Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

c420063487...d6.exe

windows7-x64

8

c420063487...d6.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe

  • Size

    733KB

  • MD5

    8d785f76e225f71d7344a72ee1c7843d

  • SHA1

    bcb8fb534ed3381140e9ecb9ee399890c6532ac2

  • SHA256

    c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6

  • SHA512

    c917f0a543ae8c640ad483fb709357fcf81b1f5a5a5d03fc49f502d41773ab52fbba6552db3ba88cf315b9918fd8caa1c6e419c26817923fdb6930f8b92af20d

  • SSDEEP

    12288:D5OG17KmKCKHamcQ+HLwUVKQNC20O2baimSH50zkUALaUzWzu5SY/7+kPrMZ7u:DIG1BKCKHqQmLVKQNCBO2P50oIPY/C6h

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 59 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe
    "C:\Users\Admin\AppData\Local\Temp\c420063487050c49f8adc8738d22cbecf369d5d91a8c4aa0a3d12d619d4c77d6.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\system32\systemok.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\WINDOWS\system32\hosok.bat" "
        3⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Windows\SysWOW64\reg.exe
          Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f
          4⤵
            PID:1288
          • C:\Windows\SysWOW64\reg.exe
            Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f
            4⤵
              PID:944
            • C:\Windows\SysWOW64\rundll32.exe
              RUNDLL32 SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\TmpInf.inf
              4⤵
              • Adds Run key to start application
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:984
              • C:\Windows\SysWOW64\runonce.exe
                "C:\Windows\system32\runonce.exe" -r
                5⤵
                • Checks processor information in registry
                • Suspicious use of WriteProcessMemory
                PID:584
                • C:\Windows\SysWOW64\grpconv.exe
                  "C:\Windows\System32\grpconv.exe" -o
                  6⤵
                    PID:520
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Windows\system32\createcs.vbs"
                4⤵
                  PID:1528
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s sy.reg
                  4⤵
                  • Modifies Internet Explorer settings
                  • Modifies Internet Explorer start page
                  • Runs .reg file with regedit
                  PID:1324
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.vvyy.net/?v2
                  4⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:512
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:512 CREDAT:275457 /prefetch:2
                    5⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:892
                • C:\Windows\SysWOW64\filmtvdy.exe.exe
                  filmtvdy.exe.exe
                  4⤵
                  • Executes dropped EXE
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of SetWindowsHookEx
                  PID:2032
                • C:\Windows\SysWOW64\attrib.exe
                  attrib "C:\Users\Admin\╫└├µ\*.lnk" +R +S
                  4⤵
                  • Views/modifies file attributes
                  PID:816
                • C:\Windows\SysWOW64\attrib.exe
                  attrib "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk" +R +S
                  4⤵
                  • Views/modifies file attributes
                  PID:916

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\TmpInf.inf
            Filesize

            58B

            MD5

            ef482bb78b8fff6cf20ec2ff9a677a93

            SHA1

            7613c5c62b89e63dc686c0f4007c4a77a4a77335

            SHA256

            7fc3b374408af4dac1e4c39fc1218c98cb692241fd2a753ed169627e70f1536d

            SHA512

            b4f00ef86cf8fa09517eb09d16d448d45363b87973fe346b3b6b6e9c3c41e087ede8c1a9aa0934fc1abd4d0fb01b853ec501c3bca5483a539c8d28607fd45166

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            340B

            MD5

            a702797d4d28437ec645efcf2de31df9

            SHA1

            0a6a3fcb80ebf9c1bdc31b38df244b62f2d88ddb

            SHA256

            a912d9002b06460bfc0f420547d82ba030f4ec379b91c49e77a9babf92f83ea7

            SHA512

            6a12e991375a06bbc491b220b73fb0c2be00db6f438b1876884dd429cf31f6239e023ae3ca58c29d5093c91a937af310bfd14192eacab853bde638fc5fe5c1b4

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VELDS2N0.txt
            Filesize

            603B

            MD5

            b543183a68a0fbfef5be2ec0622dff03

            SHA1

            7688b2198fff840f92fa82c35dd992f986098b70

            SHA256

            c14c5651ca48c3f319dcea92e168061536958b7e99d7f4d9c63c6abf0c315b41

            SHA512

            7c6839c094cbf7221d47b00ab18fe879225c8d06cd68c43e0e995b961323cb5ae79587330df9e60f8632956287023b83871f7f746ba5e5dc25c7adcb123d731e

            Download Submit

          • C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╝½╦┘═°┬τ╡τ╩╙.lnk
            Filesize

            750B

            MD5

            b9f15477397d9f3ae25c17e4b2dd3cee

            SHA1

            6e3fd0d8bae6f821050f41bda9f8cb875085e311

            SHA256

            b17d6cda34f2a70222343052d6191d38a93dc2341b84592c9051272ebb8da89d

            SHA512

            bb4231db0aa11c48d51e709d565636c02f324c19d1a5fa88c62f3c700deb4bfff78f3a4c3d7351734476a2c9631157e9fee66cf573fc5e68cfacd7c154c44f94

            Download Submit

          • C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Explorrer Σ»└└╞≈.lnk
            Filesize

            793B

            MD5

            b9b3f37909df0306280446af2ae0295e

            SHA1

            31893a8359176fc271ce7cfd1c697bbcc17de2c5

            SHA256

            018e9ad135e3ac0ec7257a87a70eb912a6b042bcc53245b43448783a655f5876

            SHA512

            46455b232759fd64edf2a6553d86242da8d6329ee7140ce40b27fbf50c9a1bbd459f36098a92ef36bcc5911c5c068cddef00f9b27c50d89fb27169bd70a7b5a3

            Download Submit

          • C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╨í╙╬╧╖.lnk
            Filesize

            1KB

            MD5

            c323e59b3ee8e4df72521695e237fd5a

            SHA1

            9ab2591e5e89dea89dc7c0ebd369cba10edfc881

            SHA256

            e69e08efa66dd6b9c2f2b38798309e46a08441daf6d774f03f4af2c75f90ce9f

            SHA512

            2fdd32eccde68504d814dea85ee44f82cb7d52d912936664bd787931fbca3f03a05c54e9fe91e9c6c07743b3144dcf7b1865f5b21986a231c1da043af47c9784

            Download Submit

          • C:\WINDOWS\SysWOW64\hosok.bat
            Filesize

            3KB

            MD5

            d66655961b12484eff9fbfb44f24376e

            SHA1

            7babd1d68980c4ed67cfe5a57710b44191beefae

            SHA256

            7709c6e9f9b561d77a638e3c7eddd28c78c214e0afaea0e140d747ec62b14bb9

            SHA512

            5dfd4c638f6f3431e934c1f463cd9dbc176c7282975b334e02be667524b63044f92e186e3267195e6e2b245f18ed150b1239142d3519c7441f74c7b29c7cc96e

            Download Submit

          • C:\Windows\SysWOW64\FilmTVkk.lnk
            Filesize

            750B

            MD5

            b9f15477397d9f3ae25c17e4b2dd3cee

            SHA1

            6e3fd0d8bae6f821050f41bda9f8cb875085e311

            SHA256

            b17d6cda34f2a70222343052d6191d38a93dc2341b84592c9051272ebb8da89d

            SHA512

            bb4231db0aa11c48d51e709d565636c02f324c19d1a5fa88c62f3c700deb4bfff78f3a4c3d7351734476a2c9631157e9fee66cf573fc5e68cfacd7c154c44f94

            Download Submit

          • C:\Windows\SysWOW64\Internet Explorer.lnk
            Filesize

            793B

            MD5

            b9b3f37909df0306280446af2ae0295e

            SHA1

            31893a8359176fc271ce7cfd1c697bbcc17de2c5

            SHA256

            018e9ad135e3ac0ec7257a87a70eb912a6b042bcc53245b43448783a655f5876

            SHA512

            46455b232759fd64edf2a6553d86242da8d6329ee7140ce40b27fbf50c9a1bbd459f36098a92ef36bcc5911c5c068cddef00f9b27c50d89fb27169bd70a7b5a3

            Download Submit

          • C:\Windows\SysWOW64\Internet Exporer.lnk
            Filesize

            793B

            MD5

            b9b3f37909df0306280446af2ae0295e

            SHA1

            31893a8359176fc271ce7cfd1c697bbcc17de2c5

            SHA256

            018e9ad135e3ac0ec7257a87a70eb912a6b042bcc53245b43448783a655f5876

            SHA512

            46455b232759fd64edf2a6553d86242da8d6329ee7140ce40b27fbf50c9a1bbd459f36098a92ef36bcc5911c5c068cddef00f9b27c50d89fb27169bd70a7b5a3

            Download Submit

          • C:\Windows\SysWOW64\createcs.vbs
            Filesize

            468B

            MD5

            33bbb14d4da349dbc6b31ea38b41ff52

            SHA1

            301fc96ff9d7b44a853c84435278027eeac44209

            SHA256

            ac3c2df4f0254f3df34bfd773af30d55220f1e82d937ad1a60d6d7301b1cbe95

            SHA512

            3c054e2ab74493667452909590b60237346a1526227cba2390d8d61477c5d1077c832b41f8a217b791598f6361604322874f6ada26a45beece11b26e5282fa69

            Download Submit

          • C:\Windows\SysWOW64\filmtvdy.exe.exe
            Filesize

            1.3MB

            MD5

            4ec2c2cfeef1af870a02e8aa00fc3363

            SHA1

            b2262ee0e7d5daa11b017b26c10ae118efb7c6f2

            SHA256

            5851378994d31c78eff09b3f22af8959d4c660f5fb7da33dc4b9d83b04056cb7

            SHA512

            1a6438436822616bc58d2a34a0b406e6f42a09d9defce14f3e06d35e6035347dc4e9213926cdc72571fa536debe950f69272db87d51e8fb1347e395b0fb14bec

            Download Submit

          • C:\Windows\SysWOW64\filmtvdy.exe.exe
            Filesize

            1.3MB

            MD5

            4ec2c2cfeef1af870a02e8aa00fc3363

            SHA1

            b2262ee0e7d5daa11b017b26c10ae118efb7c6f2

            SHA256

            5851378994d31c78eff09b3f22af8959d4c660f5fb7da33dc4b9d83b04056cb7

            SHA512

            1a6438436822616bc58d2a34a0b406e6f42a09d9defce14f3e06d35e6035347dc4e9213926cdc72571fa536debe950f69272db87d51e8fb1347e395b0fb14bec

            Download Submit

          • C:\Windows\SysWOW64\sy.reg
            Filesize

            136B

            MD5

            27aab962f791e0e80d20c2051b9a03ba

            SHA1

            8f64172827ad5da7b76b2f29503dad89849904c8

            SHA256

            a26b4beb8ec1587564d9682b0ee02e5292c030760c1de3003a092dc13c8e2a8d

            SHA512

            fe18f2ab6ed4d9acbfcd5debc5b92e4928e3b901deb4c262a31d40bae7b846959461844baca7bcbfb0246bc7a70f03c73fe0f9846c7030061262bfc1385d7d1a

            Download Submit

          • C:\Windows\SysWOW64\systemok.vbs
            Filesize

            67B

            MD5

            f03e7702a11c470021bcddc98a64b383

            SHA1

            694e8b23752071e2892cf881b41627cb5db67517

            SHA256

            cdcbdd321373c5897e3d8d14ba5604ae53c259f06de4f65cd6953339838a19f8

            SHA512

            357be3b87ac7576fd2f7a72d3ee911104b8cfb6cf709ce11b8e02043b9e10349247731e7abeac3a9d10d20d31fe0632cb67cdca5fe6e1aa397b76436a5b886a2

            Download Submit

          • C:\Windows\SysWOW64\taobao.lnk
            Filesize

            1KB

            MD5

            b1f1a9b43438c78d39e1dcb3968a029e

            SHA1

            9601901ef6f97b1d67aaa797626428c1a9811763

            SHA256

            64181c2268f0c8b90c4035824c6e71fbe4ff42ada68f2ce5d46511e5e612ab1a

            SHA512

            d4a4bd29901a0df073386c021486d472d9dd8648216d069d9f567a586c63fa59e824e96ddb179f08e4b44faa97711f9b3b3978591df58cdb66d598d248cab664

            Download Submit

          • C:\Windows\SysWOW64\yx.lnk
            Filesize

            1KB

            MD5

            c323e59b3ee8e4df72521695e237fd5a

            SHA1

            9ab2591e5e89dea89dc7c0ebd369cba10edfc881

            SHA256

            e69e08efa66dd6b9c2f2b38798309e46a08441daf6d774f03f4af2c75f90ce9f

            SHA512

            2fdd32eccde68504d814dea85ee44f82cb7d52d912936664bd787931fbca3f03a05c54e9fe91e9c6c07743b3144dcf7b1865f5b21986a231c1da043af47c9784

            Download Submit

          • \Windows\SysWOW64\filmtvdy.exe.exe
            Filesize

            1.3MB

            MD5

            4ec2c2cfeef1af870a02e8aa00fc3363

            SHA1

            b2262ee0e7d5daa11b017b26c10ae118efb7c6f2

            SHA256

            5851378994d31c78eff09b3f22af8959d4c660f5fb7da33dc4b9d83b04056cb7

            SHA512

            1a6438436822616bc58d2a34a0b406e6f42a09d9defce14f3e06d35e6035347dc4e9213926cdc72571fa536debe950f69272db87d51e8fb1347e395b0fb14bec

            Download Submit

          • \Windows\SysWOW64\filmtvdy.exe.exe
            Filesize

            1.3MB

            MD5

            4ec2c2cfeef1af870a02e8aa00fc3363

            SHA1

            b2262ee0e7d5daa11b017b26c10ae118efb7c6f2

            SHA256

            5851378994d31c78eff09b3f22af8959d4c660f5fb7da33dc4b9d83b04056cb7

            SHA512

            1a6438436822616bc58d2a34a0b406e6f42a09d9defce14f3e06d35e6035347dc4e9213926cdc72571fa536debe950f69272db87d51e8fb1347e395b0fb14bec

            Download Submit

          • memory/900-54-0x0000000076121000-0x0000000076123000-memory.dmp

            Filesize

            8KB

            Download