Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

89cc0118e8...eb.exe

windows7-x64

8

89cc0118e8...eb.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    82s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30/10/2022, 15:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89cc0118e8523f29185f25c5aba53f907151dae7b5d54df289352c11137f88eb.exe

  • Size

    564KB

  • MD5

    83289a0e448e6c43d4ee5984524525e8

  • SHA1

    472e1dac4ff9be110c040a5c76a72e12929ec37a

  • SHA256

    89cc0118e8523f29185f25c5aba53f907151dae7b5d54df289352c11137f88eb

  • SHA512

    777b7aad35a53b544237ffd6c84e059069e32fc0dbdb815dbbe5c10eefc04b0f5b9ff9cd9460478ec2e2e1d50e9d952a3757e8abc99d40090c01416d6f117000

  • SSDEEP

    12288:u+MDtCi7NFlZnNqZ9xGrLpZ0ZHEqtgb0Uq:utplNFgxG5eZngb0p

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 7 IoCs
    installer
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89cc0118e8523f29185f25c5aba53f907151dae7b5d54df289352c11137f88eb.exe
    "C:\Users\Admin\AppData\Local\Temp\89cc0118e8523f29185f25c5aba53f907151dae7b5d54df289352c11137f88eb.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
      C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:304
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\newsetup.vbs"
        3⤵
          PID:1940
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\1.vbs"
          3⤵
            PID:984
        • C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
          C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1972
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.97199.com/install2/?sl3
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1480
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1480 CREDAT:275457 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1124
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
            3⤵
              PID:1196

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
          Filesize

          35KB

          MD5

          08f52a4ccd01913b9a9691093a64366f

          SHA1

          e44c6620b4107a0f55e89f632c007a9a1ec88119

          SHA256

          85357e0168e34f2d01f319a0f129132b77f03cafb6820ecf6dda64a39266582d

          SHA512

          d6a9eed3a663f59047cb6d74aed375a7041060921ea80835f039726fa171fbf7b030c29a4c3059ae875058605f54bebfcba7d4daaf36b5ed1cb960e91d4755fc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
          Filesize

          35KB

          MD5

          08f52a4ccd01913b9a9691093a64366f

          SHA1

          e44c6620b4107a0f55e89f632c007a9a1ec88119

          SHA256

          85357e0168e34f2d01f319a0f129132b77f03cafb6820ecf6dda64a39266582d

          SHA512

          d6a9eed3a663f59047cb6d74aed375a7041060921ea80835f039726fa171fbf7b030c29a4c3059ae875058605f54bebfcba7d4daaf36b5ed1cb960e91d4755fc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
          Filesize

          467KB

          MD5

          74869a0346ab36bbba85022612505121

          SHA1

          2cd02f46f2f9f46eaf15fce40a3bf4781f80cf8a

          SHA256

          6de866b5c8abb1db9b2be231b365c1aa029118fbc58823f443f00e3a33dff18a

          SHA512

          723812083113cff82aa5e2243759c572518865e351cc81b7c2b85a05557862dbbd7a98b964ff6f3aa3802bb5d4dab01a14147211495fc5803d9ddb7b715f4de5

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GYZMR1GK.txt
          Filesize

          608B

          MD5

          f8ea11cc43d9ff1527f1260666eb8bd4

          SHA1

          1998fbe5bcb87a10f672f28dbf84bc7eaf2bb816

          SHA256

          9cb79ebc6773ba8de48975d55b825e49048bcd3e2e3dd646da97d099c2b579f0

          SHA512

          e973970648650133c6261e1a4a9a9cd3efcb4daeb63fcccfa5f6412173b35c2781f27d6ea895e03097e9a7f2c21b2bde425334258e4c80a5ab1f37a618fd39ba

          Download Submit

        • C:\newsetup.vbs
          Filesize

          631B

          MD5

          5e2c0c26e344eeae4304c9bb561ea89b

          SHA1

          4664f9d0f582ab586ab197515aa45499eb18db41

          SHA256

          f74ed58e1ff45165abf943ff0364fff8e5d873b9051ccba0da940399fbd8aac3

          SHA512

          4aa5f6d5c35160470f99808dab9a68f826e726eae0b7f536e71665b978d72502faf971c4f9f2a9a792b3aca04736c9c97d633da7b34b50dbd3831dcb67284d97

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nbfile0.exe
          Filesize

          35KB

          MD5

          08f52a4ccd01913b9a9691093a64366f

          SHA1

          e44c6620b4107a0f55e89f632c007a9a1ec88119

          SHA256

          85357e0168e34f2d01f319a0f129132b77f03cafb6820ecf6dda64a39266582d

          SHA512

          d6a9eed3a663f59047cb6d74aed375a7041060921ea80835f039726fa171fbf7b030c29a4c3059ae875058605f54bebfcba7d4daaf36b5ed1cb960e91d4755fc

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nbfile0.exe
          Filesize

          35KB

          MD5

          08f52a4ccd01913b9a9691093a64366f

          SHA1

          e44c6620b4107a0f55e89f632c007a9a1ec88119

          SHA256

          85357e0168e34f2d01f319a0f129132b77f03cafb6820ecf6dda64a39266582d

          SHA512

          d6a9eed3a663f59047cb6d74aed375a7041060921ea80835f039726fa171fbf7b030c29a4c3059ae875058605f54bebfcba7d4daaf36b5ed1cb960e91d4755fc

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nbfile0.exe
          Filesize

          35KB

          MD5

          08f52a4ccd01913b9a9691093a64366f

          SHA1

          e44c6620b4107a0f55e89f632c007a9a1ec88119

          SHA256

          85357e0168e34f2d01f319a0f129132b77f03cafb6820ecf6dda64a39266582d

          SHA512

          d6a9eed3a663f59047cb6d74aed375a7041060921ea80835f039726fa171fbf7b030c29a4c3059ae875058605f54bebfcba7d4daaf36b5ed1cb960e91d4755fc

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nbfile0.exe
          Filesize

          35KB

          MD5

          08f52a4ccd01913b9a9691093a64366f

          SHA1

          e44c6620b4107a0f55e89f632c007a9a1ec88119

          SHA256

          85357e0168e34f2d01f319a0f129132b77f03cafb6820ecf6dda64a39266582d

          SHA512

          d6a9eed3a663f59047cb6d74aed375a7041060921ea80835f039726fa171fbf7b030c29a4c3059ae875058605f54bebfcba7d4daaf36b5ed1cb960e91d4755fc

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nbfile0.exe
          Filesize

          35KB

          MD5

          08f52a4ccd01913b9a9691093a64366f

          SHA1

          e44c6620b4107a0f55e89f632c007a9a1ec88119

          SHA256

          85357e0168e34f2d01f319a0f129132b77f03cafb6820ecf6dda64a39266582d

          SHA512

          d6a9eed3a663f59047cb6d74aed375a7041060921ea80835f039726fa171fbf7b030c29a4c3059ae875058605f54bebfcba7d4daaf36b5ed1cb960e91d4755fc

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nbfile1.exe
          Filesize

          467KB

          MD5

          74869a0346ab36bbba85022612505121

          SHA1

          2cd02f46f2f9f46eaf15fce40a3bf4781f80cf8a

          SHA256

          6de866b5c8abb1db9b2be231b365c1aa029118fbc58823f443f00e3a33dff18a

          SHA512

          723812083113cff82aa5e2243759c572518865e351cc81b7c2b85a05557862dbbd7a98b964ff6f3aa3802bb5d4dab01a14147211495fc5803d9ddb7b715f4de5

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nbfile1.exe
          Filesize

          467KB

          MD5

          74869a0346ab36bbba85022612505121

          SHA1

          2cd02f46f2f9f46eaf15fce40a3bf4781f80cf8a

          SHA256

          6de866b5c8abb1db9b2be231b365c1aa029118fbc58823f443f00e3a33dff18a

          SHA512

          723812083113cff82aa5e2243759c572518865e351cc81b7c2b85a05557862dbbd7a98b964ff6f3aa3802bb5d4dab01a14147211495fc5803d9ddb7b715f4de5

          Download Submit

        • memory/304-58-0x0000000076121000-0x0000000076123000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1572-67-0x0000000001D20000-0x0000000001DAA000-memory.dmp

          Filesize

          552KB

          Download

        • memory/1972-68-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/1972-77-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download