Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/10/2022, 04:09
Behavioral task: behavioral1
- Sample: 76b17a0ee47091052bbe9ba3a0ec780c54c927b7f7c6dc5995d3631e7b973afd.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 76b17a0ee47091052bbe9ba3a0ec780c54c927b7f7c6dc5995d3631e7b973afd.exe
- Resource: win10v2004-20220901-en
General
- Target: 76b17a0ee47091052bbe9ba3a0ec780c54c927b7f7c6dc5995d3631e7b973afd.exe
- Size: 267KB
- MD5: 4a403aedeb9ca02f9f7aba6923161e60
- SHA1: cf2a4032ed5e7c141467b8b6c8b915de75309633
- SHA256: 76b17a0ee47091052bbe9ba3a0ec780c54c927b7f7c6dc5995d3631e7b973afd
- SHA512: 3706b48ed7bd58402ded18e55b64a81404831e538e55b943cc31b30d5a50e57ba9e4f09af571668bf88efada49b3e07f79a6376adfb4dc43a8035f66e1cbdce2
- SSDEEP: 6144:XbfO3SlNyTkyhlx0kRujRYO4VYAtHJ3DFLjxIE++/gAxcbibMoS2:LfIST8kk0kMlCPTvXxKXoS2
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe:*:Enabled:Windows Messanger" | reg.exe
-
Executes dropped EXE 3 IoCs
pid | Process
1924 | winlogon.exe
3572 | winlogon.exe
2884 | winlogon.exe
-
upx
resource | yara_rule
behavioral2/memory/5020-134-0x0000000000400000-0x000000000057E000-memory.dmp | upx
behavioral2/files/0x0003000000022e30-139.dat | upx
behavioral2/files/0x0003000000022e30-140.dat | upx
behavioral2/memory/5020-141-0x0000000000400000-0x000000000057E000-memory.dmp | upx
behavioral2/memory/3572-145-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral2/files/0x0003000000022e30-146.dat | upx
behavioral2/memory/3572-148-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral2/memory/3572-149-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral2/memory/1924-153-0x0000000000400000-0x000000000057E000-memory.dmp | upx
behavioral2/memory/2884-154-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral2/memory/3572-155-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral2/files/0x0003000000022e30-157.dat | upx
behavioral2/memory/1924-163-0x0000000000400000-0x000000000057E000-memory.dmp | upx
behavioral2/memory/2884-161-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral2/memory/2884-159-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral2/memory/2884-172-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral2/memory/3572-173-0x0000000000400000-0x000000000045D000-memory.dmp | upx
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 76b17a0ee47091052bbe9ba3a0ec780c54c927b7f7c6dc5995d3631e7b973afd.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" | reg.exe
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1924 set thread context of 3572 | 1924 | winlogon.exe | 88
PID 1924 set thread context of 2884 | 1924 | winlogon.exe | 89
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 4 IoCs
pid | Process
4560 | reg.exe
2420 | reg.exe
4816 | reg.exe
692 | reg.exe
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
description | pid | Process
Token: 1 | 3572 | winlogon.exe
Token: SeCreateTokenPrivilege | 3572 | winlogon.exe
Token: SeAssignPrimaryTokenPrivilege | 3572 | winlogon.exe
Token: SeLockMemoryPrivilege | 3572 | winlogon.exe
Token: SeIncreaseQuotaPrivilege | 3572 | winlogon.exe
Token: SeMachineAccountPrivilege | 3572 | winlogon.exe
Token: SeTcbPrivilege | 3572 | winlogon.exe
Token: SeSecurityPrivilege | 3572 | winlogon.exe
Token: SeTakeOwnershipPrivilege | 3572 | winlogon.exe
Token: SeLoadDriverPrivilege | 3572 | winlogon.exe
Token: SeSystemProfilePrivilege | 3572 | winlogon.exe
Token: SeSystemtimePrivilege | 3572 | winlogon.exe
Token: SeProfSingleProcessPrivilege | 3572 | winlogon.exe
Token: SeIncBasePriorityPrivilege | 3572 | winlogon.exe
Token: SeCreatePagefilePrivilege | 3572 | winlogon.exe
Token: SeCreatePermanentPrivilege | 3572 | winlogon.exe
Token: SeBackupPrivilege | 3572 | winlogon.exe
Token: SeRestorePrivilege | 3572 | winlogon.exe
Token: SeShutdownPrivilege | 3572 | winlogon.exe
Token: SeDebugPrivilege | 3572 | winlogon.exe
Token: SeAuditPrivilege | 3572 | winlogon.exe
Token: SeSystemEnvironmentPrivilege | 3572 | winlogon.exe
Token: SeChangeNotifyPrivilege | 3572 | winlogon.exe
Token: SeRemoteShutdownPrivilege | 3572 | winlogon.exe
Token: SeUndockPrivilege | 3572 | winlogon.exe
Token: SeSyncAgentPrivilege | 3572 | winlogon.exe
Token: SeEnableDelegationPrivilege | 3572 | winlogon.exe
Token: SeManageVolumePrivilege | 3572 | winlogon.exe
Token: SeImpersonatePrivilege | 3572 | winlogon.exe
Token: SeCreateGlobalPrivilege | 3572 | winlogon.exe
Token: 31 | 3572 | winlogon.exe
Token: 32 | 3572 | winlogon.exe
Token: 33 | 3572 | winlogon.exe
Token: 34 | 3572 | winlogon.exe
Token: 35 | 3572 | winlogon.exe
Token: SeDebugPrivilege | 2884 | winlogon.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
5020 | 76b17a0ee47091052bbe9ba3a0ec780c54c927b7f7c6dc5995d3631e7b973afd.exe
1924 | winlogon.exe
3572 | winlogon.exe
3572 | winlogon.exe
2884 | winlogon.exe
3572 | winlogon.exe
-
Suspicious use of WriteProcessMemory 49 IoCs
description | pid | Process | procid_target | entries
PID 5020 wrote to memory of 4940 | 5020 | 76b17a0ee47091052bbe9ba3a0ec780c54c927b7f7c6dc5995d3631e7b973afd.exe | 83 | 3
PID 4940 wrote to memory of 2240 | 4940 | cmd.exe | 86 | 3
PID 5020 wrote to memory of 1924 | 5020 | 76b17a0ee47091052bbe9ba3a0ec780c54c927b7f7c6dc5995d3631e7b973afd.exe | 87 | 3
PID 1924 wrote to memory of 3572 | 1924 | winlogon.exe | 88 | 8
PID 1924 wrote to memory of 2884 | 1924 | winlogon.exe | 89 | 8
PID 3572 wrote to memory of 4636 | 3572 | winlogon.exe | 90 | 3
PID 3572 wrote to memory of 5096 | 3572 | winlogon.exe | 91 | 3
PID 3572 wrote to memory of 4512 | 3572 | winlogon.exe | 92 | 3
PID 3572 wrote to memory of 3088 | 3572 | winlogon.exe | 96 | 3
PID 4636 wrote to memory of 4560 | 4636 | cmd.exe | 98 | 3
PID 4512 wrote to memory of 4816 | 4512 | cmd.exe | 100 | 3
PID 3088 wrote to memory of 2420 | 3088 | cmd.exe | 99 | 3
PID 5096 wrote to memory of 692 | 5096 | cmd.exe | 101 | 3
(Identical rows are collapsed; the "entries" column gives how many times each row appears in the 49 IoCs.)
Processes
-
C:\Users\Admin\AppData\Local\Temp\76b17a0ee47091052bbe9ba3a0ec780c54c927b7f7c6dc5995d3631e7b973afd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\76b17a0ee47091052bbe9ba3a0ec780c54c927b7f7c6dc5995d3631e7b973afd.exe"
  PID: 5020
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MHVQy.bat" "
    PID: 4940
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe" /f
      PID: 2240
      - Adds Run key to start application
  C:\Users\Admin\AppData\Roaming\winlogon.exe
    Command line: "C:\Users\Admin\AppData\Roaming\winlogon.exe"
    PID: 1924
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\winlogon.exe
      Command line: winlogon.exe
      PID: 3572
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 4636
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID: 4560
          - Modifies firewall policy service
          - Modifies registry key
      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
        PID: 5096
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
          PID: 692
          - Modifies firewall policy service
          - Modifies registry key
      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 4512
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID: 4816
          - Modifies firewall policy service
          - Modifies registry key
      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f
        PID: 3088
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f
          PID: 2420
          - Modifies firewall policy service
          - Modifies registry key
    C:\Users\Admin\AppData\Roaming\winlogon.exe
      Command line: C:\Users\Admin\AppData\Roaming\winlogon.exe
      PID: 2884
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
(Indentation shows the parent/child relationship between processes.)
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 138B
MD5: 4da6717f2c70f4bd32ad33a227a2ff47
SHA1: 3d7f7159e1f695bd469287d1ad4ffa0841b407a8
SHA256: a12bb2e5d2fb0b3c400ce311fae72995a00b57a97d23e4b9effec47cff189d07
SHA512: 6765314054ad9bf2164058248f3d3a17775176925abbe4376aec030dca3a5e59be8b9e96139941fec2b2e1a9bff38f87abdb29ea09a299d8ab7e23ecec4083df
-
Filesize: 267KB
MD5: 109020c53570bf56b0c032b9daf26ff9
SHA1: 0cd525d4f4b6c8686871a300cc90ff7086d9d5f2
SHA256: 5e5f82e0ecd437008cf56f002a008786066b15996e4646efc916488d7ca766c1
SHA512: 5c4f4038fb4d34fbd7a73e0253d395abcab7bd0f53701ba5b7363b6f1e354e9b14d42e0ed606fd23330928f9ee0905b42b04c31208d6172340f02da38b119b21