Analysis

max time kernel:   107s
max time network:  147s
platform:          windows7_x64
resource:          win7-20220901-en
resource tags:     arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted:         29/11/2022, 14:46
Behavioral tasks

behavioral1: 209b71e5ab7b8cbd538b0fa08ad8276f25c99d552b9bba3c68cca8f0b4ea22b8.exe on win7-20220901-en (this report)
behavioral2: 209b71e5ab7b8cbd538b0fa08ad8276f25c99d552b9bba3c68cca8f0b4ea22b8.exe on win10v2004-20220812-en
General

Target:  209b71e5ab7b8cbd538b0fa08ad8276f25c99d552b9bba3c68cca8f0b4ea22b8.exe
Size:    479KB
MD5:     d51d291cddbeb4e6277e7cc0553cb830
SHA1:    418739f762a23d7e5bdcf1e15f44cdf9237175a9
SHA256:  209b71e5ab7b8cbd538b0fa08ad8276f25c99d552b9bba3c68cca8f0b4ea22b8
SHA512:  e54e5511f81596ce1ee2fc87c5ab76347b29585c9761665f4c5dcab786677c772926ed09ff2c255445d48293367ffd6d602a1fcb274b1607ca531cf0119c34aa
SSDEEP:  12288:Z8/p7VZrTjcvg9OmLP2NrHD0DZ+e32APuGw:e/dVZrG5kux052APA
Malware Config

Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a generic signature. Nothing else in this report (process tree, registry activity, downloads) shows file enumeration or encryption; the sample's only observable action here is launching Internet Explorer to http://bbs.qzonebar.com/, so treat the ransomware hint as weak on this evidence.
Modifies Internet Explorer settings
All keys below live under \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ (the sandbox user's hive); the prefix is omitted from each row. The process column is the writer. Only one row is attributed to the sample itself (Key created Main); every other write comes from the two Internet Explorer processes it spawned and is consistent with IE's own startup and first-run housekeeping.

description      | ioc                                                                  | process
Key created      | GPU                                                                  | iexplore.exe
Set value (int)  | Main\CompatibilityFlags = "0"                                        | iexplore.exe
Set value (int)  | Recovery\AdminActive\{A525CB61-7108-11ED-A45B-DAC72961D548} = "0"    | iexplore.exe
Key created      | Recovery\PendingRecovery                                             | iexplore.exe
Key created      | IETld\LowMic                                                         | iexplore.exe
Key created      | Main                                                                 | IEXPLORE.EXE
Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created      | TabbedBrowsing                                                       | iexplore.exe
Key created      | DomainSuggestion\FileNames                                           | iexplore.exe
Set value (str)  | DomainSuggestion\FileNames\en-US = "en-US.1"                         | iexplore.exe
Key created      | LowRegistry\DontShowMeThisDialogAgain                                | iexplore.exe
Key created      | Toolbar                                                              | iexplore.exe
Set value (str)  | Main\WindowsSearch\Version = "WS not running"                        | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006807de1a2e08d94eb0b62dcfcec864d200000000020000000000106600000001000020000000d7ccfdbd1aac862382b34bb4e34b7c7087bab51639eca12b89d6365250c37c52000000000e80000000020000200000006d17c9bd574a40824101be4a7cfc0cc204f81188e1f02242f32ca13c083a71a920000000830a81aee9fadb01f56f988220d1efd44f049b9d4980a831155fb0cf71426c274000000050d59a7562e1d575b349b45933493642fd5f6dfa07ea69847058d3f4e22320a95b5e4b79375072d89854d47f59d4e193881e1a09f37eeeb4fdca5d148975708e | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\MFV = [value elided]                       | iexplore.exe
Key created      | DomainSuggestion\FileNames\                                          | iexplore.exe
Key created      | Zoom                                                                 | iexplore.exe
Key created      | TabbedBrowsing\NewTabPage                                            | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = 0013137b1505d901           | iexplore.exe
Key created      | BrowserEmulation\LowMic                                              | iexplore.exe
Key created      | PageSetup                                                            | iexplore.exe
Set value (int)  | Recovery\PendingRecovery\AdminActive = "0"                           | iexplore.exe
Key created      | DomainSuggestion                                                     | iexplore.exe
Set value (int)  | DomainSuggestion\NextUpdateDate = "376616721"                        | iexplore.exe
Key created      | Main                                                                 | iexplore.exe
Key created      | Recovery\AdminActive                                                 | iexplore.exe
Set value (int)  | TabbedBrowsing\NTPFirstRun = "1"                                     | iexplore.exe
Key created      | IntelliForms                                                         | iexplore.exe
Key created      | InternetRegistry                                                     | iexplore.exe
Key created      | LowRegistry                                                          | iexplore.exe
Key created      | Toolbar\WebBrowser                                                   | iexplore.exe
Set value (str)  | Main\FullScreen = "no"                                               | iexplore.exe
Key created      | Main                                                                 | 209b71e5ab7b8cbd538b0fa08ad8276f25c99d552b9bba3c68cca8f0b4ea22b8.exe
Key created      | LowRegistry\DOMStorage                                               | iexplore.exe
Key created      | Main\WindowsSearch                                                   | iexplore.exe

The DecayDateQueue value is a DPAPI-protected blob (version 01000000 followed by the DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb), which is how IE stores its new-tab-page state; it is not attacker data.
Suspicious use of FindShellTrayWindow (1 IoC)
pid  | process
516  | iexplore.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
pid  | process
1460 | 209b71e5ab7b8cbd538b0fa08ad8276f25c99d552b9bba3c68cca8f0b4ea22b8.exe
1460 | 209b71e5ab7b8cbd538b0fa08ad8276f25c99d552b9bba3c68cca8f0b4ea22b8.exe
516  | iexplore.exe
516  | iexplore.exe
1272 | IEXPLORE.EXE
1272 | IEXPLORE.EXE
1272 | IEXPLORE.EXE
1272 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (8 IoCs)
description                      | pid  | process                                                               | procid_target
PID 1460 wrote to memory of 516  | 1460 | 209b71e5ab7b8cbd538b0fa08ad8276f25c99d552b9bba3c68cca8f0b4ea22b8.exe | 29
PID 1460 wrote to memory of 516  | 1460 | 209b71e5ab7b8cbd538b0fa08ad8276f25c99d552b9bba3c68cca8f0b4ea22b8.exe | 29
PID 1460 wrote to memory of 516  | 1460 | 209b71e5ab7b8cbd538b0fa08ad8276f25c99d552b9bba3c68cca8f0b4ea22b8.exe | 29
PID 1460 wrote to memory of 516  | 1460 | 209b71e5ab7b8cbd538b0fa08ad8276f25c99d552b9bba3c68cca8f0b4ea22b8.exe | 29
PID 516 wrote to memory of 1272  | 516  | iexplore.exe                                                          | 30
PID 516 wrote to memory of 1272  | 516  | iexplore.exe                                                          | 30
PID 516 wrote to memory of 1272  | 516  | iexplore.exe                                                          | 30
PID 516 wrote to memory of 1272  | 516  | iexplore.exe                                                          | 30

Both write pairs follow the parent/child edges of the process tree (1460 spawned 516, 516 spawned 1272), and the legitimate iexplore.exe frame to IEXPLORE.EXE tab spawn shows exactly the same four writes. A parent writing the startup parameters into a child it is creating is normal CreateProcess behaviour, so on this evidence the writes are consistent with process creation rather than injection into an unrelated process; a memory dump of PID 516 would be needed to rule out a hollowed or patched child.
Processes

1. C:\Users\Admin\AppData\Local\Temp\209b71e5ab7b8cbd538b0fa08ad8276f25c99d552b9bba3c68cca8f0b4ea22b8.exe  (PID 1460)
   Command line: "C:\Users\Admin\AppData\Local\Temp\209b71e5ab7b8cbd538b0fa08ad8276f25c99d552b9bba3c68cca8f0b4ea22b8.exe"
   - Modifies Internet Explorer settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\Internet Explorer\iexplore.exe  (PID 516, child of 1460)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://bbs.qzonebar.com/
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 1272, child of 516)
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:516 CREDAT:275457 /prefetch:2
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
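The WriteProcessMemory rows above only become meaningful once they are laid over the process tree: a write from a parent into the child it is creating is expected, a write into a process the writer did not spawn is the case worth chasing. The script below is an added example, not Triage's code or output. It re-types this report's process list and its eight WriteProcessMemory rows as constructed input, parses the rows in the layout the report prints them ("PID <pid> wrote to memory of <target> <pid> <image> <procid_target>"), and applies a parent-versus-unrelated heuristic of its own; the verdict labels and function names are this example's assumptions.

```python
"""Correlate a Triage-style process tree with its WriteProcessMemory IoCs.

Added example for this report; not Triage's code. PROCESSES and WRITE_ROWS
are re-typed from the report above (constructed input), and the
classify_writes() heuristic and its verdict labels are this example's own.
"""
import re
from collections import Counter

SAMPLE = "209b71e5ab7b8cbd538b0fa08ad8276f25c99d552b9bba3c68cca8f0b4ea22b8.exe"

# (pid, parent pid, image) as shown in the report's process tree.
PROCESSES = [
    (1460, None, SAMPLE),
    (516, 1460, "iexplore.exe"),
    (1272, 516, "IEXPLORE.EXE"),
]

# The eight "Suspicious use of WriteProcessMemory" rows, in the report's layout.
WRITE_ROWS = "\n".join(
    [f"PID 1460 wrote to memory of 516 1460 {SAMPLE} 29"] * 4
    + ["PID 516 wrote to memory of 1272 516 iexplore.exe 30"] * 4
)

ROW_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<procid_target>\d+)$"
)


def parse_write_rows(text):
    """Yield (writer_pid, target_pid, writer_image) for each non-empty row."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        yield int(m["writer"]), int(m["target"]), m["image"]


def classify_writes(rows, processes):
    """Group writes by (writer, target) and label each pair.

    parent-to-child:  writer is the target's parent. CreateProcess writes the
                      child's startup parameters from the parent, so a burst of
                      writes at spawn time is expected, not proof of injection.
    unrelated-target: writer did not create the target; this is the pattern
                      that deserves a memory dump.
    unknown-target:   target PID is absent from the process tree.
    """
    parent_of = {pid: ppid for pid, ppid, _ in processes}
    counts = Counter((w, t) for w, t, _ in rows)
    verdicts = {}
    for (writer, target), n in counts.items():
        if target not in parent_of:
            verdict = "unknown-target"
        elif parent_of[target] == writer:
            verdict = "parent-to-child"
        else:
            verdict = "unrelated-target"
        verdicts[(writer, target)] = (n, verdict)
    return verdicts


def lineage(pid, processes):
    """Return image names from the root of the tree down to `pid`."""
    by_pid = {p: (ppid, image) for p, ppid, image in processes}
    chain = []
    while pid is not None:
        ppid, image = by_pid[pid]
        chain.append(image)
        pid = ppid
    return chain[::-1]


if __name__ == "__main__":
    result = classify_writes(parse_write_rows(WRITE_ROWS), PROCESSES)
    for (w, t), (n, verdict) in sorted(result.items()):
        print(f"{w} -> {t}: {n} writes, {verdict}")
    print(" -> ".join(lineage(1272, PROCESSES)))
```

On this report both pairs come out as parent-to-child, which matches the reading given under the WriteProcessMemory signature. The heuristic is deliberately coarse: a parent can also spawn a child suspended and overwrite its image before it runs, so parent-to-child writes that continue after the child starts executing, or that carry executable content, still warrant dumping the child; the report's event list alone does not carry that timing.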
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize:  535B
MD5:       1e42f2547c9a6b565f737c4abd878084
SHA1:      c556bc40021ce87c4c51e510a8a3bbf6cb3aec13
SHA256:    2c88e902c38b792672444ccfdefaf4621f08595cc3e2493924d9fa78691f8a08
SHA512:    7cb6eaa855b5e83f6ebba54f4a70543cba702d947aa5c4a263c7372a6518aad2895f422ea94024075b1e337dfd4380693203f3f193aaf6c408ae36e506735ff6