Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
154s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
29/11/2022, 03:43
General
-
Target
712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe
-
Size
45KB
-
MD5
065403bcd78f5ef01ae779a88cd50eb7
-
SHA1
447f03c372852d16856e22410e56d2b1a2d0dd5d
-
SHA256
712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734
-
SHA512
9095d612418f75d7253cc9aadda4412a2137832a4095be1eaeafb5fea05eb94ac8a2c86495c3cd1700c411fe545192f8db953b92720704e904c6e6c9e942f175
-
SSDEEP
768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JXa:EOxyeFo6NPCAosxYyXdF5oy3VoKa
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
-
Executes dropped EXE 15 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 29 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 23 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe"C:\Users\Admin\AppData\Local\Temp\712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\userinit.exeC:\Windows\system32\userinit.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Explorer.exeExplorer.exe "C:\recycled\SVCHOST.exe"4⤵
-
-
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD5d2276d098faf924760bc6f6386fb3110
SHA1553e6b7e2de1f25c3f5483b3ffd012267ca9000a
SHA256078eeba490b828ce25ab16c8a52a5c1359ccbec749042de8453c348d2a5d7f0d
SHA51247dade5d86f0654f5608b6fdea599e248df13babdbc85291df19291e6aa5dcd572f4c01df7c4bc81357bb3e742419e5cf0786393462658245d9cb78e49ac627b
-
Filesize
45KB
MD5d2276d098faf924760bc6f6386fb3110
SHA1553e6b7e2de1f25c3f5483b3ffd012267ca9000a
SHA256078eeba490b828ce25ab16c8a52a5c1359ccbec749042de8453c348d2a5d7f0d
SHA51247dade5d86f0654f5608b6fdea599e248df13babdbc85291df19291e6aa5dcd572f4c01df7c4bc81357bb3e742419e5cf0786393462658245d9cb78e49ac627b
-
Filesize
45KB
MD5d2276d098faf924760bc6f6386fb3110
SHA1553e6b7e2de1f25c3f5483b3ffd012267ca9000a
SHA256078eeba490b828ce25ab16c8a52a5c1359ccbec749042de8453c348d2a5d7f0d
SHA51247dade5d86f0654f5608b6fdea599e248df13babdbc85291df19291e6aa5dcd572f4c01df7c4bc81357bb3e742419e5cf0786393462658245d9cb78e49ac627b
-
Filesize
45KB
MD5d2276d098faf924760bc6f6386fb3110
SHA1553e6b7e2de1f25c3f5483b3ffd012267ca9000a
SHA256078eeba490b828ce25ab16c8a52a5c1359ccbec749042de8453c348d2a5d7f0d
SHA51247dade5d86f0654f5608b6fdea599e248df13babdbc85291df19291e6aa5dcd572f4c01df7c4bc81357bb3e742419e5cf0786393462658245d9cb78e49ac627b
-
Filesize
45KB
MD5d2276d098faf924760bc6f6386fb3110
SHA1553e6b7e2de1f25c3f5483b3ffd012267ca9000a
SHA256078eeba490b828ce25ab16c8a52a5c1359ccbec749042de8453c348d2a5d7f0d
SHA51247dade5d86f0654f5608b6fdea599e248df13babdbc85291df19291e6aa5dcd572f4c01df7c4bc81357bb3e742419e5cf0786393462658245d9cb78e49ac627b
-
Filesize
45KB
MD56eee27c4cf4c2c313c23e1931697904c
SHA14bfe4ce686008346b845ec9fecc2dd6f0f8fafe1
SHA2563b0bafa5c85bdd4c0ee582f3a1d73206c714956fde4495d0c080eadf4e7d166b
SHA51290699a1b76b81e7f102fa7de18770d70861c82fa6f68d1c1903bc510847bcfd37cb79b8e93acc1f4a7c748522402ee38211c66cc0bcb595912280650d74c3096
-
Filesize
45KB
MD56eee27c4cf4c2c313c23e1931697904c
SHA14bfe4ce686008346b845ec9fecc2dd6f0f8fafe1
SHA2563b0bafa5c85bdd4c0ee582f3a1d73206c714956fde4495d0c080eadf4e7d166b
SHA51290699a1b76b81e7f102fa7de18770d70861c82fa6f68d1c1903bc510847bcfd37cb79b8e93acc1f4a7c748522402ee38211c66cc0bcb595912280650d74c3096
-
Filesize
45KB
MD56eee27c4cf4c2c313c23e1931697904c
SHA14bfe4ce686008346b845ec9fecc2dd6f0f8fafe1
SHA2563b0bafa5c85bdd4c0ee582f3a1d73206c714956fde4495d0c080eadf4e7d166b
SHA51290699a1b76b81e7f102fa7de18770d70861c82fa6f68d1c1903bc510847bcfd37cb79b8e93acc1f4a7c748522402ee38211c66cc0bcb595912280650d74c3096
-
Filesize
45KB
MD56eee27c4cf4c2c313c23e1931697904c
SHA14bfe4ce686008346b845ec9fecc2dd6f0f8fafe1
SHA2563b0bafa5c85bdd4c0ee582f3a1d73206c714956fde4495d0c080eadf4e7d166b
SHA51290699a1b76b81e7f102fa7de18770d70861c82fa6f68d1c1903bc510847bcfd37cb79b8e93acc1f4a7c748522402ee38211c66cc0bcb595912280650d74c3096
-
Filesize
45KB
MD56eee27c4cf4c2c313c23e1931697904c
SHA14bfe4ce686008346b845ec9fecc2dd6f0f8fafe1
SHA2563b0bafa5c85bdd4c0ee582f3a1d73206c714956fde4495d0c080eadf4e7d166b
SHA51290699a1b76b81e7f102fa7de18770d70861c82fa6f68d1c1903bc510847bcfd37cb79b8e93acc1f4a7c748522402ee38211c66cc0bcb595912280650d74c3096
-
Filesize
45KB
MD54f010b86e41e1ce4b8a1d7d26bac7ced
SHA1e62ddc3a065b60859bd3fb20a243f2deff39bec1
SHA256db331d2fe1018f5b527dd45a7e2f5ea6907320b4b4b6c92d0aea440794b427a9
SHA5122c202a0598aaa870d323388fbe46ad110f1eefa2c7e73094c7fe4dce37d46ab48549beb645ac2d429929252c5f25f6b709d07b2b80bc9593bcb3d081dd76014d
-
Filesize
45KB
MD54f010b86e41e1ce4b8a1d7d26bac7ced
SHA1e62ddc3a065b60859bd3fb20a243f2deff39bec1
SHA256db331d2fe1018f5b527dd45a7e2f5ea6907320b4b4b6c92d0aea440794b427a9
SHA5122c202a0598aaa870d323388fbe46ad110f1eefa2c7e73094c7fe4dce37d46ab48549beb645ac2d429929252c5f25f6b709d07b2b80bc9593bcb3d081dd76014d
-
Filesize
45KB
MD54f010b86e41e1ce4b8a1d7d26bac7ced
SHA1e62ddc3a065b60859bd3fb20a243f2deff39bec1
SHA256db331d2fe1018f5b527dd45a7e2f5ea6907320b4b4b6c92d0aea440794b427a9
SHA5122c202a0598aaa870d323388fbe46ad110f1eefa2c7e73094c7fe4dce37d46ab48549beb645ac2d429929252c5f25f6b709d07b2b80bc9593bcb3d081dd76014d
-
Filesize
45KB
MD54f010b86e41e1ce4b8a1d7d26bac7ced
SHA1e62ddc3a065b60859bd3fb20a243f2deff39bec1
SHA256db331d2fe1018f5b527dd45a7e2f5ea6907320b4b4b6c92d0aea440794b427a9
SHA5122c202a0598aaa870d323388fbe46ad110f1eefa2c7e73094c7fe4dce37d46ab48549beb645ac2d429929252c5f25f6b709d07b2b80bc9593bcb3d081dd76014d
-
Filesize
45KB
MD54f010b86e41e1ce4b8a1d7d26bac7ced
SHA1e62ddc3a065b60859bd3fb20a243f2deff39bec1
SHA256db331d2fe1018f5b527dd45a7e2f5ea6907320b4b4b6c92d0aea440794b427a9
SHA5122c202a0598aaa870d323388fbe46ad110f1eefa2c7e73094c7fe4dce37d46ab48549beb645ac2d429929252c5f25f6b709d07b2b80bc9593bcb3d081dd76014d
-
Filesize
65B
MD5ad0b0b4416f06af436328a3c12dc491b
SHA1743c7ad130780de78ccbf75aa6f84298720ad3fa
SHA25623521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
SHA512884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
2B
MD52b9d4fa85c8e82132bde46b143040142
SHA1a02431cf7c501a5b368c91e41283419d8fa9fb03
SHA2564658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
SHA512c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be
-
Filesize
45KB
MD5d2276d098faf924760bc6f6386fb3110
SHA1553e6b7e2de1f25c3f5483b3ffd012267ca9000a
SHA256078eeba490b828ce25ab16c8a52a5c1359ccbec749042de8453c348d2a5d7f0d
SHA51247dade5d86f0654f5608b6fdea599e248df13babdbc85291df19291e6aa5dcd572f4c01df7c4bc81357bb3e742419e5cf0786393462658245d9cb78e49ac627b
-
Filesize
45KB
MD56eee27c4cf4c2c313c23e1931697904c
SHA14bfe4ce686008346b845ec9fecc2dd6f0f8fafe1
SHA2563b0bafa5c85bdd4c0ee582f3a1d73206c714956fde4495d0c080eadf4e7d166b
SHA51290699a1b76b81e7f102fa7de18770d70861c82fa6f68d1c1903bc510847bcfd37cb79b8e93acc1f4a7c748522402ee38211c66cc0bcb595912280650d74c3096
-
Filesize
45KB
MD54f010b86e41e1ce4b8a1d7d26bac7ced
SHA1e62ddc3a065b60859bd3fb20a243f2deff39bec1
SHA256db331d2fe1018f5b527dd45a7e2f5ea6907320b4b4b6c92d0aea440794b427a9
SHA5122c202a0598aaa870d323388fbe46ad110f1eefa2c7e73094c7fe4dce37d46ab48549beb645ac2d429929252c5f25f6b709d07b2b80bc9593bcb3d081dd76014d
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB