g" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /c" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /w" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /m" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /u" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /p" | naiyi.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /n" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /z" | naiyi.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /a" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /y" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /r" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /q" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /s" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /k" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /h" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /e" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /d" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /i" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /v" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /j" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /t" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /t" | 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /b" | naiyi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naiyi = "C:\\Users\\Admin\\naiyi.exe /f" | naiyi.exe
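The Run-key churn and the ShowSuperHidden write recorded above are straightforward to pick out of endpoint registry telemetry. The following is an added example, not code from tria.ge or from the sample's author: it runs three checks over constructed Sysmon-style Event ID 13 (registry value set) records built to mirror the IoCs in this report. The Sysmon field names, the OneDrive control entry, and the churn threshold of 5 writes are assumptions for the demonstration.

```python
"""Registry persistence triage over constructed Sysmon-style Event ID 13 records.

Added example, not part of the tria.ge report. The records below are constructed
to mirror the report's IoCs (same SID, value paths and data); the benign OneDrive
entry is an assumed control so a normal Run value can be seen passing the checks.
"""
import re
import string
from collections import defaultdict

SID = "S-1-5-21-929662420-1054238289-2961194603-1000"  # SID from the report
RUN_KEY = f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
ADVANCED = f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe"
DROPPED = r"C:\Users\Admin\naiyi.exe"


def _ev(image, target, details):
    """Build one Sysmon-style RegistryEvent (value set) record."""
    return {"EventID": 13, "Image": image, "TargetObject": target, "Details": details}


# Constructed event stream: two ShowSuperHidden writes, the sample's single /t write,
# the dropped copy's 26 rewrites (/a .. /z), and one assumed benign Run entry.
SAMPLE_EVENTS = (
    [
        _ev(SAMPLE, f"{ADVANCED}\\ShowSuperHidden", "DWORD (0x00000000)"),
        _ev(DROPPED, f"{ADVANCED}\\ShowSuperHidden", "DWORD (0x00000000)"),
        _ev(SAMPLE, f"{RUN_KEY}\\naiyi", f"{DROPPED} /t"),
    ]
    + [_ev(DROPPED, f"{RUN_KEY}\\naiyi", f"{DROPPED} /{c}") for c in string.ascii_lowercase]
    + [
        _ev(
            r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
            f"{RUN_KEY}\\OneDrive",
            r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        )
    ]
)

# A value directly under ...\CurrentVersion\Run (HKU or HKLM).
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
SUPERHIDDEN_RE = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.IGNORECASE)
# An .exe sitting directly in a profile root (C:\Users\<name>\<file>.exe), optionally
# followed by a one-letter switch; installers normally land deeper than this.
PROFILE_ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe"?(\s+/[A-Za-z])?$')


def triage(events, churn_threshold=5):
    """Return {rule: sorted evidence} for the three registry checks.

    superhidden_disabled      - ShowSuperHidden set to 0 (hide protected OS files)
    run_key_profile_root_exe  - Run value launching an .exe from the profile root
    run_key_churn             - one process rewriting the same Run value repeatedly
    """
    hits = defaultdict(set)
    churn = defaultdict(int)  # (image, value path) -> number of writes
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        image, target, details = ev["Image"], ev["TargetObject"], ev["Details"]
        if SUPERHIDDEN_RE.search(target) and details.endswith("(0x00000000)"):
            hits["superhidden_disabled"].add(image)
        elif RUN_VALUE_RE.search(target):
            churn[(image, target)] += 1
            if PROFILE_ROOT_EXE_RE.match(details):
                hits["run_key_profile_root_exe"].add((image, details))
    for (image, target), n in churn.items():
        if n >= churn_threshold:
            hits["run_key_churn"].add((image, target, n))
    return {rule: sorted(v) for rule, v in hits.items()}


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(evidence)} hit(s)")
        for e in evidence[:3]:
            print("   ", e)
```

The churn check is the one that separates this sample from a legitimate installer: a normal program writes its Run value once, while here one process writes the same value 26 times in a single run. The profile-root check deliberately ignores AppData paths, so the assumed OneDrive entry passes.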
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | naiyi.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | naiyi.exe
Drops autorun.inf file (1 TTPs, 1 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\Users\Admin\c\autorun.inf | naiyi.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3972 set thread context of 3884 | 3972 | 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe | 82
PID 2984 set thread context of 1676 | 2984 | naiyi.exe | 84
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
"Likely ransomware behaviour" is the sandbox's generic wording for this signature. Nothing else in this report records file encryption; what the report does record from the same processes is the Disk\Enum reads above and the autorun.inf drop, which fits spreading via attached volumes, as the autorun.inf signature itself notes.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | hits
3884 | 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe | 2
1676 | naiyi.exe | 62
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
3972 | 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe
3884 | 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe
2984 | naiyi.exe
1676 | naiyi.exe
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target | hits
PID 3972 wrote to memory of 3884 | 3972 | 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe | 82 | 9
PID 3884 wrote to memory of 2984 | 3884 | 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe | 83 | 3
PID 2984 wrote to memory of 1676 | 2984 | naiyi.exe | 84 | 9
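The SetThreadContext and WriteProcessMemory tables describe the same chain from two angles: each parent (3972, then 2984) writes repeatedly into a child that runs the parent's own image and then changes that child's thread context, which is the process-hollowing sequence, while the 3884 to 2984 writes are a plain parent launching a different image with no context change. As an added example that is not part of the report, the following correlates a constructed process list and API event stream mirroring the two tables; the sequence numbers, the pid 0 placeholder for the unknown root parent, and the severity labels are assumptions.

```python
"""Correlate WriteProcessMemory/SetThreadContext API events with the process tree.

Added example, not part of the tria.ge report. PROCESSES and API_EVENTS are
constructed to mirror the report's process tree and its two API tables; the
sequence numbers and the ppid 0 root marker are assumptions.
"""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe"
DROPPED = r"C:\Users\Admin\naiyi.exe"

# pid -> parent pid, image, command line (ppid 0 = unknown root, an assumption)
PROCESSES = {
    3972: {"ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    3884: {"ppid": 3972, "image": SAMPLE, "cmdline": "74"},
    2984: {"ppid": 3884, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    1676: {"ppid": 2984, "image": DROPPED, "cmdline": "74"},
}

# (seq, source pid, api, target pid) in report order; counts match the tables.
API_EVENTS = (
    [(i, 3972, "WriteProcessMemory", 3884) for i in range(9)]
    + [(9, 3972, "SetThreadContext", 3884)]
    + [(10 + i, 3884, "WriteProcessMemory", 2984) for i in range(3)]
    + [(13 + i, 2984, "WriteProcessMemory", 1676) for i in range(9)]
    + [(22, 2984, "SetThreadContext", 1676)]
)


def find_hollowing(processes, api_events):
    """Return (severity, src_pid, dst_pid, reason) for each source/target pair.

    high   - source spawned the target, both run the same image, and the source
             wrote into the target before changing its thread context
    medium - source spawned the target and changed its thread context after writing,
             but the images differ
    low    - source only wrote into its own child (what a parent normally does
             while setting up a child; worth listing, not alerting on)
    """
    first_wpm, first_stc, wpm_count = {}, {}, defaultdict(int)
    for seq, src, api, dst in api_events:
        if api == "WriteProcessMemory":
            wpm_count[(src, dst)] += 1
            first_wpm.setdefault((src, dst), seq)
        elif api == "SetThreadContext":
            first_stc.setdefault((src, dst), seq)

    findings = []
    for (src, dst), n in sorted(wpm_count.items()):
        child = processes.get(dst, {})
        is_child = child.get("ppid") == src
        same_image = child.get("image") == processes.get(src, {}).get("image")
        stc = first_stc.get((src, dst))
        wrote_then_set = stc is not None and first_wpm[(src, dst)] < stc
        if is_child and same_image and wrote_then_set:
            findings.append(("high", src, dst, f"self-image child: {n}x WriteProcessMemory then SetThreadContext"))
        elif is_child and wrote_then_set:
            findings.append(("medium", src, dst, f"child of different image: {n}x WriteProcessMemory then SetThreadContext"))
        elif is_child:
            findings.append(("low", src, dst, f"{n}x WriteProcessMemory into own child, no SetThreadContext"))
    return findings


if __name__ == "__main__":
    for sev, src, dst, reason in find_hollowing(PROCESSES, API_EVENTS):
        print(f"[{sev:6}] {src} -> {dst}: {reason}")
```

Run against the constructed data this yields two high findings (3972 into 3884, 2984 into 1676) and one low finding (3884 into 2984), which is exactly the split the two tables above show. The ordering condition matters: a thread-context change that precedes any write is not the hollowing pattern, so the function keeps the first sequence number of each API per pair.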
Processes
1. C:\Users\Admin\AppData\Local\Temp\0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe (PID 3972)
   command line: "C:\Users\Admin\AppData\Local\Temp\0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e.exe (PID 3884, child of 3972)
      command line: 74
      - Modifies visibility of hidden/system files in Explorer
      - Checks computer location settings
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\naiyi.exe (PID 2984, child of 3884)
         command line: "C:\Users\Admin\naiyi.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\naiyi.exe (PID 1676, child of 2984)
            command line: 74
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Maps connected drives based on registry
            - Drops autorun.inf file
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
The downloadable artifact carries the same hashes as the submitted sample, so the dropped naiyi.exe is a byte-for-byte copy of the original executable.
Filesize: 139KB
MD5: a1a8f6c34af3ddeeb23ddbab1b8c9448
SHA1: c6c76a323a744b980976a46a6f6929e975391bb6
SHA256: 0831143154a34f6caec8309f1b8efb02b30ba03c113f372f68fe920cdf85f91e
SHA512: f2266ee842c2387d66ee5fa7d7aa0378f8de24afbd05fd7015d2de2fb444c3e3c3223f61f1e18d655a9c0459738464b87330bc652a6d919cc2949b56cbd7d726