Analysis

max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 27/10/2022, 20:12

Static task: static1
Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20220901-en
General

Target: tmp.exe
Size: 274KB
MD5: 3745a1fe4166a96e06729c67fd1469c7
SHA1: 0bef21b140c023b1158ba5d90f74fb761f1c573b
SHA256: e4a8d78909b8d84fcb3d01b91ddeab26615148da704621a3635ac869c9d5dcaf
SHA512: 0f8800a60cc66a64b9c14421c60b96c416e73612542f64b1a96758514b6f45552c68ae5a4f64ea7eee37298bf9cc3cf1da1ec0dbcc332ff4942b137f416654cc
SSDEEP: 6144:PweEU2uCgUVrQSDux93/mMvthm7pp7jsSLWVaKsTdDfYJfTd:z2uCg69Dux9Pmehm7pp/sSaVMZYJfTd
Malware Config

Extracted
Family: formbook
Campaign: axe3
nV63ydJMXMf7memspIpnnVLl3Q==
uJ50rs5Y/80AqT79guHh
FcsTFQ1xekTgcal8G0P2ZTQ=
uLWWVJP++ID3dkoB8g==
YyoybGF5Fsa/UH8=
Tk4htwkBBfM5ZA==
QgJ8vN9f+uCdsD79guHh
wmjC9UuSBGyTrY5PAX9t1A==
Sw7JEwOKl576ndxw/A==
BOqs09Ikjej1BN98ZYtVfSi5xQ==
YA5cbH3/4wVAYg==
fRWIvatAXM3+t0X9guHh
FAbZXq/jFuaEq2YCwQh3b2oE
STL+RDTA652/tD/9guHh
zgLNcuX32aFB
WmgwW1UCJ/9Nc0ofkIhVyQ==
jiWgy9ckGh8G+3Q7Rl//NW9ZU7TU
JCoawiBkwAkeJOehkNXRCYnj3A==
WQDFZvang91P
zGrJ4CA2pAhR
QPRTjvEmeNHJHLw4
hEsOq/9JLoNbN7xMFR/pVZbo3A==
v8ye4m6wAfCjtD/9guHh
BBLwmMMaoKz+DbU6
sjgLlNkZ9mir2p0w
RA94vAgqczVm8w+fAX9t1A==
Jc7S9gc/CMtY
d3Q3djg/CMtY
VhqBnq4x3sYMs0L9guHh
n/v36+MW2b27KCv99g==
Vi71NEakLqvP3MqenbNiUC4Ag77W
q2PO39wujdOnAuxj/A==
ZR3lmukghPyiLio14Qr3UzQ=
Zl6HrWMq4wVAYg==
cSLhluP/Ofkn0vf86RH8
9eSoKHzSznZ2E2I=
VS76OTqEeTTUTf3yG0P2ZTQ=
SvRzutQ0LP2xOD65OIlNvcGjf7wR95Ls
k35uD09p0eN9KnU=
lFirx9M0pQpUg0jpvjMpH5S0UrTP
ajKdwrz9WE/8A1dLTCw=
CaL/NoESHca/R3Y0GCQ=
Sghzwgx+c9nHatnaLXxVyQ==
UwF0yGa7uiI=
fjKKobYsUVNpBGc=
OScsLPAH3p9A
kVEWzgFRqnZTJ5QB4w==
wpZxCWOk7NaBlkkWI2dWfSi5xQ==
ijqu3+QWAg603ptOFAq1qfMEc1sXIr/5
zZ4ewkBx7qdG
qI9yt8kQwDhe/2/igMWe3CgL
ANUmYpsVtpbSTJViQ3TjXDY=
nzb3pvZA80MQWk3SbYjyUi8=
HAbPWI0YyvXqYJgf4EEpi3xdT6B13J7x
olY01h1WKvkhBy/y7Q==
dGJK/EiDz5UuvM1W9Q==
em4mQ1fciHK2cC3u/EdFfSi5xQ==
pxC52NcfWmjL+qUw
j3o1VEaAW6jAS1tkRjs=
UAK5/hRmtnmXLXQbf+3sTCs=
v2yzvsMvthMyTA7Gq50ZfSi5xQ==
ehryofUgZVKUMZtJ2vCggmkD
B7kHDAhZxHzJHLw4
nYxx+02TYE35jH5JXYU0fLuPYDw=
succes-digitalmlm.com
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  1748  psyfho.exe
  588   psyfho.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation  psyfho.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  1536  tmp.exe
  1536  tmp.exe
  1748  psyfho.exe
  1112  wininit.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process      procid_target
  PID 1748 set thread context of 588   1748  psyfho.exe   28
  PID 588 set thread context of 1220   588   psyfho.exe   7
  PID 1112 set thread context of 1220  1112  wininit.exe  7

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings (1 IoCs)
  description  ioc                                                                                                                    Process
  Key created  \Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  wininit.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid   Process
  588   psyfho.exe   (4 entries)
  1112  wininit.exe  (22 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  1220  Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
  pid   Process
  1748  psyfho.exe   (1 entry)
  588   psyfho.exe   (3 entries)
  1112  wininit.exe  (4 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  588   psyfho.exe
  Token: SeDebugPrivilege  1112  wininit.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1220  Explorer.EXE  (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   Process
  1220  Explorer.EXE  (2 entries)

Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid   Process       procid_target
  PID 1536 wrote to memory of 1748   1536  tmp.exe       26   (4 entries)
  PID 1748 wrote to memory of 588    1748  psyfho.exe    28   (5 entries)
  PID 1220 wrote to memory of 1112   1220  Explorer.EXE  29   (4 entries)
  PID 1112 wrote to memory of 1828   1112  wininit.exe   32   (5 entries)
Processes

C:\Windows\Explorer.EXE (PID 1220)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 1536)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\psyfho.exe (PID 1748)
      Command line: "C:\Users\Admin\AppData\Local\Temp\psyfho.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\psyfho.exe (PID 588)
        Command line: "C:\Users\Admin\AppData\Local\Temp\psyfho.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wininit.exe (PID 1112)
    Command line: "C:\Windows\SysWOW64\wininit.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1828)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 185KB
MD5: ea21e5d81767a314ccb0ba7becaf765f
SHA1: 0630995a565e43c9c0b00e1a6365ee08e9c93019
SHA256: 5e41e235f96c3bc784d1d5959752e8f5184366c7c265de1bc76279ad2d2e96c4
SHA512: 4e308c7812813e6a1aefe7a1e64ca495be0f38824989bc07796375487000ace87c71130bf40fd372a06e22c0a1e14d511bec0f1e46119445cc7385e5ffae2f99

Filesize: 5KB
MD5: 8cdd489fb795ba76d37af601d3e1bc5c
SHA1: 0db9fa2de0de0d468d26636ab21e4f6e1ba6457d
SHA256: 91462d813f240b66b586ce6bca0ae1a3d7acb6f4e8a9c787b3b76f5afdf8e72c
SHA512: c18686766a4c1fbdf5d5ac92069832de0b540d046d695d59b6df0b2fd917885f737a0572443e224206780d3d5c9accf7923aea34404bb3689c150104a571ea1e

Filesize: 77KB (the same file is listed 6 times in the report)
MD5: 6e99b51b6533fe7a1ed56fa1ea553b82
SHA1: fb422cda0e04c577528849b4400d8b1ff44e9589
SHA256: 5dbe88158dd2f1913f67b98a9505c38e370846583cadcb668c759a4b60e5cb48
SHA512: f9af2c0bc3b420a04436436e1ba6816882e6204a242b58e519b3dfa8c272572e247c858fb108e4fab5c5acb355d17db49ecfe759c6c5db5de674314b28301b0c

Filesize: 837KB
MD5: e1b58e0aa1b377a1d0e940660ad1ace1
SHA1: 5afc7291b26855b1252b26381ebc85ed3cca218f
SHA256: 1b98c006231d38524e2278a474c49274fe42e0bb1a31bcfda02e6e32f559b777
SHA512: 9ce778bcb586638662b090910c4ceab3b64e16dfaf905a7581c1d349fecdf186995b3cc0dc8c6fc6e9761ea2831d7b14ac1619c2bd5ebc6d18015842e5d94aa2