Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/11/2022, 19:51

Static task: static1

Behavioral task: behavioral1
- Sample: 57e1b15cbdcc6fe5308ef05e1686bff246f3460b19d4f521e27a0579bd1738c5.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 57e1b15cbdcc6fe5308ef05e1686bff246f3460b19d4f521e27a0579bd1738c5.exe
- Resource: win10v2004-20220812-en
General
- Target: 57e1b15cbdcc6fe5308ef05e1686bff246f3460b19d4f521e27a0579bd1738c5.exe
- Size: 284KB
- MD5: 04d173a9e11d4c4116d495df2d9a6660
- SHA1: 2d99f8c5c95a557644c7d6c303510520cb0ff255
- SHA256: 57e1b15cbdcc6fe5308ef05e1686bff246f3460b19d4f521e27a0579bd1738c5
- SHA512: d77e16b2003284e22f6683ab529dc84908dd1dc0458b5126c3852bdf90a87308bec5b8b53181cd1aea830489f32fe6c91ba30bebf92412484a338c1a1103c60e
- SSDEEP: 3072:mSQ0EWVwZhKxC5Rt+k60Zh+qw6PYSsszfHZTZJ2lC:mPA6wxmuJspr2l
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\13942 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msgiidbcf.bat" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe

Executes dropped EXE (3 IoCs)
pid | Process
3656 | skyrpe.exe
2128 | skyrpe.exe
4212 | skyrpe.exe

UPX-packed memory regions (yara rule matches)
resource | yara_rule
behavioral2/memory/3696-135-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3696-137-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3696-138-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3696-141-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3696-150-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3696-164-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/2128-167-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/2128-168-0x0000000000400000-0x000000000040B000-memory.dmp | upx

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 57e1b15cbdcc6fe5308ef05e1686bff246f3460b19d4f521e27a0579bd1738c5.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Roaming\\skype\\skyrpe.exe" | reg.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | skyrpe.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | skyrpe.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1080 set thread context of 3696 | 1080 | 57e1b15cbdcc6fe5308ef05e1686bff246f3460b19d4f521e27a0579bd1738c5.exe | 87
PID 3656 set thread context of 2128 | 3656 | skyrpe.exe | 93
PID 3656 set thread context of 4212 | 3656 | skyrpe.exe | 94

Drops file in Program Files directory (1 IoCs)
description | ioc | Process
File created | C:\PROGRA~3\LOCALS~1\Temp\msgiidbcf.bat | svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4212 | skyrpe.exe
4212 | skyrpe.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
4212 | skyrpe.exe

Suspicious use of AdjustPrivilegeToken (50 IoCs)
description | pid | Process | occurrences
Token: SeDebugPrivilege | 2128 | skyrpe.exe | 50 (identical entries)

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
1080 | 57e1b15cbdcc6fe5308ef05e1686bff246f3460b19d4f521e27a0579bd1738c5.exe
3696 | 57e1b15cbdcc6fe5308ef05e1686bff246f3460b19d4f521e27a0579bd1738c5.exe
3656 | skyrpe.exe
2128 | skyrpe.exe

Suspicious use of WriteProcessMemory (34 IoCs)
description | pid | Process | procid_target | occurrences
PID 1080 wrote to memory of 3696 | 1080 | 57e1b15cbdcc6fe5308ef05e1686bff246f3460b19d4f521e27a0579bd1738c5.exe | 87 | 8
PID 3696 wrote to memory of 5096 | 3696 | 57e1b15cbdcc6fe5308ef05e1686bff246f3460b19d4f521e27a0579bd1738c5.exe | 88 | 3
PID 5096 wrote to memory of 1456 | 5096 | cmd.exe | 91 | 3
PID 3696 wrote to memory of 3656 | 3696 | 57e1b15cbdcc6fe5308ef05e1686bff246f3460b19d4f521e27a0579bd1738c5.exe | 92 | 3
PID 3656 wrote to memory of 2128 | 3656 | skyrpe.exe | 93 | 8
PID 3656 wrote to memory of 4212 | 3656 | skyrpe.exe | 94 | 6
PID 4212 wrote to memory of 3396 | 4212 | skyrpe.exe | 95 | 3
Processes (tree; depth shown by indentation)
- C:\Users\Admin\AppData\Local\Temp\57e1b15cbdcc6fe5308ef05e1686bff246f3460b19d4f521e27a0579bd1738c5.exe (PID 1080)
  Command line: "C:\Users\Admin\AppData\Local\Temp\57e1b15cbdcc6fe5308ef05e1686bff246f3460b19d4f521e27a0579bd1738c5.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\57e1b15cbdcc6fe5308ef05e1686bff246f3460b19d4f521e27a0579bd1738c5.exe (PID 3696)
    Command line: "C:\Users\Admin\AppData\Local\Temp\57e1b15cbdcc6fe5308ef05e1686bff246f3460b19d4f521e27a0579bd1738c5.exe"
    Signatures: Checks computer location settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 5096)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VLMJS.bat" "
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1456)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe" /f
        Signatures: Adds Run key to start application
    - C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe (PID 3656)
      Command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe (PID 2128)
        Command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe (PID 4212)
        Command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
        Signatures: Executes dropped EXE; Maps connected drives based on registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\svchost.exe (PID 3396)
          Command line: C:\Windows\syswow64\svchost.exe
          Signatures: Adds policy Run key to start application; Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 139B
  MD5: 0654f004b2e314bad7f75867e91da37d
  SHA1: 4232c22e7340b12108d86e3cb35ed288a3dbc7f1
  SHA256: ead325a060300a9606a3f0f14694be39a3e4006a60c6c3eb0bea5d6f98192249
  SHA512: dda135cdfca90a742d42b4c7a5e7f5df6580ec428302a8f0c311f5b92eb08dda75774e0c7497110faffbe2dfa02b30d2dfe35ec2848a275f53be8d930c7aa553
- Filesize: 284KB
  MD5: e80a828436452814a8a1871cf4f2a08d
  SHA1: b9c9c22835ad0ff0689ca6d968895be0edb428f7
  SHA256: 27d9bdf225098d9260a9ebbda53c7969c701dcb6ab0e2f6324108b79e1bde0e5
  SHA512: 9b0aa6bb0dd37bad418d0d18b6def4e8ad7e660174cb33aff038035efcf3d3c03af0a16e77bfb729b1aee5e192ca152aaa89f211fb1d31a8917579cb3b38eace