Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

04dcf9abfd...e7.exe

windows7-x64

8

04dcf9abfd...e7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    202s
  • max time network
    211s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 06:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04dcf9abfda8ec71568796216036dedac02d3e98531a70e089b05e030af1fae7.exe

  • Size

    38KB

  • MD5

    5c562d1687f6c8bec635c79516dc46b0

  • SHA1

    46c063902191f87129420fc59434e100b1618eb6

  • SHA256

    04dcf9abfda8ec71568796216036dedac02d3e98531a70e089b05e030af1fae7

  • SHA512

    e143ee9cf05ba522f5220a363ed77664a8815f91a12d014f332d945553d9745ead51b854aaefd5f44bf31c8347b419feaba62195b2a7efc43d90392f14b06932

  • SSDEEP

    768:zn3ZTZaMKHOcgfThJlKK0gob24ODM27dMxoD0l8r11c:zpkMKFgQK0gH4O4odRD0M1W

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04dcf9abfda8ec71568796216036dedac02d3e98531a70e089b05e030af1fae7.exe
    "C:\Users\Admin\AppData\Local\Temp\04dcf9abfda8ec71568796216036dedac02d3e98531a70e089b05e030af1fae7.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4288
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Users\Admin\AppData\Local\Temp\ins4AD4.tmp
        C:\Users\Admin\AppData\Local\Temp\ins4AD4.tmp accmp_config.tmp
        3⤵
        • Executes dropped EXE
        PID:936
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5116
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
        3⤵
        • Drops file in Windows directory
        PID:3584
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Local\Temp\desktop_url.cab" -F:*.* "C:\Users\Admin\Desktop"
        3⤵
        • Drops file in Windows directory
        PID:2104
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://121.14.155.219:9091/report3.ashx?m=72-18-A8-97-07-DE&mid=21663&tid=1&d=37830b37b72be4c926dda0a91f4b6a7b&uid=13729&t=
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5108
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5108 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4436
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.58816.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4712
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4712 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1300
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.38522.com/bhy.html?popup
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4984 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2216
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\04DCF9~1.EXE > nul
      2⤵
        PID:3100

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8EC000AC-7309-11ED-919F-7218A89707DE}.dat
      Filesize

      5KB

      MD5

      495447b36fab3714995e9cb1d3fc492a

      SHA1

      aa0b244fe4ee4c2a4f6ba1c1d21139656602ce9d

      SHA256

      ecd4ef52734686e923fb29d6db73b51c53b5919bc1c61789b11a21f56caf6a8e

      SHA512

      ffd2d1fcf0442a9f3539485426e4e4abbacbcffda073f10429e156867c500db8874da33e23e5edcb7fef19fe1ffc0a3ed7d06b9a5a3e136ecb9e8e63dbea1f9e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8EC027BC-7309-11ED-919F-7218A89707DE}.dat
      Filesize

      5KB

      MD5

      834fa8100c21e9c91d91cb1a82667a66

      SHA1

      4b498e8b38a1b7cf4bd769a211da6bddee7e7317

      SHA256

      da636f4493f7e7b044eb288a4a910a4ad4643d0526efcf9da42fd40eccceaa92

      SHA512

      9b0b07a4f0e95fcc5fc06bcfa4d279c18d44df69e30614649d7af441f712393fcb22e49c0c4f08369efdfd39042ae25e9308e8b1a5c3bff32871e30cc2c0176c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\accmp_config.tmp
      Filesize

      779B

      MD5

      264e1664e26196fd42d2da623098c343

      SHA1

      482fbd971bf2f5b00ec06983189daf5e8fb530cc

      SHA256

      89e4256ffc8d947f2b361d2b8e59857bb1c49d042d290c7dd4ebd5d41b7a082a

      SHA512

      fbdbda204363a89dacdf0e86f5b71b5dc4c2960e4b970be8c24c76d633cfc1368f9cece62537ef83a36040282fcac4d0676cec2e8a7252fcfd439357d2878dda

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ins4AD4.tmp
      Filesize

      57.2MB

      MD5

      eec0d54f1a5002ac15ddaef966c5393f

      SHA1

      33b3009d2d366e6a120409e413eb06598cf9ac26

      SHA256

      59688150c5576105342550021bddab12836a590c276fba0b0400dc62dc80afdc

      SHA512

      d26f8890821403ab3f4eae9f940f6ee483efbf4168ebe2f4bf835739baa51c953b4af38c934d18239327ecb95000b85ba829aa0c548615b7cc07b23dfabfe091

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ins4AD4.tmp
      Filesize

      57.2MB

      MD5

      eec0d54f1a5002ac15ddaef966c5393f

      SHA1

      33b3009d2d366e6a120409e413eb06598cf9ac26

      SHA256

      59688150c5576105342550021bddab12836a590c276fba0b0400dc62dc80afdc

      SHA512

      d26f8890821403ab3f4eae9f940f6ee483efbf4168ebe2f4bf835739baa51c953b4af38c934d18239327ecb95000b85ba829aa0c548615b7cc07b23dfabfe091

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat
      Filesize

      62B

      MD5

      7b512576bae1f5d1ea6ef366ee050d81

      SHA1

      609b766dbb75abb99fe164777283aaaa3880e14f

      SHA256

      15462785c26ef2665aa5d918d1aa53bb5c8b367211a2114140df8eb11ce4a5e6

      SHA512

      a04329390d4ef10db4af7d3324eb2f9f0a3921bbf2c753a4c3fd6e492ec32c19efb0de879a79a3c37261564efc5a79e5189bd448f1c5cb162507728aaecab2fa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat
      Filesize

      94B

      MD5

      d5fc3a9ec15a6302543438928c29e284

      SHA1

      fd4199e543f683a8830a88f8ac0d0f001952b506

      SHA256

      b2160315eb2f3bcb2e7601e0ce7fbb4ed72094b891d3db3b5119b07eeccc568d

      SHA512

      4d0378480f1e7d5bee5cf8f8cd3495745c05408785ab687b92be739cd64c077f0e3ee26d6d96e27eb6e2c3dec5f39a2766c45854dc2d6a5b6defc672aeafa0f9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat
      Filesize

      98B

      MD5

      8663de6fce9208b795dc913d1a6a3f5b

      SHA1

      882193f208cf012eaf22eeaa4fef3b67e7c67c15

      SHA256

      2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

      SHA512

      9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

      Download Submit

    • \??\c:\users\admin\appdata\local\temp\desktop_url.cab
      Filesize

      475B

      MD5

      7435d786e086d63639c02a3f39cecf84

      SHA1

      a4d70109c0099e46e2cb17c92c1eb901b0744d46

      SHA256

      376c35bd15ab9fb651cec5008e8ad5b5b894a5219a1f887199971a0c5a5c2598

      SHA512

      3db60a0722b302bf48725e9cf78b2683e32ffd65a6f7bebb218eb0e0d2db1922b64678636013d9bf83368e5f5f64794678a9f657897bba541f2749b71da09edc

      Download Submit

    • \??\c:\users\admin\appdata\local\temp\favorites_url.cab
      Filesize

      425B

      MD5

      da68bc3b7c3525670a04366bc55629f5

      SHA1

      15fda47ecfead7db8f7aee6ca7570138ba7f1b71

      SHA256

      73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

      SHA512

      6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

      Download Submit

    • memory/936-151-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4288-132-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4288-150-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4288-134-0x0000000000030000-0x0000000000033000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4288-133-0x0000000000030000-0x0000000000033000-memory.dmp

      Filesize

      12KB

      Download