Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
1100.exe
windows7-x64
8100.exe
windows10-2004-x64
10101.exe
windows7-x64
1101.exe
windows10-2004-x64
1102.exe
windows7-x64
8102.exe
windows10-2004-x64
5103.exe
windows7-x64
8103.exe
windows10-2004-x64
1105.exe
windows7-x64
10105.exe
windows10-2004-x64
10106.exe
windows7-x64
8106.exe
windows10-2004-x64
1107.exe
windows7-x64
6107.exe
windows10-2004-x64
6108.exe
windows7-x64
10108.exe
windows10-2004-x64
10109.exe
windows7-x64
10109.exe
windows10-2004-x64
5110.exe
windows7-x64
10110.exe
windows10-2004-x64
10111.exe
windows7-x64
10111.exe
windows10-2004-x64
10112.exe
windows7-x64
8112.exe
windows10-2004-x64
7113.exe
windows7-x64
10113.exe
windows10-2004-x64
10114.exe
windows7-x64
10114.exe
windows10-2004-x64
8115.exe
windows7-x64
10115.exe
windows10-2004-x64
10116.exe
windows7-x64
8116.exe
windows10-2004-x64
7Analysis
-
max time kernel
156s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
26/11/2022, 11:26
Static task
static1
Behavioral task
behavioral1
Sample
100.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
100.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
101.exe
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
101.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
102.exe
Resource
win7-20221111-en
Behavioral task
behavioral6
Sample
102.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral7
Sample
103.exe
Resource
win7-20220901-en
Behavioral task
behavioral8
Sample
103.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral9
Sample
105.exe
Resource
win7-20221111-en
Behavioral task
behavioral10
Sample
105.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
106.exe
Resource
win7-20220901-en
Behavioral task
behavioral12
Sample
106.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral13
Sample
107.exe
Resource
win7-20220812-en
Behavioral task
behavioral14
Sample
107.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral15
Sample
108.exe
Resource
win7-20221111-en
Behavioral task
behavioral16
Sample
108.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral17
Sample
109.exe
Resource
win7-20221111-en
Behavioral task
behavioral18
Sample
109.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral19
Sample
110.exe
Resource
win7-20220812-en
Behavioral task
behavioral20
Sample
110.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral21
Sample
111.exe
Resource
win7-20220812-en
Behavioral task
behavioral22
Sample
111.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral23
Sample
112.exe
Resource
win7-20221111-en
Behavioral task
behavioral24
Sample
112.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral25
Sample
113.exe
Resource
win7-20220812-en
Behavioral task
behavioral26
Sample
113.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral27
Sample
114.exe
Resource
win7-20220901-en
Behavioral task
behavioral28
Sample
114.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral29
Sample
115.exe
Resource
win7-20221111-en
Behavioral task
behavioral30
Sample
115.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral31
Sample
116.exe
Resource
win7-20220901-en
Behavioral task
behavioral32
Sample
116.exe
Resource
win10v2004-20221111-en
General
-
Target
110.exe
-
Size
242KB
-
MD5
c0224c4d9628b324db1af4d9007fa46c
-
SHA1
1d264386f3d36b28f78f3cba45c189e0c065ce16
-
SHA256
673a680f2bad58c131f64dcf538e9e4539ea5b5319020ce27d05baffe9ea0984
-
SHA512
339492a6de4aa920db03f8e4cff3e76052372096f068d4d5984ffc7fc93d15423ee4a35b24f583a2edb67658e7411d9789fe4024223c27015fe8f555407bbe03
-
SSDEEP
3072:5hmeYAv6OUGsjtZfSPAnk2eFkf2zXm5XHxXQ41lfmLjCsyQQHX0LTvNaJS7X9hkg:JYAUGs/fSPAkDFKXJHQgENaU7X9h
Malware Config
Extracted
pony
http://exportservices.co.in/david/Panel/gate.php
-
payload_url
http://exportservices.co.in/david/Panel/shit.exe
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3420 AeLookupSvi.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation 110.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application Experience = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AeLookupSvi.exe" AeLookupSvi.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4392 set thread context of 2132 4392 110.exe 86 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe 4392 110.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4392 110.exe Token: SeDebugPrivilege 3420 AeLookupSvi.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4392 wrote to memory of 2132 4392 110.exe 86 PID 4392 wrote to memory of 2132 4392 110.exe 86 PID 4392 wrote to memory of 2132 4392 110.exe 86 PID 4392 wrote to memory of 2132 4392 110.exe 86 PID 4392 wrote to memory of 2132 4392 110.exe 86 PID 4392 wrote to memory of 2132 4392 110.exe 86 PID 4392 wrote to memory of 2132 4392 110.exe 86 PID 4392 wrote to memory of 2132 4392 110.exe 86 PID 4392 wrote to memory of 3420 4392 110.exe 88 PID 4392 wrote to memory of 3420 4392 110.exe 88 PID 4392 wrote to memory of 3420 4392 110.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\110.exe"C:\Users\Admin\AppData\Local\Temp\110.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Users\Admin\AppData\Local\Temp\110.exe"C:\Users\Admin\AppData\Local\Temp\110.exe"2⤵PID:2132
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3420
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD50ad079e611cf1a31bc5b01ee17fe607d
SHA1d769361e8d0289cfc79adb2b0a5e6f3b9af33c15
SHA2568a0d39c067024add12353126cd79c6ceb8f1680895a0f81737aae070568e38f5
SHA512f78ebeda9e01b6deab338a800be8b267e594845ee258c3e83e12f8c216a11599fe63c15147c26fbab2b4090d30739893299b506cbc28025154ea4ec0726e1f05
-
Filesize
8KB
MD50ad079e611cf1a31bc5b01ee17fe607d
SHA1d769361e8d0289cfc79adb2b0a5e6f3b9af33c15
SHA2568a0d39c067024add12353126cd79c6ceb8f1680895a0f81737aae070568e38f5
SHA512f78ebeda9e01b6deab338a800be8b267e594845ee258c3e83e12f8c216a11599fe63c15147c26fbab2b4090d30739893299b506cbc28025154ea4ec0726e1f05
-
Filesize
242KB
MD5c0224c4d9628b324db1af4d9007fa46c
SHA11d264386f3d36b28f78f3cba45c189e0c065ce16
SHA256673a680f2bad58c131f64dcf538e9e4539ea5b5319020ce27d05baffe9ea0984
SHA512339492a6de4aa920db03f8e4cff3e76052372096f068d4d5984ffc7fc93d15423ee4a35b24f583a2edb67658e7411d9789fe4024223c27015fe8f555407bbe03