Analysis
- max time kernel: 153s
- max time network: 51s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26/11/2022, 00:36
Static task: static1
Behavioral task: behavioral1
- Sample: be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
- Resource: win10v2004-20221111-en
General
- Target: be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
- Size: 2.1MB
- MD5: 3329f833ac31ac3878721f49e181393d
- SHA1: 47b79d529e61c1b41c27a53b9c0e886a6f50a1df
- SHA256: be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc
- SHA512: 29d2bb7cd8fcbd22dd6116ca3a75396bd045e9ad5b38cf3a699d4cdb0597e4b86af82662c11dbc8e0c266258fa648ac26768f111cc865f062e989c3055e5c95f
- SSDEEP: 24576:ptKb3axCoJgKuA0p1kXH2YNRRWH15ZYSR3T1i2UsDHMZWlZUgbVi0TD5mYbt7E:E3eCauJEN+nZYSp1i2UsQKZUaiqUCx
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.1.1
- C2: businessdb04.no-ip.biz:9400
- C2: businessdb02.noip.me:9400
- Mutex: c31c026e-c64b-4780-aa3d-297739f57e00
Attributes
- activate_away_mode: true
- backup_connection_host: businessdb02.noip.me
- backup_dns_server: (empty)
- buffer_size: 65535
- build_time: 2014-11-14T21:30:41.201157736Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 9400
- default_group: USA
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: c31c026e-c64b-4780-aa3d-297739f57e00
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: businessdb04.no-ip.biz
- primary_dns_server: (empty)
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.1.1
- wan_timeout: 8000
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\windows.exe" | reg.exe
-
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2028 set thread context of 1600 | 2028 | be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe | 30
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
pid | Process
1712 | timeout.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process | occurrences
2028 | be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe | 6
1600 | be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe | 2
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1600 | be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2028 | be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
Token: SeDebugPrivilege | 1600 | be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
-
Suspicious use of WriteProcessMemory 33 IoCs
(identical rows collapsed; the occurrences column gives the repeat count, 33 in total)
description | pid | Process | procid_target | occurrences
PID 2028 wrote to memory of 280 | 2028 | be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe | 27 | 4
PID 2028 wrote to memory of 1600 | 2028 | be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe | 30 | 9
PID 280 wrote to memory of 1532 | 280 | cmd.exe | 29 | 4
PID 1532 wrote to memory of 564 | 1532 | wscript.exe | 31 | 4
PID 564 wrote to memory of 240 | 564 | cmd.exe | 33 | 4
PID 2028 wrote to memory of 1708 | 2028 | be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe | 34 | 4
PID 1708 wrote to memory of 1712 | 1708 | cmd.exe | 36 | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe (PID 2028, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 280, depth 2)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wscript.exe (PID 1532, depth 3)
      Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 564, depth 4)
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe (PID 240, depth 5)
          Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\windows.exe" /f
          - Modifies WinLogon for persistence
  - C:\Users\Admin\AppData\Local\Temp\be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe (PID 1600, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 1708, depth 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\svhost.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 1712, depth 3)
      Command line: timeout /t 300
      - Delays execution with timeout.exe