Analysis
- max time kernel: 142s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/11/2022, 15:14
Static task: static1
Behavioral task: behavioral1
- Sample: ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe
- Resource: win10v2004-20220812-en
General
- Target: ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe
- Size: 354KB
- MD5: 1f04108924a073198369170e9ccec248
- SHA1: bb3e5f5f565c7ae0f588ea3e4c40b0ffcf91510c
- SHA256: ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7
- SHA512: a08f36fbfd6ddb8817417c6079fe3e1fdad0272624363b4a3a5f956c595b4398f9f41d802fbd92acb16412418bb732521c1d754f1a608d9ea819798b16e7e851
- SSDEEP: 3072:7ToHR8L1KwK9f7UgV4qJMEG5qzxb251AEwRnEsScv3qug0z:7TEqL1u9TUgV5Rpzxb2nsnXh
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid | Process
3060 | Pviwil.exe
4808 | Pviwil.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pviwil = "C:\\Users\\Admin\\AppData\\Roaming\\Pviwil.exe" | ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 388 set thread context of 1824 | 388 | ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe | 81
PID 3060 set thread context of 4808 | 3060 | Pviwil.exe | 83
Modifies Internet Explorer settings (30 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2197744830" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997956" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2202744939" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997956" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2202744939" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2197744830" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997956" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997956" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AE65B87B-69B7-11ED-89AC-E62BBF623C53} = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375812289" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1824 | ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe
1824 | ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
4756 | IEXPLORE.EXE
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4808 | Pviwil.exe
Token: SeDebugPrivilege | 444 | IEXPLORE.EXE
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
4756 | IEXPLORE.EXE
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
4756 | IEXPLORE.EXE
4756 | IEXPLORE.EXE
444 | IEXPLORE.EXE
444 | IEXPLORE.EXE
444 | IEXPLORE.EXE
444 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 388 wrote to memory of 1824 | 388 | ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe | 81
PID 388 wrote to memory of 1824 | 388 | ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe | 81
PID 388 wrote to memory of 1824 | 388 | ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe | 81
PID 388 wrote to memory of 1824 | 388 | ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe | 81
PID 388 wrote to memory of 1824 | 388 | ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe | 81
PID 388 wrote to memory of 1824 | 388 | ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe | 81
PID 388 wrote to memory of 1824 | 388 | ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe | 81
PID 388 wrote to memory of 1824 | 388 | ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe | 81
PID 1824 wrote to memory of 3060 | 1824 | ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe | 82
PID 1824 wrote to memory of 3060 | 1824 | ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe | 82
PID 1824 wrote to memory of 3060 | 1824 | ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe | 82
PID 3060 wrote to memory of 4808 | 3060 | Pviwil.exe | 83
PID 3060 wrote to memory of 4808 | 3060 | Pviwil.exe | 83
PID 3060 wrote to memory of 4808 | 3060 | Pviwil.exe | 83
PID 3060 wrote to memory of 4808 | 3060 | Pviwil.exe | 83
PID 3060 wrote to memory of 4808 | 3060 | Pviwil.exe | 83
PID 3060 wrote to memory of 4808 | 3060 | Pviwil.exe | 83
PID 3060 wrote to memory of 4808 | 3060 | Pviwil.exe | 83
PID 3060 wrote to memory of 4808 | 3060 | Pviwil.exe | 83
PID 4808 wrote to memory of 4860 | 4808 | Pviwil.exe | 84
PID 4808 wrote to memory of 4860 | 4808 | Pviwil.exe | 84
PID 4808 wrote to memory of 4860 | 4808 | Pviwil.exe | 84
PID 4860 wrote to memory of 4756 | 4860 | iexplore.exe | 85
PID 4860 wrote to memory of 4756 | 4860 | iexplore.exe | 85
PID 4756 wrote to memory of 444 | 4756 | IEXPLORE.EXE | 86
PID 4756 wrote to memory of 444 | 4756 | IEXPLORE.EXE | 86
PID 4756 wrote to memory of 444 | 4756 | IEXPLORE.EXE | 86
PID 4808 wrote to memory of 444 | 4808 | Pviwil.exe | 86
PID 4808 wrote to memory of 444 | 4808 | Pviwil.exe | 86
Processes
1. C:\Users\Admin\AppData\Local\Temp\ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe (PID 388)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe (PID 1824)
     Command line: C:\Users\Admin\AppData\Local\Temp\ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe
     - Adds Run key to start application
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Roaming\Pviwil.exe (PID 3060)
       Command line: "C:\Users\Admin\AppData\Roaming\Pviwil.exe"
       - Executes dropped EXE
       - Suspicious use of SetThreadContext
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Roaming\Pviwil.exe (PID 4808)
         Command line: C:\Users\Admin\AppData\Roaming\Pviwil.exe
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
        5. C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 4860)
           Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
           - Suspicious use of WriteProcessMemory
          6. C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 4756)
             Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
             - Modifies Internet Explorer settings
             - Suspicious behavior: GetForegroundWindowSpam
             - Suspicious use of FindShellTrayWindow
             - Suspicious use of SetWindowsHookEx
             - Suspicious use of WriteProcessMemory
            7. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 444)
               Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4756 CREDAT:17410 /prefetch:2
               - Modifies Internet Explorer settings
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: cb295ed32b0acd9eac87bcc961fb315a
  SHA1: a580f2d38c9d1611e25b6aaa3d79b54eb34d3ebe
  SHA256: 980abeaa872503211925db8acf8bdcdff0bc3c6deb2182fd698f6a444d2625be
  SHA512: 974f48bdfb8ea90a49cfa25cacc98c9a145702f4e4967dd6ffddd5eaee6144189499682e80b342708e04f812006314b04e5715492170d0f63c7b0530e9cd399a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 434B
  MD5: 68e06f56874544e073dfdc95247f8cb6
  SHA1: 12e5706084a251da32a1079ad3bd8718bf53a50b
  SHA256: 4d0a1a8120b3f782da004aaba32501ee69cb6fb516e42f2294417e297f603678
  SHA512: eb8a05ec4d76a31ed0f55e379d236ebe3a4ae90784f3afecc5fefdecd35a0b0bf2965bf892551433b6041b2d1edcf64bae1fe15b6e335edd4287af3f9a815cbc
- Filesize: 354KB
  MD5: 1f04108924a073198369170e9ccec248
  SHA1: bb3e5f5f565c7ae0f588ea3e4c40b0ffcf91510c
  SHA256: ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7
  SHA512: a08f36fbfd6ddb8817417c6079fe3e1fdad0272624363b4a3a5f956c595b4398f9f41d802fbd92acb16412418bb732521c1d754f1a608d9ea819798b16e7e851