Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

04dcf9abfd...e7.exe

windows7-x64

8

04dcf9abfd...e7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    203s
  • max time network
    211s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 06:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04dcf9abfda8ec71568796216036dedac02d3e98531a70e089b05e030af1fae7.exe

  • Size

    38KB

  • MD5

    5c562d1687f6c8bec635c79516dc46b0

  • SHA1

    46c063902191f87129420fc59434e100b1618eb6

  • SHA256

    04dcf9abfda8ec71568796216036dedac02d3e98531a70e089b05e030af1fae7

  • SHA512

    e143ee9cf05ba522f5220a363ed77664a8815f91a12d014f332d945553d9745ead51b854aaefd5f44bf31c8347b419feaba62195b2a7efc43d90392f14b06932

  • SSDEEP

    768:zn3ZTZaMKHOcgfThJlKK0gob24ODM27dMxoD0l8r11c:zpkMKFgQK0gH4O4odRD0M1W

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04dcf9abfda8ec71568796216036dedac02d3e98531a70e089b05e030af1fae7.exe
    "C:\Users\Admin\AppData\Local\Temp\04dcf9abfda8ec71568796216036dedac02d3e98531a70e089b05e030af1fae7.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:984
      • C:\Users\Admin\AppData\Local\Temp\ins2B36.tmp
        C:\Users\Admin\AppData\Local\Temp\ins2B36.tmp accmp_config.tmp
        3⤵
        • Executes dropped EXE
        PID:936
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
        3⤵
        • Drops file in Windows directory
        PID:1112
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Local\Temp\desktop_url.cab" -F:*.* "C:\Users\Admin\Desktop"
        3⤵
        • Drops file in Windows directory
        PID:1776
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://121.14.155.219:9091/report3.ashx?m=EE-BA-1A-0F-FC-D1&mid=21663&tid=1&d=9ff95a19731d2e4ff32f6f293d4e33b8&uid=13729&t=
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:928
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:928 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:336
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.58816.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:892
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.38522.com/bhy.html?popup
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:480
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:480 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1352
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\04DCF9~1.EXE > nul
      2⤵
      • Deletes itself
      PID:592

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8EA976E0-7309-11ED-91E9-EEBA1A0FFCD1}.dat
    Filesize

    3KB

    MD5

    f5ff9d4d78a523f46eec32125e0db599

    SHA1

    092ca9c81bb448074899327cf95e23b83bba21ca

    SHA256

    cbe5a09a15e3f264721b176ff75a4a631e958322cbaef9bec5babb7ec6cc3a12

    SHA512

    d408c95f957a7d480380aa7e70ca700c88680e4ad929e51eed06a4b6ebc85d2c5277dacaf062a0b9f9598d67635fc22acac3078a30412803a78c850c55914caa

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8EA976E0-7309-11ED-91E9-EEBA1A0FFCD1}.dat
    Filesize

    5KB

    MD5

    3660b0a583f14a8d50341781b469dbd2

    SHA1

    bcf2f6c4578a175996d5630771b4890fdeeae374

    SHA256

    bce48ec911d3cf211b9f5ec0aae9dc5e0373aa8a7b9bd6837a559d5eee169111

    SHA512

    9ae8197e48a7e9b9c3ff06d69d5be41e7a4180ae3142c8daf31653985d9e737c33a3b7650fbdea4eb1994c5801f2bea07f08d697669ae5f40f3bbecf06c829df

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8EA9C500-7309-11ED-91E9-EEBA1A0FFCD1}.dat
    Filesize

    3KB

    MD5

    ef2e93888fc8dd91353f6ef35f7a0df3

    SHA1

    72480f81b15bcbaff07db6629461b10b374f4626

    SHA256

    e23bb43b6111df58ee5d1e36dc402e33172785f89e89625d0838bb4137f2cb07

    SHA512

    77fc9322f9201f01464a87f60a731dbcae4bf8c691cfb5a8570d0868717a0c2f9bb8c5ecf5d73545bdb0a1a5ade8685ce78fb20452334acb5edc4eb606cfe256

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\accmp_config.tmp
    Filesize

    779B

    MD5

    264e1664e26196fd42d2da623098c343

    SHA1

    482fbd971bf2f5b00ec06983189daf5e8fb530cc

    SHA256

    89e4256ffc8d947f2b361d2b8e59857bb1c49d042d290c7dd4ebd5d41b7a082a

    SHA512

    fbdbda204363a89dacdf0e86f5b71b5dc4c2960e4b970be8c24c76d633cfc1368f9cece62537ef83a36040282fcac4d0676cec2e8a7252fcfd439357d2878dda

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ins2B36.tmp
    Filesize

    122.8MB

    MD5

    cf56ca10e58131280ce62b7d03160886

    SHA1

    33e82bb70a8ec343449e910cd2f226dcf8de3a4e

    SHA256

    858f047abca8f0576dbf388d2acaf47383fe1e66436f3d327307655aace31140

    SHA512

    82b607109851fbc6b1da0bb49b7cb1c7deac68a6ea3c070b4207dd2c5143b42224dacc5df961acf55ddf4e1acba4755c8adfee044052f556c8eee46cb72629f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ins2B36.tmp
    Filesize

    122.8MB

    MD5

    cf56ca10e58131280ce62b7d03160886

    SHA1

    33e82bb70a8ec343449e910cd2f226dcf8de3a4e

    SHA256

    858f047abca8f0576dbf388d2acaf47383fe1e66436f3d327307655aace31140

    SHA512

    82b607109851fbc6b1da0bb49b7cb1c7deac68a6ea3c070b4207dd2c5143b42224dacc5df961acf55ddf4e1acba4755c8adfee044052f556c8eee46cb72629f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat
    Filesize

    62B

    MD5

    ec036d076a304f84d0afc9900181700c

    SHA1

    fcaa924491d12eb9711bb88e10546de693ef20a2

    SHA256

    078a3dedf1378f43ff4fb11bd009a63ee5c1eda9c2b9fca99908f83a54e4fb6a

    SHA512

    2b3b4bada4d4417e7e014aa4f841284908ab11a1489a7fc1a49aa036a741f5b9a4fc0c991a0e48f2073d111d5e0f44880bdac208e41e71e04603d158543e9c4b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat
    Filesize

    94B

    MD5

    d5fc3a9ec15a6302543438928c29e284

    SHA1

    fd4199e543f683a8830a88f8ac0d0f001952b506

    SHA256

    b2160315eb2f3bcb2e7601e0ce7fbb4ed72094b891d3db3b5119b07eeccc568d

    SHA512

    4d0378480f1e7d5bee5cf8f8cd3495745c05408785ab687b92be739cd64c077f0e3ee26d6d96e27eb6e2c3dec5f39a2766c45854dc2d6a5b6defc672aeafa0f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat
    Filesize

    98B

    MD5

    8663de6fce9208b795dc913d1a6a3f5b

    SHA1

    882193f208cf012eaf22eeaa4fef3b67e7c67c15

    SHA256

    2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

    SHA512

    9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\desktop_url.cab
    Filesize

    475B

    MD5

    7435d786e086d63639c02a3f39cecf84

    SHA1

    a4d70109c0099e46e2cb17c92c1eb901b0744d46

    SHA256

    376c35bd15ab9fb651cec5008e8ad5b5b894a5219a1f887199971a0c5a5c2598

    SHA512

    3db60a0722b302bf48725e9cf78b2683e32ffd65a6f7bebb218eb0e0d2db1922b64678636013d9bf83368e5f5f64794678a9f657897bba541f2749b71da09edc

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\favorites_url.cab
    Filesize

    425B

    MD5

    da68bc3b7c3525670a04366bc55629f5

    SHA1

    15fda47ecfead7db8f7aee6ca7570138ba7f1b71

    SHA256

    73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

    SHA512

    6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

    Download Submit

  • \Users\Admin\AppData\Local\Temp\ins2B36.tmp
    Filesize

    122.8MB

    MD5

    cf56ca10e58131280ce62b7d03160886

    SHA1

    33e82bb70a8ec343449e910cd2f226dcf8de3a4e

    SHA256

    858f047abca8f0576dbf388d2acaf47383fe1e66436f3d327307655aace31140

    SHA512

    82b607109851fbc6b1da0bb49b7cb1c7deac68a6ea3c070b4207dd2c5143b42224dacc5df961acf55ddf4e1acba4755c8adfee044052f556c8eee46cb72629f3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\ins2B36.tmp
    Filesize

    122.8MB

    MD5

    cf56ca10e58131280ce62b7d03160886

    SHA1

    33e82bb70a8ec343449e910cd2f226dcf8de3a4e

    SHA256

    858f047abca8f0576dbf388d2acaf47383fe1e66436f3d327307655aace31140

    SHA512

    82b607109851fbc6b1da0bb49b7cb1c7deac68a6ea3c070b4207dd2c5143b42224dacc5df961acf55ddf4e1acba4755c8adfee044052f556c8eee46cb72629f3

    Download Submit

  • memory/936-77-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/984-76-0x00000000002F0000-0x00000000002F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/984-72-0x00000000002F0000-0x00000000002F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2024-79-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2024-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2024-57-0x0000000000900000-0x000000000090A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2024-56-0x0000000000020000-0x0000000000023000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2024-55-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download