Analysis
- max time kernel: 121s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/10/2022, 20:00
Static task
- static1
Behavioral task behavioral1
- Sample: 8c79f64eb0802fac12f30aa53a832d06d0327304c9cd14005e1ab1e3e439b689.exe
- Resource: win7-20220901-en
Behavioral task behavioral2
- Sample: 8c79f64eb0802fac12f30aa53a832d06d0327304c9cd14005e1ab1e3e439b689.exe
- Resource: win10v2004-20220812-en
The signatures, process tree and downloads below belong to behavioral2 (the Windows 10 run); the behavioral1 Windows 7 run is not shown on this page.
General
- Target: 8c79f64eb0802fac12f30aa53a832d06d0327304c9cd14005e1ab1e3e439b689.exe
- Size: 352KB
- MD5: 006543effb858695f39ddc4522460500
- SHA1: f412cd02efef2d83e774b13b13c4771a83f13e8d
- SHA256: 8c79f64eb0802fac12f30aa53a832d06d0327304c9cd14005e1ab1e3e439b689
- SHA512: 9c0ba9ff79e059addf698b2e91a5f12855adc09a836c9e92fc4f564f4b55d57fd484f629d599e98f43c1ce3025147b0ee6372d815acbd3fa2f724607243a8cd6
- SSDEEP: 6144:FrvdwMXe0Ho9yCIqP2q+3MhWDIhuZ1qD70HWWWCWWW+/85/8LDg:Fjbez9yCI62lbgU/85/8L
Malware Config
Signatures
YARA rule matches
- behavioral2/files/0x000a000000022f5f-134.dat: aspack_v212_v242
- behavioral2/files/0x000a000000022f5f-135.dat: aspack_v212_v242
Both dropped files match the ASPack v2.12-v2.42 packer signature, so the dropped payload is packed; static strings from the sample itself will not describe its behaviour.
Executes dropped EXE (1 IoC)
- PID 4888: VUpNzsbl.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation, by VUpNzsbl.exe
Legitimate software reads this value too; what makes it notable here is that the reader is the freshly dropped executable running from the user's Temp directory, and the read precedes the mass file access in Program Files below.
Drops file in Program Files directory (64 IoCs)
Every entry is "File opened for modification" by VUpNzsbl.exe, i.e. the dropped executable requested write access to an existing executable under Program Files. The report records the access request, not the bytes written, and every target is an .exe.
- C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe
- C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe
- C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe
- C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
- C:\Program Files (x86)\Windows Mail\wab.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe
- C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe
- C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe
- C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe
- C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
- C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe
- C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe
- C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe
- C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe
- C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe
- C:\Program Files\Microsoft Office\root\Office16\msoia.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe
- C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
- C:\Program Files\Mozilla Firefox\plugin-container.exe
- C:\Program Files\Mozilla Firefox\uninstall\helper.exe
- C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
- C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe
- C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe
- C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe
- C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE
- C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE
- C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe
- C:\Program Files\Java\jre1.8.0_66\bin\klist.exe
- C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe
- C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
- C:\Program Files\Mozilla Firefox\pingsender.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe
- C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe
- C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE
- C:\Program Files\Windows Photo Viewer\ImagingDevices.exe
- C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe
- C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe
- C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE
- C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
- C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe
- C:\Program Files\Google\Chrome\Application\chrome.exe
- C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe
- C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE
- C:\Program Files\VideoLAN\VLC\vlc.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe
- C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.exe
- C:\Program Files (x86)\Windows Mail\wabmig.exe
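The signature above arrives as one run-together line per page, which is awkward to turn into a hunt list. The following script is an added example for this report, not tria.ge tooling: it parses the report's "File opened for modification <path> <process>" wording, groups the targets by vendor directory, checks that every target is an executable and emits a de-duplicated path list for hashing on a suspect host. SAMPLE is a constructed input made from five of the 64 entries; paste the full signature text in its place to process the whole list.

```python
"""Turn the flattened 'Drops file in Program Files directory' signature into hunt IoCs.

Added example for this report, not tria.ge's own tooling. The report lists each
event as 'File opened for modification <path> <process>' run together on one
line; this parses that text, groups the targeted paths by vendor directory,
checks that every target is an executable and emits a de-duplicated path list
for host-side hashing. SAMPLE is constructed from five entries of the report.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: five of the report's 64 entries, in the report's format.
SAMPLE = (
    "File opened for modification C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\javapackager.exe VUpNzsbl.exe "
    "File opened for modification C:\\Program Files (x86)\\Windows Mail\\wab.exe VUpNzsbl.exe "
    "File opened for modification C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe VUpNzsbl.exe "
    "File opened for modification C:\\Program Files\\VideoLAN\\VLC\\vlc.exe VUpNzsbl.exe "
    "File opened for modification C:\\Program Files\\Mozilla Firefox\\plugin-container.exe VUpNzsbl.exe"
)

# Paths contain spaces, so the path is matched lazily and terminated by the
# process name, which must be followed by the next event marker or end of input.
EVENT_RE = re.compile(
    r"File opened for modification (?P<path>[A-Za-z]:\\.+?) (?P<proc>\S+)"
    r"(?= File opened for modification|$)"
)


def parse_events(text):
    """Return [(path, process), ...] in report order."""
    return [(m.group("path"), m.group("proc")) for m in EVENT_RE.finditer(text.strip())]


def product_dir(path):
    """'C:\\Program Files\\Java\\...' -> 'Program Files\\Java' (vendor level)."""
    parts = PureWindowsPath(path).parts
    return "\\".join(parts[1:3])


def summarize(text):
    """Counts per vendor directory, the writing processes, and an all-.exe check."""
    events = parse_events(text)
    return {
        "count": len(events),
        "by_dir": dict(Counter(product_dir(p) for p, _ in events)),
        "processes": sorted({proc for _, proc in events}),
        "all_executables": all(p.lower().endswith(".exe") for p, _ in events),
    }


def hunt_paths(text):
    """Sorted unique target paths, ready to hash on a suspect host."""
    return sorted({p for p, _ in parse_events(text)})


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"{s['count']} events by {', '.join(s['processes'])}; all .exe: {s['all_executables']}")
    for d, n in sorted(s["by_dir"].items()):
        print(f"  {n:3d}  {d}")
    print("\n".join(hunt_paths(SAMPLE)))
```

On a host, the output of hunt_paths is the list to hash and compare against known-good copies (vendor installers or a clean reference image), because the report only shows that write access was requested, not what was written. The all_executables flag is worth reading next to the "Likely ransomware behaviour" remark further down: everything this sample opened for modification is an executable.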
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No individual IoC is listed for this signature.
Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 1200: 8c79f64eb0802fac12f30aa53a832d06d0327304c9cd14005e1ab1e3e439b689.exe (three calls)
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 1200 (8c79f64eb0802fac12f30aa53a832d06d0327304c9cd14005e1ab1e3e439b689.exe) wrote to memory of PID 4888, procid_target 83: three entries
- PID 4888 (VUpNzsbl.exe) wrote to memory of PID 2364, procid_target 91: three entries
Both writers are the parent of the process they wrote to (see the process tree), which is the pattern CreateProcess itself produces when it sets up a new child; the report gives no write sizes or addresses that would distinguish that from a hollowed child.
Processes
1. C:\Users\Admin\AppData\Local\Temp\8c79f64eb0802fac12f30aa53a832d06d0327304c9cd14005e1ab1e3e439b689.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8c79f64eb0802fac12f30aa53a832d06d0327304c9cd14005e1ab1e3e439b689.exe"
   PID: 1200
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\VUpNzsbl.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\VUpNzsbl.exe
      PID: 4888
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\55985bd2.bat" "
         PID: 2364
The command line names system32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the 32-bit VUpNzsbl.exe was subject to WoW64 file system redirection, consistent with the arch:x86 resource tag. The contents of 55985bd2.bat are not shown in this report.
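The WriteProcessMemory table and the process tree above are only meaningful together: a write into a process the writer has just created is the normal CreateProcess artifact, whereas a write into a process that is not the writer's child is a cross-process write worth treating as possible injection. The script below is an added example for this report, not tria.ge tooling; PROCESSES and WRITE_EVENTS are transcribed from the report's Processes section and WriteProcessMemory table, and the parent of the submitted sample, which the report does not record, is modelled as None.

```python
"""Check the report's WriteProcessMemory events against its process tree.

Added example for this report, not tria.ge's own tooling. tria.ge logs one
'PID <src> wrote to memory of <dst>' row per WriteProcessMemory call. A parent
writing into a process it has just created is the normal CreateProcess
artifact (the new child's process parameters are written into it), while a
write into a process that is not the writer's child is a cross-process write
worth treating as possible injection. PROCESSES and WRITE_EVENTS are
transcribed from the report; the parent of the submitted sample is not in the
report and is modelled as None.
"""
from collections import Counter

SAMPLE_NAME = "8c79f64eb0802fac12f30aa53a832d06d0327304c9cd14005e1ab1e3e439b689.exe"

# pid -> (image name, parent pid), from the report's Processes section
PROCESSES = {
    1200: (SAMPLE_NAME, None),
    4888: ("VUpNzsbl.exe", 1200),
    2364: ("cmd.exe", 4888),
}

# (writer pid, target pid), one tuple per row of the report's table
WRITE_EVENTS = [(1200, 4888)] * 3 + [(4888, 2364)] * 3


def classify_writes(processes, events):
    """Map (src, dst) -> (count, verdict).

    'child-creation' when dst's recorded parent is src. The report gives no
    write sizes or addresses, so the tree is the only evidence used here; a
    hollowed child would still come out as 'child-creation'.
    """
    verdicts = {}
    for (src, dst), n in Counter(events).items():
        _, parent = processes.get(dst, ("<unknown>", None))
        verdicts[(src, dst)] = (n, "child-creation" if parent == src else "cross-process")
    return verdicts


def cross_process_targets(processes, events):
    """PIDs that received writes from a process that is not their parent."""
    return sorted(
        dst
        for (_, dst), (_, verdict) in classify_writes(processes, events).items()
        if verdict == "cross-process"
    )


def render_tree(processes, root=None, depth=0):
    """Indented tree in the shape of the report's Processes section."""
    lines = []
    for pid, (image, parent) in sorted(processes.items()):
        if parent == root:
            lines.append("  " * depth + f"{image} (PID {pid})")
            lines.extend(render_tree(processes, pid, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    for (src, dst), (n, verdict) in classify_writes(PROCESSES, WRITE_EVENTS).items():
        print(f"{src} -> {dst}: {n} writes, {verdict}")
    print("cross-process targets:", cross_process_targets(PROCESSES, WRITE_EVENTS))
```

For this report both write pairs classify as child-creation and cross_process_targets returns an empty list; adding a hypothetical write from 4888 into 1200 (its parent, not its child) would surface 1200 as an injection candidate. Three rows per child creation is the baseline in this report; a much higher count against a single child, or a child created suspended, would justify pulling the target's memory from the sandbox rather than relying on the tree alone.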
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 191B
  MD5: 761d1a5d4a6f2d58352eadb14da390a4
  SHA1: 3724cbcc30c4646de53ff14ff61e4308d925d4f5
  SHA256: 478a1176e300d442bac65e5312a894ea3285eccbfc2163631d7171461610304a
  SHA512: 4789a07a1ad20594b43a42eceab19286f0f6db50ae896c8ebb4c47414d47a96dc6ad7b6facb4c9517c2f70fedcb1df4d9e246641384ea6a55eaa822c897217d1
- Filesize: 15KB
  MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
  SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
  SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
  SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
- Filesize: 15KB
  Second entry with exactly the same MD5, SHA1, SHA256 and SHA512 as the entry above, so two dropped artifacts with identical content.
The report does not say which download corresponds to which path; none of these hashes matches the 352KB submitted sample.