Analysis
Max time kernel: 152s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07/11/2022, 01:18

Static task: static1
Behavioral task: behavioral1
  Sample: 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe
  Resource: win10v2004-20220812-en
The signatures and process tree below come from behavioral2, the Windows 10 2004 x64 run named in the platform field; the results of the Windows 7 task are not on this page.
General
Target: 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe
Size: 323KB
MD5: 060bbbcd3963eb24d07ca1de2f85c670
SHA1: c69df2e3b28fc02926c26e25ccef95c8543886db
SHA256: 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae
SHA512: a3419b46e63aabf730ee61a172e315608f6841caadf4a014c8a162676028cc424720033ddede6d040e5327d86d3d8c8ff5aa721297b54d404a38c1792b2dec8e
SSDEEP: 6144:MDRgvR2pZRhXQLOzSE8x2OZZGDvMOjWkfJBpybuqq0K5Mxn:MDRTXjXQ6zSE8xnavjKkfJ7yFq0K5yn
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) by wserver.exe:
  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Windows\\SysWOW64\\Windows Server\\wserver.exe\""
  The Shell value is a comma-separated list of programs Winlogon starts for this user. explorer.exe is kept first so the desktop looks normal, and the dropped wserver.exe is started alongside it at every logon of this account.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int) by wserver.exe:
  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  ShowSuperHidden = 0 makes Explorer hide files carrying the hidden and system attributes, so a dropped binary marked that way does not appear when the user browses its directory.
Executes dropped EXE (2 IoCs)
  PID 4152 wserver.exe
  PID 2024 wserver.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
All entries are written by wserver.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>. When an image that has a matching subkey is started, Windows launches the program named in that subkey's Debugger value and passes it the original command line. Here every Debugger is set to "nqij.exe", a file the report never shows being dropped, so the targeted programs simply fail to start. The names cover Windows Defender / Security Essentials (MsMpEng.exe, MpCmdRun.exe, MSASCui.exe, msseces.exe), Kaspersky (avp.exe), Avast, AVG, Avira, Bitdefender (bdagent.exe), ESET (egui.exe), Malwarebytes (mbam*.exe), Spybot (SD*.exe, spybotsd.exe) and ZoneAlarm (zlclient.exe), plus analysis and recovery tools: wireshark.exe, hijackthis.exe, ComboFix.exe, keyscrambler.exe and rstrui.exe (the System Restore UI). The table is capped at 64 rows, so the two lists below do not pair up exactly.

  Set value (str) <image>\Debugger = "nqij.exe" for 29 images:
  AvastSvc.exe, AvastUI.exe, ComboFix.exe, MSASCui.exe, MpCmdRun.exe, MsMpEng.exe, SDFiles.exe, SDMain.exe, SDWinSec.exe, avcenter.exe, avconfig.exe, avgidsagent.exe, avgnt.exe, avguard.exe, avgui.exe, avgwdsvc.exe, avp.exe, bdagent.exe, blindman.exe, egui.exe, hijackthis.exe, instup.exe, keyscrambler.exe, mbam.exe, mbampt.exe, mbamscheduler.exe, msseces.exe, rstrui.exe, zlclient.exe

  Key created for 34 images:
  AvastSvc.exe, AvastUI.exe, ComboFix.exe, MSASCui.exe, MpCmdRun.exe, MsMpEng.exe, SDFiles.exe, SDMain.exe, SDWinSec.exe, avcenter.exe, avgcsrvx.exe, avgidsagent.exe, avgnt.exe, avgrsx.exe, avguard.exe, avgui.exe, avp.exe, bdagent.exe, blindman.exe, ccuac.exe, egui.exe, hijackthis.exe, instup.exe, keyscrambler.exe, mbam.exe, mbampt.exe, mbamscheduler.exe, mbamservice.exe, msseces.exe, rstrui.exe, spybotsd.exe, wireshark.exe, wserver.exe, zlclient.exe

  Set value (str) wserver.exe\DisableExceptionChainValidation (data not shown in the report)
  This is the per-image SEHOP switch, written for the malware's own image name.
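The three signatures above (Winlogon Shell, ShowSuperHidden and the IFEO Debugger values) are all plain registry writes, so one parser can turn the report's IoC rows into findings. The Python below is an added example, not code from the Triage report or from the sample. SAMPLE_IOCS is constructed from a subset of the rows above, the regex assumes Triage's `<op> <path>[ = "<data>"] <process>` row layout, and the ATT&CK IDs are the Enterprise matrix entries for IFEO injection (T1546.012), Winlogon helper (T1547.004) and hidden files (T1564.001).

```python
"""Classify Triage-style registry IoC rows into triage findings.

Added example; not code from the Triage report or from the sample.
SAMPLE_IOCS is constructed from the report's "Set value" / "Key created"
rows. ATT&CK IDs: T1546.012 (IFEO Injection), T1547.004 (Winlogon
Helper), T1564.001 (Hidden Files and Directories).
"""
import csv
import re

IFEO_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")

# Assumed row layout: "<op> <registry path>[ = "<data>"] <acting process>".
LINE_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>.*)")?'
    r'\s+(?P<proc>\S+)$'
)

# Constructed sample: a subset of the report's registry IoCs, one per line.
SAMPLE_IOCS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Windows\\SysWOW64\\Windows Server\\wserver.exe\"" wserver.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" wserver.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe wserver.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = "nqij.exe" wserver.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "nqij.exe" wserver.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "nqij.exe" wserver.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe wserver.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wserver.exe wserver.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wserver.exe\DisableExceptionChainValidation wserver.exe
'''


def unescape(s):
    """Undo the C-style escaping Triage applies to value data (backslash-quote, double backslash)."""
    out, chars = [], iter(s)
    for ch in chars:
        out.append(next(chars, "") if ch == "\\" else ch)
    return "".join(out)


def split_shell(value):
    """Winlogon Shell is a comma-separated list; quoted entries may contain spaces or commas."""
    fields = next(csv.reader([value], skipinitialspace=True))
    return [f.strip() for f in fields if f.strip()]


def parse_ioc(line):
    """Return the row's fields as a dict, or None if the line is not an IoC row."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ioc = m.groupdict()
    if ioc["data"] is not None:
        ioc["data"] = unescape(ioc["data"])
    return ioc


def analyse(text):
    result = {
        "ifeo_debuggers": {},     # image name -> binary Windows starts instead of it
        "ifeo_other_values": {},  # image name -> other IFEO value names written
        "ifeo_keys": set(),       # IFEO subkeys created (a key alone is not yet a hijack)
        "winlogon_extra_shells": [],
        "show_super_hidden": None,
        "findings": [],
    }
    for line in text.splitlines():
        ioc = parse_ioc(line)
        if ioc is None:
            continue
        path, data, lower = ioc["path"], ioc["data"], ioc["path"].lower()
        if lower.startswith(IFEO_KEY.lower() + "\\"):
            image, *value = path[len(IFEO_KEY) + 1:].split("\\")
            if not value:
                result["ifeo_keys"].add(image)
            elif value[0].lower() == "debugger":
                result["ifeo_debuggers"][image] = data
                result["findings"].append(
                    f"T1546.012 IFEO: starting {image} runs {data!r} instead")
            else:
                result["ifeo_other_values"].setdefault(image, []).append(value[0])
        elif lower.endswith(r"\winlogon\shell"):
            extras = [e for e in split_shell(data) if e.lower() != "explorer.exe"]
            result["winlogon_extra_shells"] = extras
            result["findings"] += [f"T1547.004 Winlogon Shell also starts {e}" for e in extras]
        elif lower.endswith(r"\advanced\showsuperhidden"):
            result["show_super_hidden"] = int(data)
            if result["show_super_hidden"] == 0:
                result["findings"].append("T1564.001 Explorer set to hide protected OS files")
    return result


if __name__ == "__main__":
    for finding in analyse(SAMPLE_IOCS)["findings"]:
        print(finding)
```

Running the file prints one finding per hijacked image plus the Winlogon and Explorer entries; the IFEO subkeys that only appear as "Key created" are kept separately, since without a Debugger value they do not redirect anything.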
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried by 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe:
  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Drops file in System32 directory (3 IoCs)
  File opened for modification: C:\Windows\SysWOW64\Windows Server\ (8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe)
  File created: C:\Windows\SysWOW64\Windows Server\wserver.exe (8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe)
  File opened for modification: C:\Windows\SysWOW64\Windows Server\wserver.exe (8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe)
Suspicious use of SetThreadContext (2 IoCs)
  PID 4960 (8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe) set thread context of PID 4736 (procid_target 80)
  PID 4152 (wserver.exe) set thread context of PID 2024 (procid_target 82)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4960 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe: 2 entries
  PID 4152 wserver.exe: 2 entries
  PID 2024 wserver.exe: the remaining 60 entries
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2024 wserver.exe
Suspicious behavior: RenamesItself (1 IoC)
  PID 4736 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 4960 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe
  Token: SeDebugPrivilege  PID 4152 wserver.exe
  Token: SeDebugPrivilege  PID 2024 wserver.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2024 wserver.exe
Suspicious use of WriteProcessMemory (19 IoCs)
  PID 4960 (8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe) wrote to memory of PID 4736 (procid_target 80): 8 times
  PID 4736 (8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe) wrote to memory of PID 4152 (procid_target 81): 3 times
  PID 4152 (wserver.exe) wrote to memory of PID 2024 (procid_target 82): 8 times
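The SetThreadContext and WriteProcessMemory tables above name the same parent-to-child pairs. Correlating the two signatures per pair, and checking whether the child runs the same image as its parent, separates the write-then-redirect sequence of process hollowing from the few writes a parent normally makes into a child it has just created. The Python below is an added example, not code from the Triage report or from the sample; PROCESSES and SAMPLE_EVENTS are constructed from the report's process list and the two tables, the regex assumes Triage's `PID <src> <verb> <dst> <src> <image> <target>` row layout, and the severity grades are this example's own rule of thumb.

```python
"""Correlate Triage "wrote to memory of" / "set thread context of" rows per (parent, child) pair.

Added example; not code from the Triage report or from the sample. PROCESSES and
SAMPLE_EVENTS are constructed from the report's process list and signature tables,
with repeated IoCs kept as repeated lines.
"""
import re
from collections import defaultdict

SAMPLE_EXE = "8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe"

# PID -> image name, taken from the report's "Processes" section.
PROCESSES = {4960: SAMPLE_EXE, 4736: SAMPLE_EXE, 4152: "wserver.exe", 2024: "wserver.exe"}

# Assumed row layout: "PID <src> <verb> <dst> <src> <src image> <target index>".
EVENT_RE = re.compile(
    r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) \d+$")

# Constructed from the two signature tables: 2 SetThreadContext rows, 19 WriteProcessMemory rows.
SAMPLE_EVENTS = "\n".join(
    [f"PID 4960 set thread context of 4736 4960 {SAMPLE_EXE} 80",
     "PID 4152 set thread context of 2024 4152 wserver.exe 82"]
    + [f"PID 4960 wrote to memory of 4736 4960 {SAMPLE_EXE} 80"] * 8
    + [f"PID 4736 wrote to memory of 4152 4736 {SAMPLE_EXE} 81"] * 3
    + ["PID 4152 wrote to memory of 2024 4152 wserver.exe 82"] * 8
)


def correlate(text, processes):
    """Count writes and context changes per (src, dst) pair and grade each pair."""
    counts = defaultdict(lambda: {"writes": 0, "context": 0})
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, verb, dst = int(m[1]), m[2], int(m[3])
        counts[(src, dst)]["writes" if verb.startswith("wrote") else "context"] += 1

    verdicts = []
    for (src, dst), c in sorted(counts.items()):
        src_img, dst_img = processes.get(src, "?"), processes.get(dst, "?")
        same_image = src_img.lower() == dst_img.lower()
        if c["writes"] and c["context"]:
            # Write into the child, then redirect its thread: the RunPE / hollowing sequence.
            severity = "high"
            kind = ("hollowing of a same-image child" if same_image
                    else "injection into a child with a different image")
        elif c["context"]:
            severity = "medium"
            kind = "thread context changed without observed writes"
        else:
            # A few writes from a parent into a child it just created also happen during
            # ordinary process creation, so writes alone are weak evidence (assumption).
            severity = "low"
            kind = "memory writes only"
        verdicts.append({"src": src, "dst": dst, "src_image": src_img, "dst_image": dst_img,
                         "writes": c["writes"], "context": c["context"],
                         "severity": severity, "kind": kind})
    return verdicts


def execution_chain(verdicts):
    """Follow src -> dst edges from the root process to recover the staging order."""
    nxt = {v["src"]: v["dst"] for v in verdicts}
    chain = []
    for root in sorted(set(nxt) - set(nxt.values())):
        pid = root
        while pid is not None and pid not in chain:
            chain.append(pid)
            pid = nxt.get(pid)
    return chain


if __name__ == "__main__":
    verdicts = correlate(SAMPLE_EVENTS, PROCESSES)
    for v in verdicts:
        print(f'{v["severity"]:6} {v["src"]} -> {v["dst"]}  writes={v["writes"]} '
              f'context={v["context"]}  {v["kind"]}')
    print("chain:", " -> ".join(map(str, execution_chain(verdicts))))
```

On the report's rows this grades 4960 -> 4736 and 4152 -> 2024 as high (same image, writes plus a context change) and 4736 -> 4152 as low (three writes from the dropper into the freshly launched wserver.exe, no SetThreadContext), and recovers the chain 4960 -> 4736 -> 4152 -> 2024.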
Processes
1. C:\Users\Admin\AppData\Local\Temp\8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe (PID 4960)
   Command line: "C:\Users\Admin\AppData\Local\Temp\8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe (PID 4736), child of 4960
      Command line: "C:\Users\Admin\AppData\Local\Temp\8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe"
      - Checks computer location settings
      - Drops file in System32 directory
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\Windows Server\wserver.exe (PID 4152), child of 4736
         Command line: "C:\Windows\system32\Windows Server\wserver.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\Windows Server\wserver.exe (PID 2024), child of 4152
            Command line: "C:\Windows\SysWOW64\Windows Server\wserver.exe"
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Sets file execution options in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

Read top to bottom, the tree is two unpack stages of the same shape. PID 4960 starts a second copy of its own image (4736), writes into it and resets its thread context, the sequence of process hollowing. That copy renames itself, drops wserver.exe and starts it (4152), and 4152 repeats the write-then-SetThreadContext sequence on a child copy of wserver.exe (2024). Only that final child performs the Winlogon, Explorer and IFEO registry changes. The command line at level 3 names C:\Windows\system32\, while the file and the process image are in C:\Windows\SysWOW64\: the sample runs as a 32-bit process, so WOW64 file-system redirection maps system32 to SysWOW64 for it.
Network
MITRE ATT&CK Enterprise v6
Downloads
  (listed three times on the page; every entry carries the same hashes as the submitted sample)
  Filesize: 323KB
  MD5: 060bbbcd3963eb24d07ca1de2f85c670
  SHA1: c69df2e3b28fc02926c26e25ccef95c8543886db
  SHA256: 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae
  SHA512: a3419b46e63aabf730ee61a172e315608f6841caadf4a014c8a162676028cc424720033ddede6d040e5327d86d3d8c8ff5aa721297b54d404a38c1792b2dec8e