Analysis
- max time kernel: 206s
- max time network: 234s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/12/2022, 16:56
Static task
- static1
Behavioral task
- behavioral1
  Sample: f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
  Resource: win7-20221111-en
Behavioral task
- behavioral2
  Sample: f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
  Resource: win10v2004-20221111-en
General
- Target: f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
- Size: 2.7MB
- MD5: 1225acf9d74a4e4652eb0484d7d83420
- SHA1: e4a9475e685b326c291dc712fa49190b78dd3bd4
- SHA256: f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5
- SHA512: d8bc4757b7114aefdce5f52ece22aa95d77f2e8e757076e2b200a3e4cecbb145f2e180d4010546183fd53dc10de3796da51a6d5be8aeee1ca5d5126130719903
- SSDEEP: 24576:HafIiy4NwdLpQc9wibXbWejl9keHLXThLQs4G42zcr/FDp4G9Z:6ffy4NwrQ+waXxl9n/htP4ZrVOGf
Malware Config
Signatures
- Detected phishing page
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow (5 IoCs)
  pid   Process
  3180  f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
  3180  f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
  3180  f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
  220   iexplore.exe
  116   iexplore.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  3180  f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
  3180  f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
  3180  f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid   Process
  220   iexplore.exe
  220   iexplore.exe
  116   iexplore.exe
  116   iexplore.exe
  3760  IEXPLORE.EXE
  3760  IEXPLORE.EXE
  3756  IEXPLORE.EXE
  3756  IEXPLORE.EXE
  3756  IEXPLORE.EXE
  3756  IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 3180 wrote to memory of 220    3180  f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe     83
  PID 3180 wrote to memory of 220    3180  f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe     83
  PID 3180 wrote to memory of 116    3180  f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe     84
  PID 3180 wrote to memory of 116    3180  f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe     84
  PID 116 wrote to memory of 3756    116   iexplore.exe                                                              85
  PID 220 wrote to memory of 3760    220   iexplore.exe                                                              86
  PID 116 wrote to memory of 3756    116   iexplore.exe                                                              85
  PID 116 wrote to memory of 3756    116   iexplore.exe                                                              85
  PID 220 wrote to memory of 3760    220   iexplore.exe                                                              86
  PID 220 wrote to memory of 3760    220   iexplore.exe                                                              86
Processes
- C:\Users\Admin\AppData\Local\Temp\f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f939375fd2b44e64fed69e39edcbe9ce6d86eee7e217988564b54d6680a56af5.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3180
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.jipinla.com
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 220
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:220 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID: 3760
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.1234.la/an.htm?qqchang
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 116
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:116 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID: 3756
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 4fdbf2a017275068edb32ae5fae40486
  SHA1: 18e582515bf745300816dc8d4ca8156684a086e7
  SHA256: 05672ea05a2043c0b41dc8b81828d9987c683f90d5f2387f1f66cf352b7da937
  SHA512: 29cf468c20e6be691f6924f04cefa0468e5809319845a3cc3f433d20b27a99fc4e22b05fd73d876304bf456c4d5d5730fe110292ee13c4e29e8248fe15f30fe0
- Filesize: 1KB
  MD5: 1519171ba0e9b6aabdd22495c93b43f8
  SHA1: da916b57522c4c4cbac2aedc3354bc6c69a56270
  SHA256: dfb271a64ffabd0110e6c943e6052fca6dcb7cc738c9cc4c03ce3732361fa318
  SHA512: 7392b921cdb6419c616d744e9556b09d38a2e0956cf0ee0687aba4b4ff75ad7692440afa6d99daeea67f0c07197b466990d6d2c6e4d3567cd8f15b0750dcff2d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\26FAECAB15AD715CB7849E2211F9473B
  Filesize: 230B
  MD5: d30978bc7a2ebbdf400ce0be0eaecf39
  SHA1: ea3ee7fc6951ba6ad2e615434cc44afbd2841125
  SHA256: 6a79d02fcd0bf222f6ecbca252e245a611f4875763418e3dee0799fbb77e52e9
  SHA512: a2eea47568600b84ab67080a80d313d91218f774be89d43807cfdb91adec7b05e810195a748036d9e7c1d1e5682cb22287c3b95ece8f0bb9ab97d00e474d078a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E7EC0C85688F4738F3BE49B104BA67
  Filesize: 186B
  MD5: 1f8e6c26d69fd220ae3ab6b13372ba5c
  SHA1: f80ea8735b75cf6c77ad8d23387441e341421ad5
  SHA256: 0d6499088b46a90a79e9ac23669e6624d7bd09b08c5c61f482b0c734daa88e9e
  SHA512: 61b2e405ba840422d821ef487f05742d5c422d83fef7af4fa16bd175e6f1bf416ef480e2493e5ac07d3280886eb598791b78bfe1802e5a41a4802c43ff49f367
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CFE593EF-748A-11ED-919F-DAD30C974647}.dat
  Filesize: 5KB
  MD5: 13124da690049eac7da7b73ac93a1a8b
  SHA1: f810e77d5eaef4984351062bed79ba59dbd2cff8
  SHA256: b1c7131c91f9715fa54c6418a70afd3bf2f45a378674de8f7d965bd556336dee
  SHA512: bdbdb11954a073452f9de09a7389fa1188fc03065dd889cd11936a2e59fbb9423d9c105ccabf1624d841f35deb496b0e91c5d1181855cafdae201873ce14e0a4
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CFE5BAFF-748A-11ED-919F-DAD30C974647}.dat
  Filesize: 5KB
  MD5: e02ba6d79aeb8ca0913afb2f9ce33e7e
  SHA1: 0bb31621167ce3476ae79390668cbe52607201c3
  SHA256: ee90094c7c3194e06d319843dbec69393ea8d18e70cb564a39b037cd2416d25d
  SHA512: 29ca913afa428e126bb338cc1eae81aa17b65ac8da7ead8ad2903ba6fcc1ca998a5a6f801cf07b6e1673419492d047f2164ce68e7479f5d0ab48b633d2c26d13