Analysis
max time kernel: 148s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/12/2022, 15:22
Static task: static1
Behavioral task: behavioral1
  Sample: f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
  Resource: win10v2004-20220812-en
The signatures, process tree and dropped files below are from behavioral2, the Windows 10 (2004, x64) run named in the Analysis block.
General
Target: f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
Size: 1.9MB
MD5: 30eaa685e0d2d0f85c65b1cc451c65dc
SHA1: 659dfd4fd4a1e936ea05998df8fa05007f703308
SHA256: f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae
SHA512: 79fc813ccebd6e5693adc0c9a8f8892275ac0d1e18e7bc31f135a4f2f559d6348521d157239b652e2c879adf2539372451a3f05a915e79df5e1fd10e619dcf5a
SSDEEP: 49152:52OH89KmXrqT/VOB9raKOKJAw0tpKJIoMbwH0vU2AU/iQ2N5d8K5:52YaKmbgUraMJP0tUJGbwUNWt5
Malware Config
Signatures

Drops file in Drivers directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | WScript.exe
File opened for modification | C:\Windows\System32\drivers\etc\hîsts | WScript.exe
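Two things in the rows above are worth checking on a host that ran this sample: what the hosts file now resolves, and the third row, which is a write to a file in drivers\etc whose name is one character away from `hosts` rather than the stock file. The script below is an added example, not code from the report or from the sample: it flags non-stock and lookalike file names in that directory and classifies every active hosts-file entry as a sinkhole (pointed at loopback) or a redirect. The directory listing and hosts-file text are constructed for the demo; the function and constant names are mine.

```python
"""Triage checks for the two things the signature above records: writes to the
hosts file and a write to a non-stock file name inside drivers\\etc.
Added example, not code from the report or the sample; all inputs are constructed."""

# Stock contents of %SystemRoot%\System32\drivers\etc on a default install.
STOCK_FILES = {"hosts", "lmhosts.sam", "networks", "protocol", "services"}
# Addresses that make a name resolve to nowhere (blocking rather than redirecting).
SINKHOLE_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}


def within_one_edit(a, b):
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = diffs = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        diffs += 1
        if diffs > 1:
            return False
        if len(a) > len(b):
            i += 1                   # extra character in a
        elif len(a) < len(b):
            j += 1                   # extra character in b
        else:
            i, j = i + 1, j + 1      # substitution
    return diffs + (len(a) - i) + (len(b) - j) <= 1


def suspicious_filenames(names):
    """Return (name, reason) for every entry that is not a stock file, noting
    non-ASCII names and names one edit away from a stock name (lookalikes)."""
    flagged = []
    for name in names:
        low = name.lower()
        if low in STOCK_FILES:
            continue
        reasons = []
        if not name.isascii():
            reasons.append("non-ASCII name")
        for stock in sorted(STOCK_FILES):
            if within_one_edit(low, stock):
                reasons.append(f"near-match of {stock}")
        if not reasons:
            reasons.append("unexpected file")
        flagged.append((name, ", ".join(reasons)))
    return flagged


def active_hosts_entries(text):
    """(ip, hostname) pairs for every non-comment line; each one overrides DNS."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        ip, *hosts = body.split()
        entries.extend((ip, h.lower()) for h in hosts)
    return entries


def classify_entries(entries):
    """Split entries into names sinkholed to loopback (e.g. update servers
    blocked) and names redirected to some other address (e.g. a phishing host)."""
    sinkholed = [h for ip, h in entries if ip in SINKHOLE_ADDRS and h != "localhost"]
    redirected = [(h, ip) for ip, h in entries if ip not in SINKHOLE_ADDRS]
    return sinkholed, redirected


# Constructed sample hosts file; the two tampered lines are invented for the demo.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
127.0.0.1 localhost
0.0.0.0 update.example.net         # constructed: vendor update host blocked
198.51.100.7 login.example.com     # constructed: redirected to a TEST-NET-2 address
"""

# Constructed directory listing; the odd name mirrors the third row of the signature.
SAMPLE_DIR = ["hosts", "lmhosts.sam", "networks", "protocol", "services", "hîsts", "hosts.bak"]

if __name__ == "__main__":
    for name, why in suspicious_filenames(SAMPLE_DIR):
        print(f"drivers\\etc\\{name}: {why}")
    sink, redir = classify_entries(active_hosts_entries(SAMPLE_HOSTS))
    print("sinkholed:", sink)
    print("redirected:", redir)
```

On a live host, feed `suspicious_filenames` the listing of `%SystemRoot%\System32\drivers\etc` and `active_hosts_entries` the contents of `hosts`; the one-edit check is deliberately loose so that a single swapped or non-ASCII character is caught, and "unexpected file" covers anything the attacker simply added.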
Executes dropped EXE (5 IoCs)
pid | Process
4356 | 100k1Cheat.exe
260 | runme.exe
4804 | 4konya.exe
936 | mac.exe
1512 | fabyope.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country configured in the registry, likely a geofence. The value read is HKCU\Control Panel\International\Geo\Nation, which holds a numeric Windows GeoID rather than an ISO country code.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 4konya.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | cmd.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system. No IoC rows are attached to this signature.
Drops file in Program Files directory (21 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\100k1Cheat\__tmp_rar_sfx_access_check_240576000 | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
File created | C:\Program Files (x86)\100k1Cheat\100k1Cheat.exe | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
File opened for modification | C:\Program Files (x86)\100k1Cheat\4konya.exe | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
File opened for modification | C:\Program Files (x86)\Hn\Ip\indurk.akk | 4konya.exe
File opened for modification | C:\Program Files (x86)\Hn\Ip\Uninstall.exe | 4konya.exe
File opened for modification | C:\Program Files (x86)\100k1Cheat | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
File opened for modification | C:\Program Files (x86)\100k1Cheat\Interop.IWshRuntimeLibrary.dll | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
File opened for modification | C:\Program Files (x86)\100k1Cheat\mac.exe | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
File opened for modification | C:\Program Files (x86)\Hn\Ip\nash_sitee.vbs | 4konya.exe
File created | C:\Program Files\YaFinder\manifest.json | mac.exe
File created | C:\Program Files (x86)\100k1Cheat\4konya.exe | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
File created | C:\Program Files (x86)\100k1Cheat\Interop.IWshRuntimeLibrary.dll | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
File opened for modification | C:\Program Files (x86)\Hn\Ip\sklspaanngwdf.vbs | 4konya.exe
File opened for modification | C:\Program Files (x86)\Hn\Ip\poajfmas.dd | 4konya.exe
File created | C:\Program Files (x86)\Hn\Ip\Uninstall.ini | 4konya.exe
File created | C:\PROGRA~3\Mozilla\fabyope.exe | runme.exe
File opened for modification | C:\Program Files (x86)\100k1Cheat\100k1Cheat.exe | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
File created | C:\Program Files (x86)\100k1Cheat\runme.exe | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
File opened for modification | C:\Program Files (x86)\100k1Cheat\runme.exe | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
File opened for modification | C:\Program Files (x86)\Hn\Ip\nechelovecheskieebanyai.bat | 4konya.exe
File created | C:\Program Files (x86)\100k1Cheat\mac.exe | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
Two rows deserve a note. `__tmp_rar_sfx_access_check_240576000` is the write-access probe a WinRAR self-extracting archive drops before unpacking, so the submitted file is a RAR SFX that extracts the 100k1Cheat set (100k1Cheat.exe, runme.exe, 4konya.exe, mac.exe, Interop.IWshRuntimeLibrary.dll) and runs it. `C:\PROGRA~3\Mozilla\fabyope.exe`, created by runme.exe, is written under an 8.3 short name; on a standard x64 install PROGRA~3 resolves to C:\ProgramData, not to a Program Files directory, and the file later appears as its own root process (PID 1512) in the process tree.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's signature text rates this as likely ransomware behaviour; no IoC rows are attached and nothing else in this report (no mass file writes, no ransom note) supports that reading, so treat it as an unconfirmed generic hit.
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
672 | 1512 | WerFault.exe | 97
WerFault.exe (PID 672) was started for PID 1512, i.e. fabyope.exe crashed. mac.exe separately handed off to dw20.exe (PID 4940), the .NET Framework error-reporting shim, which is why the next two signatures are attributed to dw20.exe.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Here all three rows come from dw20.exe, the .NET error-reporting shim that mac.exe spawned (see the process tree), and CPU details are part of what it collects for a crash report; they are not evidence of sandbox evasion by the sample's own code.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Same source: both rows are dw20.exe reading BIOS details for the crash report.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | cmd.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | Process
936 | mac.exe (3 rows)
1512 | fabyope.exe (2 rows)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 936 | mac.exe
Token: SeBackupPrivilege | 4940 | dw20.exe (2 rows)
Token: SeDebugPrivilege | 1512 | fabyope.exe
mac.exe and fabyope.exe each enumerate processes and enable SeDebugPrivilege, the usual preparation for opening and writing another process; fabyope.exe goes on to write into Explorer.EXE (see the WriteProcessMemory rows below).
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
4804 | 4konya.exe
4356 | 100k1Cheat.exe (2 rows)
1072 | cmd.exe
Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target
PID 4812 wrote to memory of 4356 | 4812 | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe | 83 (3 rows)
PID 4812 wrote to memory of 260 | 4812 | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe | 85 (3 rows)
PID 4812 wrote to memory of 4804 | 4812 | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe | 86 (3 rows)
PID 4812 wrote to memory of 936 | 4812 | f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe | 87 (2 rows)
PID 4804 wrote to memory of 1072 | 4804 | 4konya.exe | 88 (3 rows)
PID 1072 wrote to memory of 1984 | 1072 | cmd.exe | 91 (3 rows)
PID 1072 wrote to memory of 1812 | 1072 | cmd.exe | 93 (3 rows)
PID 936 wrote to memory of 4940 | 936 | mac.exe | 98 (2 rows)
PID 1512 wrote to memory of 2212 | 1512 | fabyope.exe | 46
Every row but the last is a parent writing into a child it has just created, which the sandbox records for each process start and which mirrors the process tree. The last row is different: fabyope.exe (PID 1512) writes into Explorer.EXE (PID 2212), a process it did not spawn, so that is the row to treat as cross-process injection.
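Separating the create-time writes from the one real injection is mechanical once the rows are parsed against the process tree. The script below is an added example, not part of the report: it parses the 23 rows exactly as the signature prints them, collapses the repeats, and reports every write whose target is not the writer's own child. The row text and the parent/child map are transcribed from this page; the helper names are mine.

```python
"""Rebuild parent/child edges from the 'Suspicious use of WriteProcessMemory'
rows above and single out writes into processes the writer did not spawn.
Added example, not part of the report; rows and tree are copied from this page."""
import re
from collections import defaultdict

SAMPLE = "f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe"

# The 23 signature rows, one per line, as they appear above.
WPM_ROWS = f"""
PID 4812 wrote to memory of 4356 4812 {SAMPLE} 83
PID 4812 wrote to memory of 4356 4812 {SAMPLE} 83
PID 4812 wrote to memory of 4356 4812 {SAMPLE} 83
PID 4812 wrote to memory of 260 4812 {SAMPLE} 85
PID 4812 wrote to memory of 260 4812 {SAMPLE} 85
PID 4812 wrote to memory of 260 4812 {SAMPLE} 85
PID 4812 wrote to memory of 4804 4812 {SAMPLE} 86
PID 4812 wrote to memory of 4804 4812 {SAMPLE} 86
PID 4812 wrote to memory of 4804 4812 {SAMPLE} 86
PID 4812 wrote to memory of 936 4812 {SAMPLE} 87
PID 4812 wrote to memory of 936 4812 {SAMPLE} 87
PID 4804 wrote to memory of 1072 4804 4konya.exe 88
PID 4804 wrote to memory of 1072 4804 4konya.exe 88
PID 4804 wrote to memory of 1072 4804 4konya.exe 88
PID 1072 wrote to memory of 1984 1072 cmd.exe 91
PID 1072 wrote to memory of 1984 1072 cmd.exe 91
PID 1072 wrote to memory of 1984 1072 cmd.exe 91
PID 1072 wrote to memory of 1812 1072 cmd.exe 93
PID 1072 wrote to memory of 1812 1072 cmd.exe 93
PID 1072 wrote to memory of 1812 1072 cmd.exe 93
PID 936 wrote to memory of 4940 936 mac.exe 98
PID 936 wrote to memory of 4940 936 mac.exe 98
PID 1512 wrote to memory of 2212 1512 fabyope.exe 46
"""

# child PID -> parent PID, transcribed from the "Processes" tree on this page.
TREE_PARENT = {4812: 2212, 4356: 4812, 260: 4812, 4804: 4812, 936: 4812,
               1072: 4804, 1984: 1072, 1812: 1072, 4940: 936, 672: 1512}
PROC_NAME = {2212: "Explorer.EXE", 4812: SAMPLE, 4356: "100k1Cheat.exe",
             260: "runme.exe", 4804: "4konya.exe", 936: "mac.exe", 1072: "cmd.exe",
             1984: "WScript.exe", 1812: "WScript.exe", 4940: "dw20.exe",
             1512: "fabyope.exe", 672: "WerFault.exe", 4160: "WerFault.exe"}

# "PID <writer> wrote to memory of <target> <pid> <Process> <procid_target>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_edges(text):
    """Unique (writer_pid, target_pid, writer_name) tuples in first-seen order.
    The sandbox logs one row per WriteProcessMemory call, hence the repeats."""
    edges, seen = [], set()
    for writer, target, pid, name, _procid in ROW_RE.findall(text):
        assert writer == pid, "the pid column always restates the writer"
        edge = (int(writer), int(target), name)
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def children_map(edges):
    """writer PID -> list of PIDs it wrote into."""
    kids = defaultdict(list)
    for writer, target, _ in edges:
        kids[writer].append(target)
    return dict(kids)


def non_child_writes(edges, parent_of=TREE_PARENT):
    """Writes whose target is not the writer's own child. A parent writes into
    a child it has just created as part of normal process start-up, so those
    rows are noise; a write into any other process is an injection candidate."""
    return [e for e in edges if parent_of.get(e[1]) != e[0]]


def describe(edges, names=PROC_NAME):
    return [f"{name} ({w}) wrote into {names.get(t, '?')} ({t}), which it did not spawn"
            for w, t, name in non_child_writes(edges)]


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    print(f"{len(edges)} unique edges from {len(ROW_RE.findall(WPM_ROWS))} rows")
    for line in describe(edges):
        print(line)
```

`children_map` reproduces the tree the report draws (4812 spawning 4356, 260, 4804 and 936, and so on), and `non_child_writes` leaves exactly one row standing, the fabyope.exe write into Explorer.EXE. For another report, paste its rows into `WPM_ROWS` and its tree into `TREE_PARENT`; the regex is the same because the signature text is fixed.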
Processes (nested by parent/child depth)

C:\Windows\Explorer.EXE  (PID 2212)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe  (PID 4812)
    command line: "C:\Users\Admin\AppData\Local\Temp\f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe"
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\100k1Cheat\100k1Cheat.exe  (PID 4356)
      command line: "C:\Program Files (x86)\100k1Cheat\100k1Cheat.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\100k1Cheat\runme.exe  (PID 260)
      command line: "C:\Program Files (x86)\100k1Cheat\runme.exe"
      - Executes dropped EXE
      - Drops file in Program Files directory

    C:\Program Files (x86)\100k1Cheat\4konya.exe  (PID 4804)
      command line: "C:\Program Files (x86)\100k1Cheat\4konya.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  (PID 1072)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Hn\Ip\nechelovecheskieebanyai.bat" "
        - Drops file in Drivers directory
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WScript.exe  (PID 1984)
          command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Hn\Ip\nash_sitee.vbs"
          - Drops file in Drivers directory

        C:\Windows\SysWOW64\WScript.exe  (PID 1812)
          command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Hn\Ip\sklspaanngwdf.vbs"

    C:\Program Files (x86)\100k1Cheat\mac.exe  (PID 936)
      command line: "C:\Program Files (x86)\100k1Cheat\mac.exe"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  (PID 4940)
        command line: dw20.exe -x -s 1576
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken

C:\PROGRA~3\Mozilla\fabyope.exe  (PID 1512)
  command line: C:\PROGRA~3\Mozilla\fabyope.exe -pbtetmh
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe  (PID 672)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 556
    - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 4160)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1512 -ip 1512
Network
MITRE ATT&CK Enterprise v6
Downloads (dropped files; the report gives hashes only, no file names. Entries that repeat with identical hashes are listed once with the number of times they appear, i.e. the same content was dropped more than once)

Filesize: 171KB (two entries in the report)
MD5: 373c8e014449a379b8b630882dc7e33b
SHA1: 2eddbd53f2a4c8efe671162ee89ef469a1fc4813
SHA256: d5da209decd9aa04b7340a187f97b303ec0085a35c388cde7c1ebfcf3c72d0d2
SHA512: e8aef9df46e9d0b0eeccdd475a62dcea68ff3330387238d7d3f692483774d6059c7e3dbe0441b6c214e7b16562bf48332ca7c34fe08a29e798e0342703cdc3d8

Filesize: 1.3MB (two entries in the report)
MD5: be3a5557474d103e6f1ee8367a9e2140
SHA1: 54289142391461e1fa2038c2edfaad3e693196d1
SHA256: dcf11b6d55aacddcd84d003bdb0540f49473aca37637da1ca5cdacbee4f51f39
SHA512: 027963f6cee8e48bca35e1bf0df37eb6041634821093ffb0c76ce7634cef108dceee731265b9d2238bb2353e44e2b7f5592c4f0d56051048e053981ac8a71d09

Filesize: 158KB (two entries in the report)
MD5: 07373d3d78d48c0f53b85ad58f24e5bb
SHA1: a5b4973d41478b08002b7b5382e34c78ff10eb9c
SHA256: e0261994d918a82b593978e14ab648dd584a2a2b90800ffc629cb7690882f46c
SHA512: f29461e0fa9ef36aff0f1a3e9d1f8ae28209629c7281d4bd153d6766275eb2d0544c6c132da9029b47c64ca80c52b46281a78a5a9bc8cd11bcffe63f301c2fc9

Filesize: 48KB
MD5: d923d4b8d2eba5847c92b8fdd3a0378f
SHA1: e99c5b639918616d41e06f1274c6ec5b9706c706
SHA256: 73de6d8cd7795bed2fe4dd894a3febfc0083b7916b9bedc77a61fa1d23deee84
SHA512: 2fcc23f1fa829fada9e77814af8062a077871128eddc6233c8bf1673af1ee0475489d2c6b8585e1d4066f2acf0657e024ac7fa93659c0ca0fb68bf582ce068bf

Filesize: 86KB (two entries in the report)
MD5: 47af31afd8658aa7924283ce9f33ab0c
SHA1: bffc90a3ad32d6b085972a1401563bdafc97cd14
SHA256: 041ee5479c2fd3df52c3ece70f6948eadb200aee7ad2cbaa7b25326383cddd95
SHA512: 4b1b101bc3bbf14ce31f8d6620467e1d812fc220e46ac580c8c77fe71ba45f75876365f71bdbee871374a7c19c5e0160a376a55c9b428db6f61644d9c3e3a695

Filesize: 171KB (two entries in the report)
MD5: 42d8ddd16cba2f8b650e6bf22d863314
SHA1: 739682da0289f88dc2f8b91f06afb647973febe6
SHA256: 5eca8093d677fc3c6c42e5b5d14e1f05164844bf5fcf5789ca60a6ad9d479e17
SHA512: 5ddb9dd75d921e07ee64d29bf8f3b6fb80550dded14731cbde7109151cb8abedd6049cdacdfe6dd2daaa30d5d6a0c11b4ce6caff0396b56f9a35390c54e32d75

Filesize: 52B
MD5: 7aa07f785cfc0913e892ce24cb5c8e94
SHA1: 91d6ce52e1af94cd41d2dd0a6d3d455433c275cc
SHA256: c10db1061105cddf2b206975d9f4f435622e40f86d56102755a5d7b149b0e2a8
SHA512: 86359083430e1c48a0f5b98934d38fcfd8df76b60b72d7bda5ac6a865a4276fdbdf8a65398b60e9bbff56b54098a2f59077a33037ed1145a4b0a2dba23b3eaaa

Filesize: 1KB
MD5: e4b07c4d8c2a30fd33975ca46684ce70
SHA1: c31d3591f02a3ffa9f830a5de658f8963638573e
SHA256: f1a9e5597d260ae2412ab0b58a68f696d50cbe64bc8b8c80cec843d18d5d6fdc
SHA512: c2d088174d5fbd79d1736019bdd78109f9462b649da079a6a3c123f15f1c9b1d4c0660c9b703eba83cb474bd789b769f4270a2e9a714d68beac355ee2e45c9ac

Filesize: 1KB
MD5: 903c3fde8f34ea51a43f4bd6ef8d1ca4
SHA1: 3d1c08f85c9a0d21a3939736ec7a2d8e31e6e266
SHA256: 64e6320a38d34becae991604650ab485b92f3c7f5fdbd50e4abe2e2cfab47ee8
SHA512: aa29b9acdb1f5b85ecc413f0caab022aa16568f81709f66cb9376ed3d7c679763e2d200ffb82547111f2c7fa557cd904a028b21d0a5bf5662614e748df859577

Filesize: 27B
MD5: 213c0742081a9007c9093a01760f9f8c
SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Filesize: 162B
MD5: 5f382b9588ea4f91896c681fb07d0c4c
SHA1: 84fd66ccc46556b7fb80a79a9c803a3fee54a929
SHA256: d0b58b45574fc822e7551096a35e93c7ebae8219696dd165dfc3796119396944
SHA512: 5d2e845cfbe8ce2980ab4bfb528105a7198ee4134348437eb2d50d34f1e49dc3be7a94605c41d9c2956ac7cee61dc02b8088b2a277388c4f3171caf97dc8efac

Filesize: 1KB
MD5: 868bd8c2d043aea8fc42de40a454ddf5
SHA1: 3010c74068a905aa5fa3539b8c5ec3e022608dc8
SHA256: 3c03898e7ba201e7b9a9ca787ee4507b034f64f803e8b17198790281a08f5e82
SHA512: 201995705b4f679dfb7974246e92c7e4e5944ae71d5e4ea98864b0450ae9975922827e0a6e62c00cad2c1e878e4586671d2f335faf9a7b5089e6f1ae45a6ac06