Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 211s
max time network: 265s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 02/12/2022, 16:56
Static task: static1
Behavioral task: behavioral1
  Sample: f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
  Resource: win10v2004-20221111-en
General
Target: f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
Size: 2.7MB
MD5: 1225acf9d74a4e4652eb0484d7d83420
SHA1: e4a9475e685b326c291dc712fa49190b78dd3bd4
SHA256: f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5
SHA512: d8bc4757b7114aefdce5f52ece22aa95d77f2e8e757076e2b200a3e4cecbb145f2e180d4010546183fd53dc10de3796da51a6d5be8aeee1ca5d5126130719903
SSDEEP: 24576:HafIiy4NwdLpQc9wibXbWejl9keHLXThLQs4G42zcr/FDp4G9Z:6ffy4NwrQ+waXxl9n/htP4ZrVOGf
Malware Config
Signatures
- Detected phishing page
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.west.cn\ = "123" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.west.cn | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "123" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\west.cn\Total = "20" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "20" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\west.cn\Total = "186" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "186" | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\west.cn\NumberOfSubdomains = "1" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.west.cn\ = "186" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09B9FF30-748B-11ED-9B91-62E10F117DDC} = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377002587" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.west.cn\ = "20" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\west.cn\Total = "123" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09B9D820-748B-11ED-9B91-62E10F117DDC} = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\west.cn | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
- Suspicious use of FindShellTrayWindow (5 IoCs)
  pid | Process
  976 | f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
  976 | f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
  976 | f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
  900 | iexplore.exe
  968 | iexplore.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  976 | f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
  976 | f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
  976 | f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid | Process
  900 | iexplore.exe
  968 | iexplore.exe
  900 | iexplore.exe
  968 | iexplore.exe
  1948 | IEXPLORE.EXE
  1948 | IEXPLORE.EXE
  1572 | IEXPLORE.EXE
  1572 | IEXPLORE.EXE
  1572 | IEXPLORE.EXE
  1572 | IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 976 wrote to memory of 900 | 976 | f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe | 28
  PID 976 wrote to memory of 900 | 976 | f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe | 28
  PID 976 wrote to memory of 900 | 976 | f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe | 28
  PID 976 wrote to memory of 900 | 976 | f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe | 28
  PID 976 wrote to memory of 968 | 976 | f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe | 29
  PID 976 wrote to memory of 968 | 976 | f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe | 29
  PID 976 wrote to memory of 968 | 976 | f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe | 29
  PID 976 wrote to memory of 968 | 976 | f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe | 29
  PID 900 wrote to memory of 1948 | 900 | iexplore.exe | 32
  PID 900 wrote to memory of 1948 | 900 | iexplore.exe | 32
  PID 900 wrote to memory of 1948 | 900 | iexplore.exe | 32
  PID 900 wrote to memory of 1948 | 900 | iexplore.exe | 32
  PID 968 wrote to memory of 1572 | 968 | iexplore.exe | 31
  PID 968 wrote to memory of 1572 | 968 | iexplore.exe | 31
  PID 968 wrote to memory of 1572 | 968 | iexplore.exe | 31
  PID 968 wrote to memory of 1572 | 968 | iexplore.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe"
  PID: 976
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.jipinla.com
    PID: 900
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:900 CREDAT:275457 /prefetch:2
      PID: 1948
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.1234.la/an.htm?qqchang
    PID: 968
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:968 CREDAT:275457 /prefetch:2
      PID: 1572
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 61KB
  MD5: fc4666cbca561e864e7fdf883a9e6661
  SHA1: 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
  SHA256: 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
  SHA512: c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
  Filesize: 1KB
  MD5: c7c90d7e57408cbd8d05e86a29e3e3c3
  SHA1: 494c48fae580e5408d533a2deffa7463c3b50d07
  SHA256: 906ff54dc7b8250eafe5d01b3b2b4bf0af7483799e6a4da5df8036a94c95781d
  SHA512: 3cff5510f50c8431d19a28e29107aa843bceaa9847b8b4f412b409f512c4760c2758b6216859798af831776d1f353eaea478e04e097324115c0961a54fbed474
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6a672aaf37f59e18e935908bf65aed31
  SHA1: e673c2c61233f2ebb84b0ac808c102e14ff249b1
  SHA256: 33465a72b18e9a1a9e2252677d828504462d83568d574c66538673a52a769eb5
  SHA512: c6f99c450b0a69b9c9b6003b435d01dc306b31fcdae26397d8f1a3d996890126167ec24adc1f39174585a29c1f8c1f9cdd565debd3073736d8759a74015b513e
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
  Filesize: 492B
  MD5: 16e8448c62d6d08e0a9edfc0e672dba7
  SHA1: c93b72f762b408b0fff6918c82c2c88ecb809403
  SHA256: f0451fb735ec60afcb11c29094d8b4cdb80a1838abe14905d9856b13c2498bd8
  SHA512: cd8da4f876a52007102023d83ae03c8a7a76a4e19cc7ffc68da089c127df1b8c4d1ae58da5ff924c6bf5df00325bed9cd69f4aa6e56e168dc2071e91b227b542
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{09B9D820-748B-11ED-9B91-62E10F117DDC}.dat
  Filesize: 4KB
  MD5: 30986b82cba009c3bdf36b78dddc6b83
  SHA1: dabd0ee1254d672ea6bb5861045f38ae2314b3ee
  SHA256: efa040a35ccdb4b844cd4225f55772b29fc479fa1a9570a8e0c5cd817a25da48
  SHA512: 396538f77e65a97acd3a68dd9617c344435342203fac5642feaeadf36b6bb3f06b1ee6c25a4079e2cea7ac194c4039c27ccff2883d26b22f71bd2e5239a1a7f1
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{09B9FF30-748B-11ED-9B91-62E10F117DDC}.dat
  Filesize: 5KB
  MD5: 9841fc782977ae92ff0a7a9fc6923c67
  SHA1: f84dae56fac64274cc05eb7e495684613a3bfabb
  SHA256: dc3189f5d2f874f2294e670e784220b972325116728de6a7ea77b3b9165e0477
  SHA512: a6b96d4bc644066627f0fe94c33c73a5cf924df47245e1fc89d85a21ab0ce9be4ee0b78d83713ed97b9c7cc425d149e2f22ece43a426f10d20ce0e8a6cd89a90
- Filesize: 601B
  MD5: 8b869222dd24ca25e8876c2109970083
  SHA1: 4e9e5baa87f5eb636d75983abeecf5b18bd434fe
  SHA256: 6c130c00d6bc72c198fc475bf2ed6b5c2cd4538657ed65ae175b7041a90f680c
  SHA512: fca63b1a744e6661385158878b3a82d9f426692f5089058ff4540734d7b6d322977465c4ae4ef5579ee88cda056d5781ce0549077e7633a8437ef013e1332101