Analysis
max time kernel: 173s
max time network: 186s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/12/2022, 10:35
Static task: static1
Behavioral task: behavioral1
  Sample: 196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe
  Resource: win10v2004-20221111-en
General
Target: 196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe
Size: 1.6MB
MD5: 4cccc21fc45e1b65a646d0c55e9d0ac8
SHA1: e8fe3fbadda59888bdb6bf6d297638692e084959
SHA256: 196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf
SHA512: 8b8331b257c399e51a061990aee3bc6c1b17ada71b4166e7bb886c85be1cb4455a1d896b16df6417d9c298b457b65ca78ce0f65c5c8524d283a3fb30adc18c5c
SSDEEP: 24576:GMv+gDEDgzmhiHP2EWPkPU04HrrFrUdtMnESJnQJE2/JKJ:GKzmIVJsFUcmE2/JKJ
Malware Config
Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000388" (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
  Set value (data): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4093274140" (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000388" (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1505F1B7-7338-11ED-919F-52DC8380D311} = "0" (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4093274140" (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" (iexplore.exe)
Suspicious use of FindShellTrayWindow 1 IoCs
  PID 680 iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs
  PID 5072 196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe (4 IoCs)
  PID 680 iexplore.exe (2 IoCs)
  PID 1640 IEXPLORE.EXE (4 IoCs)

Suspicious use of WriteProcessMemory 5 IoCs
  PID 5072 wrote to memory of 680: 5072 196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe, procid_target 86 (2 IoCs)
  PID 680 wrote to memory of 1640: 680 iexplore.exe, procid_target 87 (3 IoCs)
Processes
1. C:\Users\Admin\AppData\Local\Temp\196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\196a4d91e094ad2f5f9a6321dd95dfad0d55e3df95d2ab816ea4ef4c0562f8bf.exe"
   PID: 5072
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Internet Explorer\iexplore.exe (child of 1)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.xiugua.net/wg/dnf/20130121/1754.html
      PID: 680
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of 2)
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:680 CREDAT:17410 /prefetch:2
         PID: 1640
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx