Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
79s -
max time network
96s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
30/10/2022, 17:24
General
-
Target
1c87c2b61567f8e5763bdea57d3628147e5db429cec45dffb7e835bf81d39ac3.exe
-
Size
1.2MB
-
MD5
822dd46ca0b5d2ca0bffece58e2a0bcd
-
SHA1
6ebfddd3db40b70cb81f952ed10455abcd2b0e02
-
SHA256
1c87c2b61567f8e5763bdea57d3628147e5db429cec45dffb7e835bf81d39ac3
-
SHA512
23dc365ba77056027f8d387ff0ddfe38763c46b6c3dd647cd8b4fc8091bdfbd1671468f3afd8a6b1f24df2f1b50afd163b521cdabca25a359218797859ef6d83
-
SSDEEP
24576:3Sev5VtpRf4tFmM1Dcvj3E8FgXqQmX+KK:3SY3fO4suEHLmuKK
Malware Config
Signatures
-
Modifies security service 2 TTPs 4 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
-
Sets file execution options in registry 2 TTPs 29 IoCs
-
Sets file to hidden 1 TTPs 17 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Sets service image path in registry 2 TTPs 4 IoCs
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 15 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 7 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 6 IoCs
-
Runs .reg file with regedit 3 IoCs
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c87c2b61567f8e5763bdea57d3628147e5db429cec45dffb7e835bf81d39ac3.exe"C:\Users\Admin\AppData\Local\Temp\1c87c2b61567f8e5763bdea57d3628147e5db429cec45dffb7e835bf81d39ac3.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Documents and Settings\All Users\Application Data\baiducoma.bat""2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy *date.exe D:\Windows╟²╢»│╠╨≥▒╕╖▌╬─╡╡╬─╝■.scr /q /h /r /y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy *date.scr D:\Windows╟²╢»│╠╨≥▒╕╖▌╬─╡╡╬─╝■.scr /q /h /r /y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h D:\Windows╟²╢»│╠╨≥▒╕╖▌╬─╡╡╬─╝■.scr3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Documents and Settings\All Users\Application Data\baiducoma.bat"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Documents and Settings\All Users\Application Data"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\Common Files\Microsoft Shared\Web Folders"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "ekrn.exe safeboxTray.exe nod32krn.exe kwatch.exe shstat.exe Client.exe ashserv.exe" pid1.txt3⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete knlps3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "CCenter.exe services.exe 360tray.exe KVMonXP.kxp RSTray.exe RfwMain.exe 8date.exe" pid1.txt3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName" /v "ComputerName" /t reg_sz /d └╢╙ε╚║:41061527 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v "ComputerName" /t reg_sz /d └╢╙ε╚║:41061527 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" /v "NV Hostname" /t reg_sz /d └╢╙ε╚║:41061527 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" /v Hostname /t reg_sz /d └╢╙ε╚║:41061527 /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy Micsofoffice1.exe "Microsoft\Micsofoffice1.exe" /q /h /r /y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy Micsofoffice2.rar "Microsoft\Micsofoffice2.rar" /q /h /r /y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\sc.exeSC create Microsoftmanager binPath= "C:\Documents and Settings\All Users\Application Data\Microsoft\Micsofoffice1.exe" Start= auto displayname= "Microsoftnetwork gervice" type= own3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config Microsoftmanager start= auto3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeSC description Microsoftmanager "╬¬╣▄└φ║═╬¼╗ñ╘┌╝╞╦π╗·─┌NTFS┤┼┼╠╬─╝■╓«╝Σ╡─╧╡═│╩²╛▌┐Γ,╧√╧ó╢╙┴╨,╬─╝■╧╡═│╡╚╫╩╘┤╣▄└φ╞≈╡─╩┬╬±╠ß╣⌐╓º│╓.╜╧╡═░µ▒╛╡─▓┘╫≈╧╡═│╘≥▓╗╗ß╖ó╔·╒Γ╨⌐╩┬╬±.╚τ╣√╜√╙├┤╦╖■╬±,╚╬║╬╥└└╡┤╦╖■╬±╡─╞Σ╦√╖■╬±╜½╬▐╖¿╞⌠╢»."3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Microsoft\Micsofoffice2.rar"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Microsoft\Micsofoffice1.exe"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s BaiDuhi.reg3⤵
- Modifies security service
- Modifies visiblity of hidden/system files in Explorer
- Sets service image path in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h D:\Windows╟²╢»│╠╨≥▒╕╖▌╬─╡╡╬─╝■.scr3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy D:\Windows╟²╢»│╠╨≥▒╕╖▌╬─╡╡╬─╝■.scr "D:\My documents\╬╥╡─╥⌠└╓║══╝╞¼╩╒▓╪date.SCR" /q /h /r /y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "D:\My documents\╬╥╡─╥⌠└╓║══╝╞¼╩╒▓╪date.scr" D:\Windows╧╡═│╔∙╥⌠╬─╡╡▒╕╖▌╬─╝■╝╨date.SCR /q /h /r /y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "D:\My documents\╬╥╡─╥⌠└╓║══╝╞¼╩╒▓╪date.scr" E:\╤█╛ª░╤╤╢║┼┤½╕°─π╡─╨─┴Θ╩╟┴φ╥╗╓╓┐╒╞°-╗╢╙¡╝╙╚δ░┘╢╚└╢╔½╙ε╓µ╛ⁿ═┼╫▄╚║║┼41061527\Windows▒ú╗ñ╬─╡╡▒╕╖▌╬─╝■╝╨date.SCR /q /h /r /y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls E:\╤█╛ª░╤╤╢║┼┤½╕°─π╡─╨─┴Θ╩╟┴φ╥╗╓╓┐╒╞°-╗╢╙¡╝╙╚δ░┘╢╚└╢╔½╙ε╓µ╛ⁿ═┼╫▄╚║║┼41061527 /D GRXNNIIE3⤵
- Enumerates connected drives
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s D:\Windows╧╡═│╔∙╥⌠╬─╡╡▒╕╖▌╬─╝■╝╨date.SCR3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h D:\Windows╟²╢»│╠╨≥▒╕╖▌╬─╡╡╬─╝■.scr3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s "D:\My documents\╬╥╡─╥⌠└╓║══╝╞¼╩╒▓╪date.scr"3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Windows\system32\Microsoft3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h Microsoft3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\fsutil.exefsutil fsinfo drives3⤵
-
-
C:\Windows\SysWOW64\find.exefind /v ""3⤵
-
-
C:\Windows\SysWOW64\fsutil.exefsutil fsinfo drivetype Drives:3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c findstr /i "╥╞╢»" 200.txt3⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /i "╥╞╢»" 200.txt4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c findstr /i "╥╞╢»" 200.txt3⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /i "╥╞╢»" 200.txt4⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\system32\ftpkyo.exe3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Documents and Settings\All Users\Application Data\ftp.exe"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\system32\tftpkyo.exe3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\system32\netstatkyo.exe3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\system32\compmgmtkyo.msc3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\system32\sethc.exe3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all3⤵
- Gathers network information
-
-
C:\Windows\SysWOW64\netstatkyo.exenetstatkyo.exe -an3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo.exe3⤵
- Gathers system information
-
-
C:\Windows\SysWOW64\attrib.exeattrib C:\Windows\system32\ftp.exe3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib C:\Windows\system32\ftpkyo.exe3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib C:\Windows\system32\tftp.exe3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib C:\Windows\system32\tftpkyo.exe3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s BaiDuhi.reg3⤵
- Modifies security service
- Modifies visiblity of hidden/system files in Explorer
- Sets service image path in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\GRXNNIIE.txt3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\BOOT.INI"3⤵
-
-
C:\Windows\SysWOW64\find.exefind /i "XP"3⤵
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s Image.reg3⤵
- Sets file execution options in registry
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h C:\date.txt3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Documents and Settings\All Users\alluserslog.ini"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\sc.exesc config Browser start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config lanmanserver start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Documents and Settings\All Users\Application Data\Microsoft\chekip.vbs"3⤵
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\net.exenet stop Browser /y3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Browser /y4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop lanmanworkstation /y3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop lanmanworkstation /y4⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop lanmanserver /y3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop lanmanserver /y4⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Documents and Settings\All Users\Application Data\baiducoma.bat"3⤵
- Views/modifies file attributes
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD51350b2336d9210a3e11333a81e3ea33a
SHA1c9ffa4332660e8821612640eb1cb7f9d717b68bf
SHA256652cc677a43547d6008c104196c5361d1c4fe259ff64dab501391632b30d4337
SHA512df8464c3a236d200c6da3cdbcaf98cfe10046b5477091569ccab45d80766204e287864ed62a572afd9772cf0eb33370bcf8e7a69eea1b2b68296163874741291
-
Filesize
2KB
MD5c615e428272dae1eaafb51e8300803a9
SHA1755c4f97eebc984a89bdc0e8c17afdf65e029e17
SHA256a0c056d8a0a610311f63bd26e4f63cad569d409589b9c6429da19fdf3af48b93
SHA51232fab45dc411a4f4f7690c472d4902f1fdfa6ac9e0f24f7fb88d7e709cb27b10d03547144c3dbb2f4b5085e3866a19df63d090a165999faec3cb89080f3dfeb9
-
Filesize
379B
MD5a28df3b71f64ee3dfea1b6312b65e37d
SHA14100772e2240129ad6eca9bc0c02737df4041445
SHA256db45839c2dc969d6c50153db13e8b95348ad9688ca25e4273cda769af3be0229
SHA5123ead0ceb33e977a17929e2b691c932173aa7d6288caf2baf124757f4fa271b63f7e914ad223afd9974ab524301a14d9ee36d469a1addc78c6bbfee050228b071
-
Filesize
24KB
MD5b5d266afb1cba8474f1e59b41561526e
SHA1588a88e72cfe2b3551f9852b7a2f6f19a102e708
SHA25624c1514acdd74dab641e49b56a4c9061d77696d83b7149eae958ec1e1dec961b
SHA512ad4558887f05ed1ed3f9bb70022fa4aee925d7707aed69a15fdd008471243af88b245fba6a68bdbf22ef05ccdf60f362883ce85c71077ba232413a7d6812c7d2
-
Filesize
110KB
MD5f04c119c159670c9271623454bec3254
SHA11f42aed72c659b75b9e5a2ff1e284c0649765c3c
SHA2562456bd374082d03520d844b922ad58ff1e3850c0dc0c3683c9c54d4f538f2c19
SHA5129d021717151da9ddfbe8fab555334402c5083b6be678683c180ed726d1de483390aa197473cefef21924cc80dc8fe9d680b1634393f03b72e0c38bbee45995bb
-
Filesize
41KB
MD59996103f8a650bdb3586c9aae1101912
SHA1e2e444f527dc7d20732bfec10055de916647565f
SHA25674e674254bda1a062eff7042db819ac71496d00e0e1854c6d3809163685ff687
SHA512dd2938965f0edac5006904b568a4d27cc47d2a21f8cee72dcc4744b4f74d830ea47e711f7690aa39942569915e3fc29dd12cd3fb310fd1395e999a002152a616
-
Filesize
26KB
MD532297bb17e6ec700d0fc869f9acaf561
SHA1f08d57dd80aeddd7645cbdf27e5af5edf99c1f46
SHA256986f524f38b973531002dceb17414bf8c691b60fb0ea2e4c53c3c7bd3f9ee54e
SHA512262f69525337c9a82c7e7b53889f30f9e5d5c1889c6f7b8295ffad8177d74c5e3dfd68f301cedaf648a4a3845bd765471d38d0ac1a9b9bd3fddf2f26ce8286a1
-
Filesize
26KB
MD532297bb17e6ec700d0fc869f9acaf561
SHA1f08d57dd80aeddd7645cbdf27e5af5edf99c1f46
SHA256986f524f38b973531002dceb17414bf8c691b60fb0ea2e4c53c3c7bd3f9ee54e
SHA512262f69525337c9a82c7e7b53889f30f9e5d5c1889c6f7b8295ffad8177d74c5e3dfd68f301cedaf648a4a3845bd765471d38d0ac1a9b9bd3fddf2f26ce8286a1
-
Filesize
26KB
MD532297bb17e6ec700d0fc869f9acaf561
SHA1f08d57dd80aeddd7645cbdf27e5af5edf99c1f46
SHA256986f524f38b973531002dceb17414bf8c691b60fb0ea2e4c53c3c7bd3f9ee54e
SHA512262f69525337c9a82c7e7b53889f30f9e5d5c1889c6f7b8295ffad8177d74c5e3dfd68f301cedaf648a4a3845bd765471d38d0ac1a9b9bd3fddf2f26ce8286a1
-
Filesize
8KB
-
Filesize
336KB
-
Filesize
12KB
-
Filesize
336KB
-
Filesize
1.2MB