Analysis
-
max time kernel
151s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
21/10/2022, 01:33
Static task
static1
Behavioral task
behavioral1
Sample
c42d8de1b800b29d2cc92d6e2fb06885487dd59a6a96f10a64a1c94fe7749dd7.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c42d8de1b800b29d2cc92d6e2fb06885487dd59a6a96f10a64a1c94fe7749dd7.exe
Resource
win10v2004-20220812-en
General
-
Target
c42d8de1b800b29d2cc92d6e2fb06885487dd59a6a96f10a64a1c94fe7749dd7.exe
-
Size
104KB
-
MD5
579205770c7c333dc43ea71889fb5378
-
SHA1
8e3363e82f88cb394568f52c9353427b9c440660
-
SHA256
c42d8de1b800b29d2cc92d6e2fb06885487dd59a6a96f10a64a1c94fe7749dd7
-
SHA512
68bc8f13633ff663787ef659b82b960d36eafffbe82095f07bd8daef01fccc7748a9328c8de8073c0748df858c235fcb50cb1cb0a8799611958399b73054e1f1
-
SSDEEP
1536:3n5ifEQHScK4msKerjwJ8AOsNNk2HJQNsM03i6EY5:35ifEQqRsKFvHKN/E5
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | c42d8de1b800b29d2cc92d6e2fb06885487dd59a6a96f10a64a1c94fe7749dd7.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | yiobii.exe
(ShowSuperHidden = 0 turns off the "show protected operating system files" Explorer option, so files carrying the hidden+system attributes stay invisible to the user.) -
Executes dropped EXE 1 IoCs
pid | Process
1292 | yiobii.exe -
Loads dropped DLL 2 IoCs
pid | Process
896 | c42d8de1b800b29d2cc92d6e2fb06885487dd59a6a96f10a64a1c94fe7749dd7.exe
896 | c42d8de1b800b29d2cc92d6e2fb06885487dd59a6a96f10a64a1c94fe7749dd7.exe -
Adds Run key to start application 2 TTPs 29 IoCs
description | ioc | Process
(every entry below is under \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\; only the tail of the path is shown)
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /m" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /h" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /r" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /p" | yiobii.exe
Key created | Run\ | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /j" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /g" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /w" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /q" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /b" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /v" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /d" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /u" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /z" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /i" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /f" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /a" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /n" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /o" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /e" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /c" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /s" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /y" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /x" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /l" | yiobii.exe
Key created | Run\ | c42d8de1b800b29d2cc92d6e2fb06885487dd59a6a96f10a64a1c94fe7749dd7.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /h" | c42d8de1b800b29d2cc92d6e2fb06885487dd59a6a96f10a64a1c94fe7749dd7.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /t" | yiobii.exe
Set value (str) | Run\yiobii = "C:\\Users\\Admin\\yiobii.exe /k" | yiobii.exe
(Reading the 29 IoCs together: the submitted sample creates the Run key and writes the value once with "/h"; the dropped yiobii.exe then rewrites the same single value name 26 times, once for each letter a-z as the switch. The value name "yiobii" and the target C:\Users\Admin\yiobii.exe never change, so the persistence is one Run entry that is continually overwritten, not 29 separate entries.) -
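The two registry signatures above (ShowSuperHidden forced to 0, and a user-profile Run value rewritten with a cycling switch) are the kind of thing a detection engineer would want to express as logic rather than as a list of strings. The following is an added example, not part of the tria.ge report and not the sample's code: it replays the report's registry writes as a constructed event list (process, registry path, data) and flags the three behaviours. The event tuple format, the `churn_threshold` of 5, and the "one Run value, many distinct data values" heuristic are assumptions of this example; real telemetry (Sysmon event 13, EDR registry events) carries more fields and would need a small adapter.

```python
"""Triage registry IoCs from the sandbox run (added example, not report code).

Events are (process, registry_path, data) triples constructed from the
report's "Set value" entries. Field layout is an assumption of this example.
"""
import re
from collections import defaultdict

SID = "S-1-5-21-2292972927-2705560509-2768824231-1000"  # from the report
SAMPLE = "c42d8de1b800b29d2cc92d6e2fb06885487dd59a6a96f10a64a1c94fe7749dd7.exe"
RUN_VALUE = rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\yiobii"
SUPERHIDDEN = rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"

# Constructed event stream mirroring the report: both processes zero
# ShowSuperHidden, the sample writes the Run value once with /h, and
# yiobii.exe rewrites it with every letter a-z as the switch.
EVENTS = [
    (SAMPLE, SUPERHIDDEN, "0"),
    ("yiobii.exe", SUPERHIDDEN, "0"),
    (SAMPLE, RUN_VALUE, r"C:\Users\Admin\yiobii.exe /h"),
] + [("yiobii.exe", RUN_VALUE, rf"C:\Users\Admin\yiobii.exe /{c}")
     for c in "abcdefghijklmnopqrstuvwxyz"]

# Matches any HKCU/HKLM ...\CurrentVersion\Run\<value name> path.
RUN_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
# A launch target living under a user profile (user-writable, no admin needed).
USER_PATH_RE = re.compile(r'^"?[A-Za-z]:\\Users\\[^\\]+\\', re.I)


def launch_target(data):
    """Strip quotes and the trailing ' /x' style switch from a Run value."""
    return data.strip('"').split(" /", 1)[0]


def triage(events, churn_threshold=5):
    """Return (finding, process, detail) tuples for a registry event stream.

    Findings:
      hides_super_hidden_files  - ShowSuperHidden written as 0
      run_key_to_user_profile   - Run value whose target is under C:\\Users\\...
      run_value_churn           - one Run value rewritten with >= threshold
                                  distinct data values by the same process
    """
    findings = []
    superhidden_off = set()
    run_writes = defaultdict(set)  # (process, value name) -> distinct data seen

    for proc, path, data in events:
        if path.lower().endswith(r"\explorer\advanced\showsuperhidden") and data == "0":
            superhidden_off.add(proc)
        m = RUN_RE.search(path)
        if m:
            run_writes[(proc, m.group("name"))].add(data)

    for proc in sorted(superhidden_off):
        findings.append(("hides_super_hidden_files", proc, "ShowSuperHidden = 0"))

    for (proc, name), values in sorted(run_writes.items()):
        targets = sorted({launch_target(v) for v in values})
        if any(USER_PATH_RE.match(t) for t in targets):
            findings.append(("run_key_to_user_profile", proc, f"{name} -> {targets}"))
        if len(values) >= churn_threshold:
            findings.append(("run_value_churn", proc,
                             f"{name} rewritten with {len(values)} distinct values"))
    return findings


if __name__ == "__main__":
    for kind, proc, detail in triage(EVENTS):
        print(f"{kind:26} {proc:20} {detail}")
```

The churn rule is what separates this sample from a legitimate installer: a normal program writes its Run value once, so a single value name receiving dozens of distinct data strings from one process within a run is a strong signal even before the target path is inspected. Tune `churn_threshold` against your own telemetry; the default here is an assumption.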
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This sentence is the signature's generic description, not a verdict on this sample: nothing else in this report, such as mass file writes or renames, shows encryption actually taking place.)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
896 | c42d8de1b800b29d2cc92d6e2fb06885487dd59a6a96f10a64a1c94fe7749dd7.exe (1 hit)
1292 | yiobii.exe (63 hits, identical rows collapsed) -
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
896 | c42d8de1b800b29d2cc92d6e2fb06885487dd59a6a96f10a64a1c94fe7749dd7.exe
1292 | yiobii.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 896 wrote to memory of 1292 | 896 | c42d8de1b800b29d2cc92d6e2fb06885487dd59a6a96f10a64a1c94fe7749dd7.exe | 27
(the same row is recorded 4 times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\c42d8de1b800b29d2cc92d6e2fb06885487dd59a6a96f10a64a1c94fe7749dd7.exe (PID 896)
command line: "C:\Users\Admin\AppData\Local\Temp\c42d8de1b800b29d2cc92d6e2fb06885487dd59a6a96f10a64a1c94fe7749dd7.exe"
- Modifies visibility of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\yiobii.exe (PID 1292, child of 896)
    command line: "C:\Users\Admin\yiobii.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
(the report lists this file four times with identical hashes; collapsed to one entry)
Filesize 104KB
MD5 c8b5a7af8fa9e5274245cdba548973a7
SHA1 d1a07213df0703070ff7e8be10f5ee3bbb215e31
SHA256 291d61c08ddae87e18ffedbc5d09cdef1182041f5ee4960d7e8b5704e3698232
SHA512 cd0c7417ede3a7646f0ea13fd57c841c8175152b83c279e6f141823db9e1e0979f9998fd04878edd357efe57e0cddd68ecc9c6743559b9c2a9c470653db2830e
Note: this file is the same size as the submitted sample (104KB) but every hash differs, so whatever was written to disk is not a byte-for-byte copy of the sample; pivot on both SHA256 values, not just the submitted one.