Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

4af1f894b3...37.exe

windows7-x64

8

4af1f894b3...37.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/11/2022, 18:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4af1f894b3735602812e010e429183034a2450d21f98c8a1d1a34910052ebc37.exe

  • Size

    349KB

  • MD5

    349eec488fb1bac558c6df35a8b9f4f6

  • SHA1

    c905d5735a43afbb3ca47e47e7627ed3878f7ce7

  • SHA256

    4af1f894b3735602812e010e429183034a2450d21f98c8a1d1a34910052ebc37

  • SHA512

    0dd96ed854a2fd4d4397dd59c9b595a1aca339883052dc8bb8c85b5fd86f25ae4074a26de1e951047119aa390373835daae038f3860b343a3ef7993b6f726b8c

  • SSDEEP

    6144:ye34zV2nu/EJXAF8u1qBhGNy4909VezjiGF+nh9CUZLcb+FL79k:snEJXs1q2N1906jidGUZLcb+Fn9k

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4af1f894b3735602812e010e429183034a2450d21f98c8a1d1a34910052ebc37.exe
    "C:\Users\Admin\AppData\Local\Temp\4af1f894b3735602812e010e429183034a2450d21f98c8a1d1a34910052ebc37.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\EditPlus\kk53.icw"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4744
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk53.icw"
        3⤵
          PID:1924
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1388
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:1804
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4196
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4196 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3464

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\EditPlus\kk53.icw
        Filesize

        132B

        MD5

        da4c29b9c6ad4d8deeca78f6aa617e89

        SHA1

        46bbc86b6d7ad996a103679a9faa49a96fac30f5

        SHA256

        40805eb8f47416f3bc600f54cddb73e1daa82b65c9a8abdf9626010b61e1463f

        SHA512

        c61e9426f5ec789b371b5cf65de72f33b8e4aa057a29351c6f62c823aec69b23c9ea8397b931de0cfbd7c1f952c1d98bede36d65f5df7ef98a8a591e8fa31431

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsx8F74.tmp\System.dll
        Filesize

        11KB

        MD5

        c17103ae9072a06da581dec998343fc1

        SHA1

        b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

        SHA256

        dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

        SHA512

        d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsx8F74.tmp\nsExec.dll
        Filesize

        6KB

        MD5

        acc2b699edfea5bf5aae45aba3a41e96

        SHA1

        d2accf4d494e43ceb2cff69abe4dd17147d29cc2

        SHA256

        168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

        SHA512

        e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsx8F74.tmp\nsExec.dll
        Filesize

        6KB

        MD5

        acc2b699edfea5bf5aae45aba3a41e96

        SHA1

        d2accf4d494e43ceb2cff69abe4dd17147d29cc2

        SHA256

        168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

        SHA512

        e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        Filesize

        44KB

        MD5

        7c30927884213f4fe91bbe90b591b762

        SHA1

        65693828963f6b6a5cbea4c9e595e06f85490f6f

        SHA256

        9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

        SHA512

        8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        Filesize

        44KB

        MD5

        7c30927884213f4fe91bbe90b591b762

        SHA1

        65693828963f6b6a5cbea4c9e595e06f85490f6f

        SHA256

        9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

        SHA512

        8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk53.icw
        Filesize

        843B

        MD5

        187ee999528a5cd2449f56d525023e5d

        SHA1

        0fd376a3fed66818dc51ed9b90208a17fd53f240

        SHA256

        1385d5e7026687516e4cd115146d110c2b0bd456ba349f697cb4d1d740657729

        SHA512

        956a260f128dea87d20db444bcd168197c3cab15e942fba09994cd039ecde833cad5ce5ab0f1899de9f666bc869f6af30cf3f1e8fe5da0839ddd08a01d6bff82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll
        Filesize

        80KB

        MD5

        271d838f235c3d77964909b79e05cc3d

        SHA1

        e88316549fcbe9c4b4cec8001b63f439884974b9

        SHA256

        1919f130b200be8591051f325137fe0a976295c73f325853ca8167c7da53717e

        SHA512

        1a361ad7c4d9fe217a4fe9ae3056c09a2769941a1377cb91c414453c7cc0d54bc729fae3648c3369d619e86a2c2a2143894726fba657821dca482b8bf7a75419

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll
        Filesize

        80KB

        MD5

        271d838f235c3d77964909b79e05cc3d

        SHA1

        e88316549fcbe9c4b4cec8001b63f439884974b9

        SHA256

        1919f130b200be8591051f325137fe0a976295c73f325853ca8167c7da53717e

        SHA512

        1a361ad7c4d9fe217a4fe9ae3056c09a2769941a1377cb91c414453c7cc0d54bc729fae3648c3369d619e86a2c2a2143894726fba657821dca482b8bf7a75419

        Download Submit