Analysis
- max time kernel: 191s
- max time network: 198s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/12/2022, 03:22
Static task: static1

Behavioral task: behavioral1
- Sample: a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe
- Resource: win10v2004-20221111-en
General
- Target: a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe
- Size: 2.6MB
- MD5: f3afc3d7fdb86f8ad5f56b93e993a8f8
- SHA1: de7fd67b7e0c91ffbaea59b95a5a5a29911320a6
- SHA256: a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5
- SHA512: a344a02d1d9cbb662d432919d7c5744875eca1c32afbab36d514f47d3ba1a39f9db548f0cb76a62a9082898ee0bd1126f85f45a88d9f8611e38f32f44eaa792d
- SSDEEP: 24576:xB84vadsL8ec1gda1CXcBzlS69DL2kRdDHiS+HC:7vezwc9tLZ
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 10 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\javacpl.exe = "C:\\Users\\Admin\\AppData\\Roaming\\javacpl.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\javacpl.exe = "C:\\Users\\Admin\\AppData\\Roaming\\javacpl.exe:*:Enabled:Windows Messanger" | reg.exe
Executes dropped EXE (3 IoCs)
pid | Process
2236 | javacpl.exe
1776 | javacpl.exe
1992 | javacpl.exe
resource | yara_rule
behavioral2/memory/3728-135-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3728-137-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3728-138-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3728-141-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/1992-157-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral2/memory/1992-161-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral2/memory/1992-163-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral2/memory/1776-167-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/1992-168-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral2/memory/1776-169-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/1992-170-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral2/memory/3728-171-0x0000000000400000-0x000000000040B000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javacpl = "C:\\Users\\Admin\\AppData\\Roaming\\javacpl.exe" | reg.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 2364 set thread context of 3728 | 2364 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe | 82
PID 2236 set thread context of 1776 | 2236 | javacpl.exe | 90
PID 2236 set thread context of 1992 | 2236 | javacpl.exe | 91
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry key (1 TTPs, 4 IoCs)
pid | Process
2564 | reg.exe
4048 | reg.exe
3384 | reg.exe
408 | reg.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: 1 | 1992 | javacpl.exe
Token: SeCreateTokenPrivilege | 1992 | javacpl.exe
Token: SeAssignPrimaryTokenPrivilege | 1992 | javacpl.exe
Token: SeLockMemoryPrivilege | 1992 | javacpl.exe
Token: SeIncreaseQuotaPrivilege | 1992 | javacpl.exe
Token: SeMachineAccountPrivilege | 1992 | javacpl.exe
Token: SeTcbPrivilege | 1992 | javacpl.exe
Token: SeSecurityPrivilege | 1992 | javacpl.exe
Token: SeTakeOwnershipPrivilege | 1992 | javacpl.exe
Token: SeLoadDriverPrivilege | 1992 | javacpl.exe
Token: SeSystemProfilePrivilege | 1992 | javacpl.exe
Token: SeSystemtimePrivilege | 1992 | javacpl.exe
Token: SeProfSingleProcessPrivilege | 1992 | javacpl.exe
Token: SeIncBasePriorityPrivilege | 1992 | javacpl.exe
Token: SeCreatePagefilePrivilege | 1992 | javacpl.exe
Token: SeCreatePermanentPrivilege | 1992 | javacpl.exe
Token: SeBackupPrivilege | 1992 | javacpl.exe
Token: SeRestorePrivilege | 1992 | javacpl.exe
Token: SeShutdownPrivilege | 1992 | javacpl.exe
Token: SeDebugPrivilege | 1992 | javacpl.exe
Token: SeAuditPrivilege | 1992 | javacpl.exe
Token: SeSystemEnvironmentPrivilege | 1992 | javacpl.exe
Token: SeChangeNotifyPrivilege | 1992 | javacpl.exe
Token: SeRemoteShutdownPrivilege | 1992 | javacpl.exe
Token: SeUndockPrivilege | 1992 | javacpl.exe
Token: SeSyncAgentPrivilege | 1992 | javacpl.exe
Token: SeEnableDelegationPrivilege | 1992 | javacpl.exe
Token: SeManageVolumePrivilege | 1992 | javacpl.exe
Token: SeImpersonatePrivilege | 1992 | javacpl.exe
Token: SeCreateGlobalPrivilege | 1992 | javacpl.exe
Token: 31 | 1992 | javacpl.exe
Token: 32 | 1992 | javacpl.exe
Token: 33 | 1992 | javacpl.exe
Token: 34 | 1992 | javacpl.exe
Token: 35 | 1992 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Token: SeDebugPrivilege | 1776 | javacpl.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
2364 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe
3728 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe
2236 | javacpl.exe
1776 | javacpl.exe
1992 | javacpl.exe
1992 | javacpl.exe
1992 | javacpl.exe
1992 | javacpl.exe
Suspicious use of WriteProcessMemory (57 IoCs)
description | pid | Process | procid_target
PID 2364 wrote to memory of 3728 | 2364 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe | 82
PID 2364 wrote to memory of 3728 | 2364 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe | 82
PID 2364 wrote to memory of 3728 | 2364 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe | 82
PID 2364 wrote to memory of 3728 | 2364 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe | 82
PID 2364 wrote to memory of 3728 | 2364 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe | 82
PID 2364 wrote to memory of 3728 | 2364 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe | 82
PID 2364 wrote to memory of 3728 | 2364 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe | 82
PID 2364 wrote to memory of 3728 | 2364 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe | 82
PID 3728 wrote to memory of 2520 | 3728 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe | 84
PID 3728 wrote to memory of 2520 | 3728 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe | 84
PID 3728 wrote to memory of 2520 | 3728 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe | 84
PID 2520 wrote to memory of 2580 | 2520 | cmd.exe | 87
PID 2520 wrote to memory of 2580 | 2520 | cmd.exe | 87
PID 2520 wrote to memory of 2580 | 2520 | cmd.exe | 87
PID 3728 wrote to memory of 2236 | 3728 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe | 89
PID 3728 wrote to memory of 2236 | 3728 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe | 89
PID 3728 wrote to memory of 2236 | 3728 | a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe | 89
PID 2236 wrote to memory of 1776 | 2236 | javacpl.exe | 90
PID 2236 wrote to memory of 1776 | 2236 | javacpl.exe | 90
PID 2236 wrote to memory of 1776 | 2236 | javacpl.exe | 90
PID 2236 wrote to memory of 1776 | 2236 | javacpl.exe | 90
PID 2236 wrote to memory of 1776 | 2236 | javacpl.exe | 90
PID 2236 wrote to memory of 1776 | 2236 | javacpl.exe | 90
PID 2236 wrote to memory of 1776 | 2236 | javacpl.exe | 90
PID 2236 wrote to memory of 1776 | 2236 | javacpl.exe | 90
PID 2236 wrote to memory of 1992 | 2236 | javacpl.exe | 91
PID 2236 wrote to memory of 1992 | 2236 | javacpl.exe | 91
PID 2236 wrote to memory of 1992 | 2236 | javacpl.exe | 91
PID 2236 wrote to memory of 1992 | 2236 | javacpl.exe | 91
PID 2236 wrote to memory of 1992 | 2236 | javacpl.exe | 91
PID 2236 wrote to memory of 1992 | 2236 | javacpl.exe | 91
PID 2236 wrote to memory of 1992 | 2236 | javacpl.exe | 91
PID 2236 wrote to memory of 1992 | 2236 | javacpl.exe | 91
PID 1992 wrote to memory of 3720 | 1992 | javacpl.exe | 92
PID 1992 wrote to memory of 3720 | 1992 | javacpl.exe | 92
PID 1992 wrote to memory of 3720 | 1992 | javacpl.exe | 92
PID 1992 wrote to memory of 4408 | 1992 | javacpl.exe | 93
PID 1992 wrote to memory of 4408 | 1992 | javacpl.exe | 93
PID 1992 wrote to memory of 4408 | 1992 | javacpl.exe | 93
PID 1992 wrote to memory of 4652 | 1992 | javacpl.exe | 94
PID 1992 wrote to memory of 4652 | 1992 | javacpl.exe | 94
PID 1992 wrote to memory of 4652 | 1992 | javacpl.exe | 94
PID 1992 wrote to memory of 3596 | 1992 | javacpl.exe | 95
PID 1992 wrote to memory of 3596 | 1992 | javacpl.exe | 95
PID 1992 wrote to memory of 3596 | 1992 | javacpl.exe | 95
PID 4652 wrote to memory of 2564 | 4652 | cmd.exe | 101
PID 4652 wrote to memory of 2564 | 4652 | cmd.exe | 101
PID 4652 wrote to memory of 2564 | 4652 | cmd.exe | 101
PID 3720 wrote to memory of 408 | 3720 | cmd.exe | 104
PID 3720 wrote to memory of 408 | 3720 | cmd.exe | 104
PID 3720 wrote to memory of 408 | 3720 | cmd.exe | 104
PID 4408 wrote to memory of 3384 | 4408 | cmd.exe | 103
PID 4408 wrote to memory of 3384 | 4408 | cmd.exe | 103
PID 4408 wrote to memory of 3384 | 4408 | cmd.exe | 103
PID 3596 wrote to memory of 4048 | 3596 | cmd.exe | 102
PID 3596 wrote to memory of 4048 | 3596 | cmd.exe | 102
PID 3596 wrote to memory of 4048 | 3596 | cmd.exe | 102
Processes
(process tree; indentation shows parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe (PID 2364)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe (PID 3728)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a1948a43cd5bff965d2d54ffd24f673728719cd97f028c33b776607603f342a5.exe"
    Signatures: Checks computer location settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2520)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KRVHF.bat" "
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2580)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javacpl" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\javacpl.exe" /f
        Signatures: Adds Run key to start application
    - C:\Users\Admin\AppData\Roaming\javacpl.exe (PID 2236)
      Command line: "C:\Users\Admin\AppData\Roaming\javacpl.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\javacpl.exe (PID 1776)
        Command line: "C:\Users\Admin\AppData\Roaming\javacpl.exe"
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\javacpl.exe (PID 1992)
        Command line: "C:\Users\Admin\AppData\Roaming\javacpl.exe"
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 3720)
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\reg.exe (PID 408)
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            Signatures: Modifies firewall policy service; Modifies registry key
        - C:\Windows\SysWOW64\cmd.exe (PID 4408)
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\javacpl.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\javacpl.exe:*:Enabled:Windows Messanger" /f
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\reg.exe (PID 3384)
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\javacpl.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\javacpl.exe:*:Enabled:Windows Messanger" /f
            Signatures: Modifies firewall policy service; Modifies registry key
        - C:\Windows\SysWOW64\cmd.exe (PID 4652)
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\reg.exe (PID 2564)
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            Signatures: Modifies firewall policy service; Modifies registry key
        - C:\Windows\SysWOW64\cmd.exe (PID 3596)
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\javacpl.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\javacpl.exe:*:Enabled:Windows Messanger" /f
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\reg.exe (PID 4048)
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\javacpl.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\javacpl.exe:*:Enabled:Windows Messanger" /f
            Signatures: Modifies firewall policy service; Modifies registry key
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 136B
  MD5: 43f169f9da64f490033d47db60eec638
  SHA1: 09a6f08a7511818e23563f31e9d1db5eea2b2a0d
  SHA256: 202c960dce433ded37036198c80a305870959706c4a4ac5a1454379a282c2803
  SHA512: 0556ba978cd5ca7e96c3e21410c375e99e1e82183d4384b46af5426c013c64aa190c5020f7154b9f5a5b42fbb30af20c74252a275c77d4596f4201625984ac8a

- Filesize: 2.6MB
  MD5: fc9e5018e614906c6d906c00c5d1f4a7
  SHA1: 236c9e93de20368c34fbc02489a701eb9c6f8dba
  SHA256: cedeca81164fc956d585503462bc9d818395d6e61a75ebab754de77cd114b712
  SHA512: 841496de473dedc2ff7adedd081eb005777519efc4471d00788605589eeb91fbce506a286e9bca6abf0e44f48f6571ae9bb0f009fe794d0fb2bd8a7234f8986e