Analysis

- max time kernel: 142s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/11/2022, 02:43
Static task: static1

Behavioral task: behavioral1
- Sample: 8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe
- Resource: win10v2004-20220901-en
General

- Target: 8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe
- Size: 109KB
- MD5: 2cc89125f41c7f0b43a2270bab95f59b
- SHA1: 52872c01673f3de64f2abcb038bd2ad2f19c9b71
- SHA256: 8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d
- SHA512: b7cbc407caf3a3ec10e73561c06daf1dd4af851d6e1c77d6fa7d6fab91c50bf3a3f1f7c10670d161c70ba5c84e9ac07ffd1263b298a9949c45321f22920a1dd9
- SSDEEP: 1536:onX6P2JU6nCbtEDbPjg5shQ/G1VyZJAVY53rfL8iL/3p5PKtOPc6BVWFyVsG:HOJU6n+irC8VyZGVw7L8iLBYtIHUyVd
Malware Config
Signatures

- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Unicode_Normalization\pARAMETERS\sERVICEdLL = "C:\\Windows\\system32\\softpus.dll" | regsvr32.exe

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | WScript.exe

- Loads dropped DLL (2 IoCs)
  pid | Process
  2216 | regsvr32.exe
  2888 | Svchost.exe

- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\softpus.dll | regsvr32.exe
  File opened for modification | C:\Windows\SysWOW64\softpus.dll | regsvr32.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Enumerates processes with tasklist (1 TTPs, 1 IoC)
  pid | Process
  3196 | tasklist.exe

- Kills process with taskkill (1 IoC)
  pid | Process
  744 | taskkill.exe

- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | 8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe

- Runs ping.exe (1 TTPs, 2 IoCs)
  pid | Process
  2248 | PING.EXE
  3952 | PING.EXE

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3196 | tasklist.exe
  Token: SeDebugPrivilege | 744 | taskkill.exe

- Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 4868 wrote to memory of 1028 | 4868 | 8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe | 81
  PID 4868 wrote to memory of 1028 | 4868 | 8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe | 81
  PID 4868 wrote to memory of 1028 | 4868 | 8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe | 81
  PID 1028 wrote to memory of 3260 | 1028 | WScript.exe | 82
  PID 1028 wrote to memory of 3260 | 1028 | WScript.exe | 82
  PID 1028 wrote to memory of 3260 | 1028 | WScript.exe | 82
  PID 3260 wrote to memory of 2216 | 3260 | cmd.exe | 84
  PID 3260 wrote to memory of 2216 | 3260 | cmd.exe | 84
  PID 3260 wrote to memory of 2216 | 3260 | cmd.exe | 84
  PID 3260 wrote to memory of 2248 | 3260 | cmd.exe | 85
  PID 3260 wrote to memory of 2248 | 3260 | cmd.exe | 85
  PID 3260 wrote to memory of 2248 | 3260 | cmd.exe | 85
  PID 3260 wrote to memory of 3196 | 3260 | cmd.exe | 87
  PID 3260 wrote to memory of 3196 | 3260 | cmd.exe | 87
  PID 3260 wrote to memory of 3196 | 3260 | cmd.exe | 87
  PID 3260 wrote to memory of 3952 | 3260 | cmd.exe | 88
  PID 3260 wrote to memory of 3952 | 3260 | cmd.exe | 88
  PID 3260 wrote to memory of 3952 | 3260 | cmd.exe | 88
  PID 3260 wrote to memory of 744 | 3260 | cmd.exe | 92
  PID 3260 wrote to memory of 744 | 3260 | cmd.exe | 92
  PID 3260 wrote to memory of 744 | 3260 | cmd.exe | 92
Processes

- Level 1: C:\Users\Admin\AppData\Local\Temp\8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4868

  - Level 2: C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hy.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 1028

    - Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c hy.bat
      - Suspicious use of WriteProcessMemory
      PID: 3260

      - Level 4: C:\Windows\SysWOW64\regsvr32.exe
        Command line: regsvr32 hy.dll
        - Sets DLL path for service in the registry
        - Loads dropped DLL
        - Drops file in System32 directory
        PID: 2216

      - Level 4: C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        - Runs ping.exe
        PID: 2248

      - Level 4: C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist /svc
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID: 3196

      - Level 4: C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        - Runs ping.exe
        PID: 3952

      - Level 4: C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /im regsvr32.exe /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 744

- Level 1: C:\Windows\SysWOW64\Svchost.exe
  Command line: C:\Windows\SysWOW64\Svchost.exe -k netsvcs
  - Loads dropped DLL
  PID: 2888
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 144B
  MD5: f36b3892cd11fe578eadf0d4e49ebd70
  SHA1: e25898f1e58ecac39b050c6461e0e95dbf9eb70e
  SHA256: a4868b4d6a8bc27c4a4aee08bd04749dc37bdf24c43f036d9fde99c9542ca9e7
  SHA512: 900a1d0daead103b03e14927caf915d27d0a2b73148a18e5adb635366bded86442d8cf618f65eda63eb8ff255750541ae155a01710c1ed62e1294449f81c1e43

- Filesize: 63KB
  MD5: dd61d349a7c099442135a102cbd342a4
  SHA1: fb9d361235f1954abd1842971e6c3bbf6d8981e5
  SHA256: 86c9490bb84e0fdbf60cbd36eeda4390a810b0a92b3e33dac6679e27060a03c3
  SHA512: 54366ab8bafbe89bf58285f032a6ae84465731f6595d3a572271a3b6693c7204f39a1a10062df4f703f8292e2313fbad8cf933d7a280a4a67408c1290bce40cf
- Filesize: 51B
  MD5: b622ecd01880270e1625c337249ba7d3
  SHA1: f1dad85b2dfa56d2b3ae507765ec96c56e51eb9c
  SHA256: d6d1f72224e9db4edbdf2bc900a816d3fe6aa95a9f547a10216a78d6ea722588
  SHA512: 1a36d8781dc3fdf55b520ace190fe14b8787432b27ffc3b99104a40feb0abf1128c200e977ceb27cf31e9c80edac97eb28e5f11e935d839869b2a8b7550ffde0