Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    155s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/12/2022, 18:31

General

  • Target

    d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739.exe

  • Size

    848KB

  • MD5

    f9c7e26ef27c5ee51e323bf44fbb55da

  • SHA1

    38893810448f1383dd44350c4c90d7fc72249680

  • SHA256

    d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739

  • SHA512

    763638f935321c29cb627a8c600c6586e6dafc5018ac369b850c3c7b2087baf1c6e1a4bc2b69cad15646e916da5cb2b4f0f0f884e92d07e985bc08ac2be86854

  • SSDEEP

    1536:7Eo6GzI9cono/es2KyvLh423iZB7LbGnkBwUDXLY+cnCd4SztNXjU8UdatVgc1h:g8ciono/e95vLh4j2Umns4khjU0jZ

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 15 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739.exe
    "C:\Users\Admin\AppData\Local\Temp\d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Users\Admin\AppData\Local\Temp\d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739.exe
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Users\Admin\E696D64614\winlogon.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1028
          • C:\Users\Admin\E696D64614\winlogon.exe
            "C:\Users\Admin\E696D64614\winlogon.exe"
            5⤵
            • Modifies firewall policy service
            • Modifies security service
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Windows security bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Sets file execution options in registry
            • Drops startup file
            • Windows security modification
            • Checks whether UAC is enabled
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:5076

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    Filesize

    2KB

    MD5

    97acf0930ce9f2f69d40ed8e1178cec6

    SHA1

    6380a2d97e4b4ccc3b4598cc2d431702e54ed69c

    SHA256

    b38f02de41dbb7db433a5f440dff85432150ff71d53b7ef8792d96da80962343

    SHA512

    f49c8a4fa51127e7d8b71cd0257bbedc8855ea708ec0e313e5071b656aedb815b55e51619df24ed967c4df0e685a4940cc1f123aa4ee0198a3d1ada1b42480e1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2119239CBE0D3DBEF6F19E0B10265873

    Filesize

    472B

    MD5

    f1dacaaa678dfa6d22420a8b46047d44

    SHA1

    8b80f47f01cc0714a47ff3d734b6bce89756ec26

    SHA256

    6533e522fdc5ac5af0079b6c4599cee64810a54671c9e4c49f8a79597b57926e

    SHA512

    34682d276393fe8c92c96fd8d0e61fd05aced08f6a10278da01fb1294177a8021021ad9c409e56381976f80ba99922c6aacde19084df2fcfff29fbd28108a1f3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    Filesize

    488B

    MD5

    546c997f0108e1b31bc226984116d980

    SHA1

    9bfc6dbe24652dc34011ccf8f1846ff567278b33

    SHA256

    99f303b169ba7418cdac43e29fa938b17b2082ed2c96c680f5eb299cd41edda0

    SHA512

    2e2e5e28542492f3a659b79dcbb571ac73599451796ab46266685a46c441eb7189e9ca59a695b886206dd7902fec1ae440c2bbb4fade63f26be4e90a44355661

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2119239CBE0D3DBEF6F19E0B10265873

    Filesize

    476B

    MD5

    4d668ed15bc3269e8d167e7c189578a5

    SHA1

    4051d0b57b6d0c18fc6bd2ed8f2d69120a1b8e06

    SHA256

    e2c8476791a382b5849ef02f2942a7ed2873c12b6e7d8de227131cc7b4a10c6b

    SHA512

    a61acf165922b4f36d48b4a6ebe11340d4010de71fd1e006e42ece498cf8b24949115985eacc3065866b0620c7eff062b98a28b263e4903729c9261758e3d764

  • C:\Users\Admin\E696D64614\winlogon.exe

    Filesize

    848KB

    MD5

    f9c7e26ef27c5ee51e323bf44fbb55da

    SHA1

    38893810448f1383dd44350c4c90d7fc72249680

    SHA256

    d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739

    SHA512

    763638f935321c29cb627a8c600c6586e6dafc5018ac369b850c3c7b2087baf1c6e1a4bc2b69cad15646e916da5cb2b4f0f0f884e92d07e985bc08ac2be86854

  • C:\Users\Admin\E696D64614\winlogon.exe

    Filesize

    848KB

    MD5

    f9c7e26ef27c5ee51e323bf44fbb55da

    SHA1

    38893810448f1383dd44350c4c90d7fc72249680

    SHA256

    d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739

    SHA512

    763638f935321c29cb627a8c600c6586e6dafc5018ac369b850c3c7b2087baf1c6e1a4bc2b69cad15646e916da5cb2b4f0f0f884e92d07e985bc08ac2be86854

  • C:\Users\Admin\E696D64614\winlogon.exe

    Filesize

    848KB

    MD5

    f9c7e26ef27c5ee51e323bf44fbb55da

    SHA1

    38893810448f1383dd44350c4c90d7fc72249680

    SHA256

    d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739

    SHA512

    763638f935321c29cb627a8c600c6586e6dafc5018ac369b850c3c7b2087baf1c6e1a4bc2b69cad15646e916da5cb2b4f0f0f884e92d07e985bc08ac2be86854

  • C:\Users\Admin\E696D64614\winlogon.exe

    Filesize

    848KB

    MD5

    f9c7e26ef27c5ee51e323bf44fbb55da

    SHA1

    38893810448f1383dd44350c4c90d7fc72249680

    SHA256

    d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739

    SHA512

    763638f935321c29cb627a8c600c6586e6dafc5018ac369b850c3c7b2087baf1c6e1a4bc2b69cad15646e916da5cb2b4f0f0f884e92d07e985bc08ac2be86854

  • memory/1028-152-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/1028-153-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/1964-139-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/1964-133-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/1964-143-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/1964-135-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/1964-136-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/5076-155-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/5076-159-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/5076-158-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/5076-166-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB