Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
02/12/2022, 23:47
General
-
Target
bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
-
Size
622KB
-
MD5
c1cabb2e37a93e1b52741e4db2a42867
-
SHA1
e0323afd4cbf5a07b455c296e1864fe540b66a52
-
SHA256
bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7
-
SHA512
d64055c8c1876a33e9151c131638905c8e0a27fd80268022dc491dacbb86b95f0b8df41642a2703fa8151c0018836df2e18b439a65a6281caebee3e6f5bc253a
-
SSDEEP
12288:D5O2a583b9SeSuKqkOhF/kD+mne9yi35hRySuaKN3atO6XchbtFJJHvzLZyW0:DI3eL7SuxFkajoKRyVNKt7XGx7LZf0
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in System32 directory 55 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Modifies registry class 2 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe"C:\Users\Admin\AppData\Local\Temp\bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\systemok.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\WINDOWS\system32\hosok.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeReg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exeReg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32 SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\TmpInf.inf4⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r5⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o6⤵
-
-
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s sy.reg4⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Runs .reg file with regedit
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.7802.com/index1.html4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc532246f8,0x7ffc53224708,0x7ffc532247185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4460 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5660 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings5⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x1bc,0x1c4,0x228,0x204,0x22c,0x7ff7ee7e5460,0x7ff7ee7e5470,0x7ff7ee7e54806⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1816 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4500 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1940 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3652 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,8829323258893988423,5636563865467203956,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:85⤵
-
-
-
C:\Windows\SysWOW64\filmtvdy.exe.exefilmtvdy.exe.exe4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\╫└├µ\*.lnk" +R +S4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk" +R +S4⤵
- Views/modifies file attributes
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
58B
MD5ef482bb78b8fff6cf20ec2ff9a677a93
SHA17613c5c62b89e63dc686c0f4007c4a77a4a77335
SHA2567fc3b374408af4dac1e4c39fc1218c98cb692241fd2a753ed169627e70f1536d
SHA512b4f00ef86cf8fa09517eb09d16d448d45363b87973fe346b3b6b6e9c3c41e087ede8c1a9aa0934fc1abd4d0fb01b853ec501c3bca5483a539c8d28607fd45166
-
Filesize
750B
MD5b9f15477397d9f3ae25c17e4b2dd3cee
SHA16e3fd0d8bae6f821050f41bda9f8cb875085e311
SHA256b17d6cda34f2a70222343052d6191d38a93dc2341b84592c9051272ebb8da89d
SHA512bb4231db0aa11c48d51e709d565636c02f324c19d1a5fa88c62f3c700deb4bfff78f3a4c3d7351734476a2c9631157e9fee66cf573fc5e68cfacd7c154c44f94
-
Filesize
825B
MD52f64577dbeb2275e301096c25180a7b6
SHA1d703e4a8bb1e7a6a317640652686c385e99edc9d
SHA2569f254befa16579f526e7d1343a7c5818b9a428ba0bea31f669b5ed09159912da
SHA5122f203ba67016de5c5cc686a4f6d9f2ce6c2f8f3d0aa2427c9e890345f5497322a4c161a312a233be0a9a0c2e3880679be2d30498a760108eeb8050ccae95af40
-
Filesize
1KB
MD5fb9855d026204d0942d4f78aa62c6372
SHA1a2d1b75036866d486578a54383aa05102be677fe
SHA256fc0670a3787a9a07e3bbb08397ee5212ee26f58d9ebd4a34928861014e6b0c1f
SHA512ab4e9869c866f5e3b778c57f7331809fd0b6e78aa180e4d9229c67c813dfd1628e9dc02016a47dc56d4d99d3cb81f51bfbcbe191cb0f84acb14a8792c25597dc
-
Filesize
3KB
MD5149a41054f981207166cd66b3c641bbb
SHA1b0e4a78ca1c52b1eff082673a5f02e9c3d85670e
SHA25676c45084389de35324e588734b5728e7990dd059393a802a9287abeae193a874
SHA512e1f33651d19d41683d99bad4aeb653b20917aae2869670f9e24354840cb1ae6881204c2ce1ce3a36ba7a1afd125a8c2caf6d025a3e70c0d2e18dc497c86f66e7
-
Filesize
750B
MD5b9f15477397d9f3ae25c17e4b2dd3cee
SHA16e3fd0d8bae6f821050f41bda9f8cb875085e311
SHA256b17d6cda34f2a70222343052d6191d38a93dc2341b84592c9051272ebb8da89d
SHA512bb4231db0aa11c48d51e709d565636c02f324c19d1a5fa88c62f3c700deb4bfff78f3a4c3d7351734476a2c9631157e9fee66cf573fc5e68cfacd7c154c44f94
-
Filesize
825B
MD52f64577dbeb2275e301096c25180a7b6
SHA1d703e4a8bb1e7a6a317640652686c385e99edc9d
SHA2569f254befa16579f526e7d1343a7c5818b9a428ba0bea31f669b5ed09159912da
SHA5122f203ba67016de5c5cc686a4f6d9f2ce6c2f8f3d0aa2427c9e890345f5497322a4c161a312a233be0a9a0c2e3880679be2d30498a760108eeb8050ccae95af40
-
Filesize
1.1MB
MD561ff06afacdddff1693edb20bf75af9a
SHA11760aa47666f051c1688b0f973cfc578381e0a1d
SHA2561ab04818fa81b13c12ada62eb2dc9bb3e8d87b45a23109411d4e5e04b6b29324
SHA512a25df9cd9f48e7545ebb095702517aa1bfe8355c0fc25845d5c1e68e284fcc7b505979eedcb92cf318368327f12ddfb2fc2d408f7c68531dd9c0ab81033666d7
-
Filesize
1.1MB
MD561ff06afacdddff1693edb20bf75af9a
SHA11760aa47666f051c1688b0f973cfc578381e0a1d
SHA2561ab04818fa81b13c12ada62eb2dc9bb3e8d87b45a23109411d4e5e04b6b29324
SHA512a25df9cd9f48e7545ebb095702517aa1bfe8355c0fc25845d5c1e68e284fcc7b505979eedcb92cf318368327f12ddfb2fc2d408f7c68531dd9c0ab81033666d7
-
Filesize
136B
MD5fd42ca99744ac43b0b142086e086a10f
SHA1364cec2b17c4432c051cbe8a13e58fd601755d66
SHA2565a82dcac1ae4fafc2c80ac355cb806cbd5d41cab252e156d25d7304bec12fd79
SHA512e78de61feb7c46307e2485aba97665cb75b819f8958b17894ea4270090939534e2f3e1355dcfa975d642b62616c553735c134a8dd73d322237e06acaaef14827
-
Filesize
67B
MD5f03e7702a11c470021bcddc98a64b383
SHA1694e8b23752071e2892cf881b41627cb5db67517
SHA256cdcbdd321373c5897e3d8d14ba5604ae53c259f06de4f65cd6953339838a19f8
SHA512357be3b87ac7576fd2f7a72d3ee911104b8cfb6cf709ce11b8e02043b9e10349247731e7abeac3a9d10d20d31fe0632cb67cdca5fe6e1aa397b76436a5b886a2
-
Filesize
1KB
MD5fb9855d026204d0942d4f78aa62c6372
SHA1a2d1b75036866d486578a54383aa05102be677fe
SHA256fc0670a3787a9a07e3bbb08397ee5212ee26f58d9ebd4a34928861014e6b0c1f
SHA512ab4e9869c866f5e3b778c57f7331809fd0b6e78aa180e4d9229c67c813dfd1628e9dc02016a47dc56d4d99d3cb81f51bfbcbe191cb0f84acb14a8792c25597dc
-
Filesize
1KB
MD51994ec6880ae00688c6486af5ba1b795
SHA14708a94bb94548ce069281956fca9175fcee8b2b
SHA256598c410101300bf7c331e03e271f3640ec76a6e7bb1df656d0a562ea1225213a
SHA51271302662e3a0723563fd0b11eac536059c2e32b28d40484848beae000f46897d0f34e0f5214a44891d3bd50d2c5fdb836fe303a2f443742616f7fb6d37dec9d1