Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2022, 18:26
Static task
static1
Behavioral task
behavioral1: sample f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe, resource win7-20220901-en
Behavioral task
behavioral2: sample f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe, resource win10v2004-20220901-en
General
Target: f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
Size: 176KB
MD5: 0d90878e9045e5be441a9f3d20f29b6e
SHA1: 864bf947a5b3b1a7e5f9b2215199ef21bb600e2d
SHA256: f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662
SHA512: cc56bcd683dd444192941b7ac3d74fba0e3dfb689b6c761663b6afae6b70d290ea7b301fb9da1b4e7ef2d006c8dae0d4ee7f605764ba909b52500e0ae2ebe595
SSDEEP: 3072:Dhh8C/nROzg7iiwJvXZETcbLn67kLpyRurohZbsn4KhWNUzMzGV5/bBD3ynrul1y:Vh7YU7iiwJvXZETcbLn6YLProhZbsn47
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bihag.exe
Executes dropped EXE 1 IoCs
pid | Process
692 | bihag.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, a likely geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
Adds Run key to start application 2 TTPs 54 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /s" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /x" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /U" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /T" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /H" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /B" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /D" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /m" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /Y" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /j" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /b" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /J" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /d" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /n" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /z" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /v" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /R" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /t" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /K" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /X" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /q" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /Q" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /F" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /O" | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /E" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /V" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /p" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /e" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /h" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /N" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /S" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /w" | bihag.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /a" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /u" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /c" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /i" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /y" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /W" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /Z" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /C" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /o" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /O" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /r" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /l" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /G" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /f" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /g" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /L" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /I" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /k" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /M" | bihag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bihag = "C:\\Users\\Admin\\bihag.exe /P" | bihag.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour, but no other signature in this report (file encryption, ransom note) corroborates that, so on its own it is a weak indicator.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1780 | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe (2 entries)
692 | bihag.exe (remaining 62 entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1780 | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
692 | bihag.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 1780 wrote to memory of 692 | 1780 | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe | 82
PID 1780 wrote to memory of 692 | 1780 | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe | 82
PID 1780 wrote to memory of 692 | 1780 | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe | 82
Processes
C:\Users\Admin\AppData\Local\Temp\f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
command line: "C:\Users\Admin\AppData\Local\Temp\f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe"
PID: 1780 (depth 1)
- Modifies visibility of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\bihag.exe (child of PID 1780)
    command line: "C:\Users\Admin\bihag.exe"
    PID: 692 (depth 2)
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 176KB
MD5: 5861d95915a08a7a10f30f053b47d639
SHA1: 5860a3ef22a101d8f2cb1fc447ebf92d228957dc
SHA256: dc3161501f52a554385bfdfb994f961c69ebac0343eaa27e95f2fb6fb4a85ce1
SHA512: 16d07836ab323fa69613873fb55e2f8f39e6fb72a997432e80a5d4f8a166e78cd2a5244d2a392b59a653b76314ea77385756ab05c54c62bce8949efbbce4dca0
(Same size as the submitted sample but different hashes, so this is a distinct file.)