Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
06/11/2022, 04:29
General
-
Target
6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe
-
Size
52KB
-
MD5
38fad30c6ee239246741b4991d8d1720
-
SHA1
b2da0d90a56e3ce0508d34b882c6937e230e3edc
-
SHA256
6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c
-
SHA512
5401f6acb1a41a97cd0561fba8916650df2ad4ec9491323870a6642bf41717ed7365ea0313b1b93273a1eaf6e13bb0402b525f723f761abf2a5db66d20d7f710
-
SSDEEP
768:EclW/lMFggAKwU0DN1C0wlfAenhODYaG426VmkblAYG3iqKMP65PuMPI2hTTToT:tWN/gAKqfCmQhOp2Yb9wbPCP5QqTToT
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 24 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Modifies registry class 64 IoCs
-
Runs .reg file with regedit 5 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe"C:\Users\Admin\AppData\Local\Temp\6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\jg\indexOlds.vbe" 02⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe" /s C:\Windows\SetWindowsIndex.reg3⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe" /s C:\Windows\ShowIeLinkIe6.reg3⤵
- Modifies Internet Explorer settings
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe" /s C:\Windows\ShowIeLinkIe7.reg3⤵
- Modifies Internet Explorer settings
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Internt Explorer.llnk" /e /c /r Administrators3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Internt Explorer.llnk" /e /c /r Administrator3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Internt Explorer.llnk" /e /c /r users3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Internt Explorer.llnk" /e /c /r everyone3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Internt Explorer.llnk" /e /c /r system3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Internt Explorer.llnk" /e /c /r user3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internt Explorer.llnk" /e /c /r Administrators3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internt Explorer.llnk" /e /c /r Administrator3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internt Explorer.llnk" /e /c /r users3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internt Explorer.llnk" /e /c /r system3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internt Explorer.llnk" /e /c /r everyone3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internt Explorer.llnk" /e /c /r user3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internt Explorer.llnk" /e /c /r Administrators3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internt Explorer.llnk" /e /c /r Administrator3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internt Explorer.llnk" /e /c /r users3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internt Explorer.llnk" /e /c /r system3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internt Explorer.llnk" /e /c /r everyone3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internt Explorer.llnk" /e /c /r user3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÌÔ±¦¹ºÎï.Tao" /e /c /r Administrators3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÌÔ±¦¹ºÎï.Tao" /e /c /r Administrator3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÌÔ±¦¹ºÎï.Tao" /e /c /r users3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÌÔ±¦¹ºÎï.Tao" /e /c /r system3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÌÔ±¦¹ºÎï.Tao" /e /c /r everyone3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÌÔ±¦¹ºÎï.Tao" /e /c /r user3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Mozilla Firefox.fox" /e /c /r Administrators3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Mozilla Firefox.fox" /e /c /r Administrator3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Mozilla Firefox.fox" /e /c /r users3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Mozilla Firefox.fox" /e /c /r system3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Mozilla Firefox.fox" /e /c /r everyone3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Mozilla Firefox.fox" /e /c /r user3⤵
-
-
-
C:\Windows\qgln\smss.exeC:\Windows\qgln\smss.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "baidu" /d "c:\windows\qgln\smss.exe " /f3⤵
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Program Files\axpct\ktaij.dll"2⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\cmd.execmd /c regedit.exe /s C:\Windows\reg.reg2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeregedit.exe /s C:\Windows\reg.reg3⤵
- Installs/modifies Browser Helper Object
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c regedit.exe /s C:\Windows\WindowsMy.reg2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeregedit.exe /s C:\Windows\WindowsMy.reg3⤵
- Modifies registry class
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\WScript.ExeWScript.Exe C:\Windows\del.tmp.bho.bho.bho.vbs2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD53828594d73900c5c5358e17e28ac21b1
SHA1df78ecd976d828c53332184df37cd8876dbed1a2
SHA256d038403782ece2e16cd79f8f4a33df35558ce23a885d126094a377b4c94d8925
SHA5125858691cbf5e7ca95687bed6e75afa65d55ec18e193528a7b997febbba0a8038cde0036ec45447bc02bff4fce8988cea11ef9f9ef759c84e82f5d9af02db5499
-
Filesize
28KB
MD53828594d73900c5c5358e17e28ac21b1
SHA1df78ecd976d828c53332184df37cd8876dbed1a2
SHA256d038403782ece2e16cd79f8f4a33df35558ce23a885d126094a377b4c94d8925
SHA5125858691cbf5e7ca95687bed6e75afa65d55ec18e193528a7b997febbba0a8038cde0036ec45447bc02bff4fce8988cea11ef9f9ef759c84e82f5d9af02db5499
-
Filesize
285B
MD5ab0a0848ec0670b7d47a5c6b80e6c4d5
SHA16ee2a01efd891cbdbceaef65730cf64aa8f87e2f
SHA256855d2a8ee25b33026cb20c1b878d9c17b832db1f33dc3ae05767082d46cdb39d
SHA5123bc7b8ee02942988bc503626e4b1817dbcb0a8b9bb14860bf8f38785cf86b6e40430c7e493a79a79335bb949823521627f7c6446e2139f649226b386551594c5
-
Filesize
285B
MD5ab0a0848ec0670b7d47a5c6b80e6c4d5
SHA16ee2a01efd891cbdbceaef65730cf64aa8f87e2f
SHA256855d2a8ee25b33026cb20c1b878d9c17b832db1f33dc3ae05767082d46cdb39d
SHA5123bc7b8ee02942988bc503626e4b1817dbcb0a8b9bb14860bf8f38785cf86b6e40430c7e493a79a79335bb949823521627f7c6446e2139f649226b386551594c5
-
Filesize
285B
MD5ab0a0848ec0670b7d47a5c6b80e6c4d5
SHA16ee2a01efd891cbdbceaef65730cf64aa8f87e2f
SHA256855d2a8ee25b33026cb20c1b878d9c17b832db1f33dc3ae05767082d46cdb39d
SHA5123bc7b8ee02942988bc503626e4b1817dbcb0a8b9bb14860bf8f38785cf86b6e40430c7e493a79a79335bb949823521627f7c6446e2139f649226b386551594c5
-
Filesize
285B
MD5ab0a0848ec0670b7d47a5c6b80e6c4d5
SHA16ee2a01efd891cbdbceaef65730cf64aa8f87e2f
SHA256855d2a8ee25b33026cb20c1b878d9c17b832db1f33dc3ae05767082d46cdb39d
SHA5123bc7b8ee02942988bc503626e4b1817dbcb0a8b9bb14860bf8f38785cf86b6e40430c7e493a79a79335bb949823521627f7c6446e2139f649226b386551594c5
-
Filesize
285B
MD5ab0a0848ec0670b7d47a5c6b80e6c4d5
SHA16ee2a01efd891cbdbceaef65730cf64aa8f87e2f
SHA256855d2a8ee25b33026cb20c1b878d9c17b832db1f33dc3ae05767082d46cdb39d
SHA5123bc7b8ee02942988bc503626e4b1817dbcb0a8b9bb14860bf8f38785cf86b6e40430c7e493a79a79335bb949823521627f7c6446e2139f649226b386551594c5
-
Filesize
285B
MD5ab0a0848ec0670b7d47a5c6b80e6c4d5
SHA16ee2a01efd891cbdbceaef65730cf64aa8f87e2f
SHA256855d2a8ee25b33026cb20c1b878d9c17b832db1f33dc3ae05767082d46cdb39d
SHA5123bc7b8ee02942988bc503626e4b1817dbcb0a8b9bb14860bf8f38785cf86b6e40430c7e493a79a79335bb949823521627f7c6446e2139f649226b386551594c5
-
Filesize
285B
MD5ab0a0848ec0670b7d47a5c6b80e6c4d5
SHA16ee2a01efd891cbdbceaef65730cf64aa8f87e2f
SHA256855d2a8ee25b33026cb20c1b878d9c17b832db1f33dc3ae05767082d46cdb39d
SHA5123bc7b8ee02942988bc503626e4b1817dbcb0a8b9bb14860bf8f38785cf86b6e40430c7e493a79a79335bb949823521627f7c6446e2139f649226b386551594c5
-
Filesize
285B
MD5ab0a0848ec0670b7d47a5c6b80e6c4d5
SHA16ee2a01efd891cbdbceaef65730cf64aa8f87e2f
SHA256855d2a8ee25b33026cb20c1b878d9c17b832db1f33dc3ae05767082d46cdb39d
SHA5123bc7b8ee02942988bc503626e4b1817dbcb0a8b9bb14860bf8f38785cf86b6e40430c7e493a79a79335bb949823521627f7c6446e2139f649226b386551594c5
-
Filesize
285B
MD5ab0a0848ec0670b7d47a5c6b80e6c4d5
SHA16ee2a01efd891cbdbceaef65730cf64aa8f87e2f
SHA256855d2a8ee25b33026cb20c1b878d9c17b832db1f33dc3ae05767082d46cdb39d
SHA5123bc7b8ee02942988bc503626e4b1817dbcb0a8b9bb14860bf8f38785cf86b6e40430c7e493a79a79335bb949823521627f7c6446e2139f649226b386551594c5
-
Filesize
285B
MD5ab0a0848ec0670b7d47a5c6b80e6c4d5
SHA16ee2a01efd891cbdbceaef65730cf64aa8f87e2f
SHA256855d2a8ee25b33026cb20c1b878d9c17b832db1f33dc3ae05767082d46cdb39d
SHA5123bc7b8ee02942988bc503626e4b1817dbcb0a8b9bb14860bf8f38785cf86b6e40430c7e493a79a79335bb949823521627f7c6446e2139f649226b386551594c5
-
Filesize
285B
MD5ab0a0848ec0670b7d47a5c6b80e6c4d5
SHA16ee2a01efd891cbdbceaef65730cf64aa8f87e2f
SHA256855d2a8ee25b33026cb20c1b878d9c17b832db1f33dc3ae05767082d46cdb39d
SHA5123bc7b8ee02942988bc503626e4b1817dbcb0a8b9bb14860bf8f38785cf86b6e40430c7e493a79a79335bb949823521627f7c6446e2139f649226b386551594c5
-
Filesize
285B
MD5ab0a0848ec0670b7d47a5c6b80e6c4d5
SHA16ee2a01efd891cbdbceaef65730cf64aa8f87e2f
SHA256855d2a8ee25b33026cb20c1b878d9c17b832db1f33dc3ae05767082d46cdb39d
SHA5123bc7b8ee02942988bc503626e4b1817dbcb0a8b9bb14860bf8f38785cf86b6e40430c7e493a79a79335bb949823521627f7c6446e2139f649226b386551594c5
-
Filesize
231KB
MD52e6cb75b2e684c2b9dbc8be03852c184
SHA15b7aecd81cbd01f18718a2e0babffce726df16ad
SHA25646a17ffc7ea47093235473d7bac2460e34947ffbc695c5e5c6503ae31e145801
SHA512d1ad051b093997ffe05db59d4e46a12f270619b43494a75709f4dfd32062a26f3938f76af3ace8fbeea85e61b8188ecafd600324127f4169035448133250a48e
-
Filesize
143B
MD526132fb9275279ed2e0be0291b3fbaac
SHA1a52d4e46a22319d2f0faffada1d68c184240d1df
SHA2563b3e7d76d7245baaa7e6aaa8f1a760f67181cc5a3646e26f21489aa820ec6bc2
SHA512e4001c9f3e9e0f7df99e4b0c089e84385344c08d2cb9f5147cb957b1533e6f0f0a7381b017e922b7b3edd122653e40ba2c0d409b71f1e7401469fc2b90b74f6e
-
Filesize
7KB
MD54f69fa82c34c91514da21a5933644af8
SHA1e131f57f41ce95b46195d460852718b83517579a
SHA2567cd8b741bfaee5cd14779b69d71b362aac4c928097c6b4af8ce0ce16bde52a46
SHA512276588f960d28023febd87873c7852f401ab6ebfb3d90bf8b21b1998949d8ab00badb42d1a05934587aa6b4ad0ab06a3d649dcdb70f384ca70339049243463c4
-
Filesize
9KB
MD5dbd46bf2e72f6dfbb21295f4e3066d47
SHA1cdd6ca2f6455c1e528c40a520bcdb8669df8f548
SHA25671927f4f034db038385346e34209ad069139f54d73bae34bfaf4f29b7010fc6b
SHA512ad013387a0c7608375b7a3c5fdb27f0d9e79b051d84b1ee9221346499f386d30473b5e2727f6a4e8a8122cf8ac2d473a5ce5e368e62da09441ed48e5c088bd11
-
Filesize
1KB
MD5958217370aa43a176700027f14d8620d
SHA1301edce9b46a9b6d67378b83ef4c98c280c32e3e
SHA256d0f35efe4fda41b828ecfb10b17673d2b2a972476dea85204e45a4b9edda055f
SHA512283048c76f0b2eabcc69764dde29c75228f65630feb65df27379153b454dbf240dee2f967cb722904b3b570ea5d5570096d5320745522b4ccff86e6cc2dad5a8
-
Filesize
474B
MD549083dbce7187c5336d66b27117c2d50
SHA14c80cbf0199569526058280b8de371077676e3fe
SHA25654bc23c50fdd5f6096cd8199f8ced0caad7c4cf8b09a0e201f8961dcb75255a8
SHA512d750fbb708a8f72000d553aba01d444ce002cda9fdbed426c54ee6ce4a37863a2992af23df073d704fa253709ac9279880faacb401564b0e059ab1ec5a3cddcc
-
Filesize
231KB
MD55c2024a03bc2db942b729cf4d631ee43
SHA1cad97d69addfef893f4302dfa741e7aee60d0058
SHA25626b870e320dff2606108635af51212ee4f61f442e6aea9998b74d1036efb7db1
SHA512159d576653aaa442581295f7fc6a612f98b66ea2c487806363e35dd2c78425a8aac215b77fa5bbc2233e2c06622c4d576d2603ca4ad1866eff137916228af681
-
Filesize
64KB
MD5cbac52bb2b9e20b24ef7c47d7e9a4fa4
SHA117f20b8a479167e988a1a71ff05e9caf09a5ffc8
SHA256390b9fd28632280fd79a5e3f19b86cfe6634d90ede18e9e7aeef9d748f4683fa
SHA512d36305aa1ae3c04e9618ee4d82a89759d6f633cba17b29dc9b600464adc04e6cd8afa980bd663aed5291175001be82fb336bba68c344144f6d03bec75597f9b5
-
Filesize
64KB
MD5cbac52bb2b9e20b24ef7c47d7e9a4fa4
SHA117f20b8a479167e988a1a71ff05e9caf09a5ffc8
SHA256390b9fd28632280fd79a5e3f19b86cfe6634d90ede18e9e7aeef9d748f4683fa
SHA512d36305aa1ae3c04e9618ee4d82a89759d6f633cba17b29dc9b600464adc04e6cd8afa980bd663aed5291175001be82fb336bba68c344144f6d03bec75597f9b5
-
Filesize
185B
MD5e306a0be95a54a6455e7ed15466d5d81
SHA16cb2f94dee7cf4fefcf3b80f311e70fed747e2fd
SHA256685f6bbe7c8e99402adaf80dcde15110320d49ddf9c4c5d457a6a5601381b7a2
SHA51235c36e4f01803d4831939fbeae3566b9e58bf499bfe620a639b11da22b9892d7fa2db65f1cba6a7ffbc2f7aec296f9f74767e96c6585cadf5e347d0613dd23d5
-
Filesize
228KB
-
Filesize
228KB