Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

bd614704d0...03.exe

windows7-x64

1

bd614704d0...03.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/11/2022, 20:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bd614704d03ecf52c81eb6d21f1d09872fe2da890ff3a62f67dbe991fa835e03.exe

  • Size

    54KB

  • MD5

    0624ea1569b397f4be8738dc38d06190

  • SHA1

    20642f4eb4d95e174195086c8eab7d77f534955e

  • SHA256

    bd614704d03ecf52c81eb6d21f1d09872fe2da890ff3a62f67dbe991fa835e03

  • SHA512

    6679bebebf3d56da5896a6ce532cee8e96b5a2993828cc86c136f8f2acfe9d48dc5f4bab4d237770b39ff42fcff6acd26edf8879787aab309ff12ef53057c04b

  • SSDEEP

    768:sVKm4GV4ujtuYgFC5IjezJckOyLb172+oEFZ0TORX3iSHWIwjkdLv/kcH5hUDrpe:sQKV1MyVckOG12TGX1HxwjkVnDhI+H1

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd614704d03ecf52c81eb6d21f1d09872fe2da890ff3a62f67dbe991fa835e03.exe
    "C:\Users\Admin\AppData\Local\Temp\bd614704d03ecf52c81eb6d21f1d09872fe2da890ff3a62f67dbe991fa835e03.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4528
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start_max_bat.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat
        3⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:4500
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
          4⤵
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          PID:1564
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
          4⤵
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          PID:340
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f
          4⤵
            PID:3488
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
            4⤵
            • Modifies registry class
            PID:112
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f
            4⤵
            • Modifies registry class
            PID:228
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
            4⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:3540
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp
            4⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:3528
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf
            4⤵
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:1108
            • C:\Windows\SysWOW64\runonce.exe
              "C:\Windows\system32\runonce.exe" -r
              5⤵
              • Checks processor information in registry
              • Suspicious use of WriteProcessMemory
              PID:3868
              • C:\Windows\SysWOW64\grpconv.exe
                "C:\Windows\System32\grpconv.exe" -o
                6⤵
                  PID:3744
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32 D:\VolumeDH\inj.dat,MainLoad
              4⤵
                PID:2432
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4964
                • C:\PROGRA~1\INTERN~1\iexplore.exe
                  C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
                  5⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:4244
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4244 CREDAT:17410 /prefetch:2
                    6⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:484
                • C:\Windows\SysWOW64\rundll32.exe
                  rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf
                  5⤵
                    PID:4100
            • C:\Users\Admin\AppData\Local\Temp\inlE33E.tmp
              C:\Users\Admin\AppData\Local\Temp\inlE33E.tmp
              2⤵
              • Executes dropped EXE
              • Checks computer location settings
              PID:3256
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\BD6147~1.EXE > nul
              2⤵
                PID:4048

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\PROGRA~1\INTERN~1\IEFRAME.dll
              Filesize

              5.8MB

              MD5

              181acfc0cf7f3aea609d1e86619ddda8

              SHA1

              15bcdf20c614f39550f550248ebb5954f37b7ec6

              SHA256

              a1d6856fa8730e935788686694a6c5d3a8fc2130a94bde75fe3aadf584ee58cc

              SHA512

              d058d80e38d5703f8a36844ca032c4fb9ba37ba90ee20659555a9b6b3ced26e5653b0223d5c888962ec642d5ff8eaf41e84fab69ee554556dd1ec273580dc787

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
              Filesize

              471B

              MD5

              e32d02ce684c01ef3af05fae9066160e

              SHA1

              29c7a6e8ed553ac2765634265d1db041d6d422ec

              SHA256

              b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

              SHA512

              e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
              Filesize

              434B

              MD5

              a596306e119dc0f1e8d2527ad11ee94d

              SHA1

              fff0880823b9bd6ed6163ef9b4eb5e94b02dea90

              SHA256

              5ac6207033ae9543453d9de920a06a36a9a665320644fb3dfa29d5671e958f6e

              SHA512

              69c0a7e5354713e4316ff7540cd2e0bfde121fd9ab20de8e549022c10a0aa05d5d0e3aec4a7880f9022d1fc7c6d26604b4d26fda38e96ad083c43c039b67054d

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ru1r3yf\imagestore.dat
              Filesize

              1KB

              MD5

              6d317779c46d365168c1c67bd1638418

              SHA1

              71f0d1901d5c29cf1d4c6d833abe49f4e4efd212

              SHA256

              c1e5c6d7648c401784d987cd5af70c638684f02f99562621bf95914656ef9b69

              SHA512

              b67d84451ea9ae12fae33fad9a91630bc337de244a23de4fc6b2d80db70c851d2abf993f03f6a4a1228f3131f357583d7059e228ebfb3d6290ec114de388e699

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp
              Filesize

              791B

              MD5

              1706b41fd446b5718a8419c0fcb35d55

              SHA1

              d9bb8df22acdc60c754ac14982cf795df3b1b815

              SHA256

              5c6d11ac3f220f8286455764ab2581dcb6554692d3b9974b097364d77edb3943

              SHA512

              68c9f6170ecdfcc79fc63cb646901d2ac52a915620b159047b2c93761c261897eb5ecc15065635105637a61a840d393104c15ea8268897fb8bb2fbc1a56c626e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\inlE33E.tmp
              Filesize

              57.2MB

              MD5

              9b002afffae7ad24d4d32aa661689271

              SHA1

              df2f16c4022aa50a017de7925761ed28311f0b42

              SHA256

              167ea2ce28250c9cc5d1270b87f8151fa509d148469de6faf578a34e0778a5c6

              SHA512

              42a91d33d0ff653a4d10c984197e62dd7707e389bfe968ba4a0edde340bd76b2f682b7f11187e8edcb096449491ed99455460c34b8ddb5d4cb4e49e6a0f68944

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\inlE33E.tmp
              Filesize

              57.2MB

              MD5

              9b002afffae7ad24d4d32aa661689271

              SHA1

              df2f16c4022aa50a017de7925761ed28311f0b42

              SHA256

              167ea2ce28250c9cc5d1270b87f8151fa509d148469de6faf578a34e0778a5c6

              SHA512

              42a91d33d0ff653a4d10c984197e62dd7707e389bfe968ba4a0edde340bd76b2f682b7f11187e8edcb096449491ed99455460c34b8ddb5d4cb4e49e6a0f68944

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\start_max_bat.bat
              Filesize

              54B

              MD5

              504490369970f1c0eb580afbcdf91618

              SHA1

              b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971

              SHA256

              a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43

              SHA512

              5495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad

              Download Submit

            • C:\Users\Admin\AppData\Roaming\redload\1.bat
              Filesize

              3KB

              MD5

              493c22f6b15f9766ae7c23794fc77da0

              SHA1

              43723ba660dbc1486f717441b58298d33b9f2048

              SHA256

              478b8c2f0dc23db49d62f987ca5e01afde54d7abff647894ad2e38f9d7fde182

              SHA512

              662644aeef7666b23b90b6ce08ea8271a7cb7379bad6920434d045fdcbbcd48b4bbb65620ac4a5c347e376ecf2ff60e115b869c74a28ca7776cf6fc83b01df34

              Download Submit

            • C:\Users\Admin\AppData\Roaming\redload\1.inf
              Filesize

              410B

              MD5

              66a1f0147fed7ddd19e9bb7ff93705c5

              SHA1

              9d803c81ea2195617379b880b227892ba30b0bf6

              SHA256

              4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

              SHA512

              cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

              Download Submit

            • C:\Users\Admin\AppData\Roaming\redload\2.bat
              Filesize

              3KB

              MD5

              9432a2ddfba23a3e865bccdd0ef9a99d

              SHA1

              22b55a76e3460122dd0325d5d674b8823bb163e9

              SHA256

              b70153c2e23a208a2526e289ef2741c3a35f1bd38d43a1f69b356eb12e84ec15

              SHA512

              ec2a107efaace4d2f26edcf3e3b5619d3c7b51040c3575d61d07892b04af5dd9a55ff535b95b096edcb8abc5d9b232b5be763db5bc2e6f9456b0d3a347074e44

              Download Submit

            • C:\Users\Admin\AppData\Roaming\redload\2.inf
              Filesize

              248B

              MD5

              2197ffb407fb3b2250045c084f73b70a

              SHA1

              3d0efbacba73ac5e8d77f0d25d63fc424511bcf6

              SHA256

              a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591

              SHA512

              b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe

              Download Submit

            • C:\Users\Admin\AppData\Roaming\redload\4.bat
              Filesize

              5.8MB

              MD5

              181acfc0cf7f3aea609d1e86619ddda8

              SHA1

              15bcdf20c614f39550f550248ebb5954f37b7ec6

              SHA256

              a1d6856fa8730e935788686694a6c5d3a8fc2130a94bde75fe3aadf584ee58cc

              SHA512

              d058d80e38d5703f8a36844ca032c4fb9ba37ba90ee20659555a9b6b3ced26e5653b0223d5c888962ec642d5ff8eaf41e84fab69ee554556dd1ec273580dc787

              Download Submit

            • memory/4244-171-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-192-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-160-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-164-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-166-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-165-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-168-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-169-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-170-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-225-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-172-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-173-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-174-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-176-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-178-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-180-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-181-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-182-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-183-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-184-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-186-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-189-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-191-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-190-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-161-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-193-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-194-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-195-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-196-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-200-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-201-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-202-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-203-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-204-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-209-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-210-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-211-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-212-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-213-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-214-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-216-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-224-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4244-219-0x00007FFFCF440000-0x00007FFFCF4AE000-memory.dmp

              Filesize

              440KB

              Download

            • memory/4528-218-0x0000000000BD0000-0x0000000000BF5000-memory.dmp

              Filesize

              148KB

              Download

            • memory/4528-134-0x0000000000BD0000-0x0000000000BF5000-memory.dmp

              Filesize

              148KB

              Download

            • memory/4528-133-0x0000000000D50000-0x0000000000D53000-memory.dmp

              Filesize

              12KB

              Download

            • memory/4528-132-0x0000000000BD0000-0x0000000000BF5000-memory.dmp

              Filesize

              148KB

              Download