Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
189s -
max time network
195s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
03/12/2022, 03:53 UTC
General
-
Target
d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe
-
Size
492KB
-
MD5
6c5a68c3aba0ddcedd8c5b2cd13b65d0
-
SHA1
6dd1839a937b966096ffc7202810bd02d49aec55
-
SHA256
d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07
-
SHA512
8c10f16cb360a9a0383b5b5928451e9a04d2aa3d874263e8f1fc2cb2c469e14cf96da2aa4bd31de732162425b162c05e1c348bec59ea01e8fe94fb455c9cce73
-
SSDEEP
12288:NWuYKH78FYmqyg31CVUK2IKhujlY8y0aeqsNYQU6VBaa8AYcwHVVFV:vQqs2qFyBai
Score
10/10
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 10 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe"C:\Users\Admin\AppData\Local\Temp\d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe:*:Enabled:Windows Messanger" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\servercik.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\servercik.exe:*:Enabled:Windows Messanger" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\servercik.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\servercik.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- Modifies registry key
-
-
-
Network
-
DNSdelikralll.dyndns.orgRemote address:8.8.8.8:53Requestdelikralll.dyndns.orgIN AResponse -
DNSdelikralll.dyndns.orgRemote address:8.8.8.8:53Requestdelikralll.dyndns.orgIN AResponse
-
DNS1delikralll.dyndns.orgRemote address:8.8.8.8:53Request1delikralll.dyndns.orgIN AResponse
-
DNS14.110.152.52.in-addr.arpaRemote address:8.8.8.8:53Request14.110.152.52.in-addr.arpaIN PTRResponse
-
DNS2delikralll.dyndns.orgRemote address:8.8.8.8:53Request2delikralll.dyndns.orgIN AResponse
-
DNS0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpaRemote address:8.8.8.8:53Request0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpaIN PTRResponse
-
DNS3delikralll.dyndns.orgRemote address:8.8.8.8:53Request3delikralll.dyndns.orgIN AResponse
-
DNS4delikralll.dyndns.orgRemote address:8.8.8.8:53Request4delikralll.dyndns.orgIN AResponse
-
DNS5delikralll.dyndns.orgRemote address:8.8.8.8:53Request5delikralll.dyndns.orgIN AResponse
-
DNS6delikralll.dyndns.orgRemote address:8.8.8.8:53Request6delikralll.dyndns.orgIN AResponse
-
DNS7delikralll.dyndns.orgRemote address:8.8.8.8:53Request7delikralll.dyndns.orgIN AResponse
-
DNS8delikralll.dyndns.orgRemote address:8.8.8.8:53Request8delikralll.dyndns.orgIN AResponse
-
8.238.21.126:80
-
209.197.3.8:80
-
104.80.225.205:443
-
40.79.189.58:443
-
209.197.3.8:80
-
209.197.3.8:80
-
8.238.21.126:80
-
67.24.35.254:80
-
8.8.8.8:53delikralll.dyndns.orgdns
DNS Request
delikralll.dyndns.org
-
8.8.8.8:53delikralll.dyndns.orgdns
DNS Request
delikralll.dyndns.org
-
8.8.8.8:531delikralll.dyndns.orgdns
DNS Request
1delikralll.dyndns.org
-
8.8.8.8:5314.110.152.52.in-addr.arpadns
DNS Request
14.110.152.52.in-addr.arpa
-
8.8.8.8:532delikralll.dyndns.orgdns
DNS Request
2delikralll.dyndns.org
-
8.8.8.8:530.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpadns
DNS Request
0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
-
8.8.8.8:533delikralll.dyndns.orgdns
DNS Request
3delikralll.dyndns.org
-
8.8.8.8:534delikralll.dyndns.orgdns
DNS Request
4delikralll.dyndns.org
-
8.8.8.8:535delikralll.dyndns.orgdns
DNS Request
5delikralll.dyndns.org
-
8.8.8.8:536delikralll.dyndns.orgdns
DNS Request
6delikralll.dyndns.org
-
8.8.8.8:537delikralll.dyndns.orgdns
DNS Request
7delikralll.dyndns.org
-
8.8.8.8:538delikralll.dyndns.orgdns
DNS Request
8delikralll.dyndns.org
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5d2b4adb2ea666230b62b91ab2ff015ce
SHA18815248fbd6a70505346e9ffd2fe8a6a63435995
SHA256ca3f4d3e23acf9fa7689768c28a41286789994b44e79d8e80d295ca21728b7bc
SHA5126789542a892c3ab1c6d322c1a6f0913206aa81c5966776c3d785ef7a3150a2e4ac4b4f44258704a2052dffe4000c97f26f973509bde8308369ca4cd3c85c1677
-
Filesize
175KB
MD5d2b4adb2ea666230b62b91ab2ff015ce
SHA18815248fbd6a70505346e9ffd2fe8a6a63435995
SHA256ca3f4d3e23acf9fa7689768c28a41286789994b44e79d8e80d295ca21728b7bc
SHA5126789542a892c3ab1c6d322c1a6f0913206aa81c5966776c3d785ef7a3150a2e4ac4b4f44258704a2052dffe4000c97f26f973509bde8308369ca4cd3c85c1677
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
492KB
-
Filesize
492KB