Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
184s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
30/11/2022, 23:04
Static task
static1
Behavioral task
behavioral1
Sample
b2e9676872a44efc96894c89af1f725f645bbfcfe02be72bd9abe2a5f3c08fa4.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
b2e9676872a44efc96894c89af1f725f645bbfcfe02be72bd9abe2a5f3c08fa4.exe
Resource
win10v2004-20221111-en
General
-
Target
b2e9676872a44efc96894c89af1f725f645bbfcfe02be72bd9abe2a5f3c08fa4.exe
-
Size
64KB
-
MD5
3799963170fcfcfaa0018a518c0c8888
-
SHA1
47e93d61871b92ef054b3938b8bc4155554e1cbd
-
SHA256
b2e9676872a44efc96894c89af1f725f645bbfcfe02be72bd9abe2a5f3c08fa4
-
SHA512
5919c6f155c14100458cd30eb74fbdbf3ec8edacdf855cabd2215006e544a3675fd360d940257185b9b9aef67547154002a2b3592337342f39a50969df6c26ea
-
SSDEEP
1536:gUzp5/Ur2iwzWNyp7k1XXROdY25cJEJdTyhc01Z2RUG:dzp5TiwzWmkHv25l4c+a
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ouixil = "C:\\Users\\Admin\\AppData\\Roaming\\Ouixil.scr" iexplore.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376190203" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C0CCE859-72A3-11ED-BF5F-C2D7A23AFBD4} = "0" IEXPLORE.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 232 b2e9676872a44efc96894c89af1f725f645bbfcfe02be72bd9abe2a5f3c08fa4.exe 232 b2e9676872a44efc96894c89af1f725f645bbfcfe02be72bd9abe2a5f3c08fa4.exe 232 b2e9676872a44efc96894c89af1f725f645bbfcfe02be72bd9abe2a5f3c08fa4.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 232 b2e9676872a44efc96894c89af1f725f645bbfcfe02be72bd9abe2a5f3c08fa4.exe Token: SeDebugPrivilege 232 b2e9676872a44efc96894c89af1f725f645bbfcfe02be72bd9abe2a5f3c08fa4.exe Token: SeDebugPrivilege 1836 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2588 IEXPLORE.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2588 IEXPLORE.EXE 2588 IEXPLORE.EXE 4796 IEXPLORE.EXE 4796 IEXPLORE.EXE 4796 IEXPLORE.EXE 4796 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 232 wrote to memory of 1836 232 b2e9676872a44efc96894c89af1f725f645bbfcfe02be72bd9abe2a5f3c08fa4.exe 87 PID 232 wrote to memory of 1836 232 b2e9676872a44efc96894c89af1f725f645bbfcfe02be72bd9abe2a5f3c08fa4.exe 87 PID 232 wrote to memory of 1836 232 b2e9676872a44efc96894c89af1f725f645bbfcfe02be72bd9abe2a5f3c08fa4.exe 87 PID 1836 wrote to memory of 2588 1836 iexplore.exe 88 PID 1836 wrote to memory of 2588 1836 iexplore.exe 88 PID 232 wrote to memory of 1836 232 b2e9676872a44efc96894c89af1f725f645bbfcfe02be72bd9abe2a5f3c08fa4.exe 87 PID 232 wrote to memory of 1836 232 b2e9676872a44efc96894c89af1f725f645bbfcfe02be72bd9abe2a5f3c08fa4.exe 87 PID 2588 wrote to memory of 4796 2588 IEXPLORE.EXE 89 PID 2588 wrote to memory of 4796 2588 IEXPLORE.EXE 89 PID 2588 wrote to memory of 4796 2588 IEXPLORE.EXE 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\b2e9676872a44efc96894c89af1f725f645bbfcfe02be72bd9abe2a5f3c08fa4.exe"C:\Users\Admin\AppData\Local\Temp\b2e9676872a44efc96894c89af1f725f645bbfcfe02be72bd9abe2a5f3c08fa4.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4796
-
-
-