Analysis
- max time kernel: 134s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/12/2022, 05:54
Static task
- static1
Behavioral task
- behavioral1
  - Sample: c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17.exe
  - Resource: win7-20220901-en
Behavioral task
- behavioral2
  - Sample: c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17.exe
  - Resource: win10v2004-20220812-en
General
- Target: c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17.exe
- Size: 899KB
- MD5: 0117a8ecab6bbf11ec6bef9204dad2b9
- SHA1: 91fc83ef9c684c53fc8071d8317a91abde01a716
- SHA256: c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17
- SHA512: fc403a97109dccf3c7cf125885bf2725f41ab7f82547593b2e307d77258e8dbc006b70c6807b040abe67949794f5912dd239652d80ee3feff3361c067c88a533
- SSDEEP: 6144:DtxgWaPErldXCfsn3LFlMiUKvy78gpQ0Ob:hGWgeAfsngiUAyAgpQl
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (cmd.exe)
Loads dropped DLL (2 IoCs)
- pid 2952, MsiExec.exe
- pid 2952, MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory (5 IoCs)
- File opened for modification: C:\Windows\Installer\e5746ae.msi (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI47D6.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI497D.tmp (msiexec.exe)
- File created: C:\Windows\Installer\e5746ae.msi (msiexec.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value; hex data omitted) (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = (binary value; hex data omitted) (vssvc.exe)
Modifies registry class (1 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings (cmd.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 1444, msiexec.exe
- pid 1444, msiexec.exe
Suspicious use of AdjustPrivilegeToken (51 IoCs)
Tokens adjusted, grouped by process in the order the report lists them:
- pid 4184, msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- pid 1444, msiexec.exe: SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
- pid 632, vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- pid 4228, srtasks.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
Suspicious use of FindShellTrayWindow (1 IoCs)
- pid 4184, msiexec.exe
Suspicious use of WriteProcessMemory (11 IoCs)
- PID 4828 wrote to memory of 4724 (pid 4828, c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17.exe, procid_target 80)
- PID 4828 wrote to memory of 4724 (pid 4828, c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17.exe, procid_target 80)
- PID 4828 wrote to memory of 4724 (pid 4828, c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17.exe, procid_target 80)
- PID 4724 wrote to memory of 4184 (pid 4724, cmd.exe, procid_target 82)
- PID 4724 wrote to memory of 4184 (pid 4724, cmd.exe, procid_target 82)
- PID 4724 wrote to memory of 4184 (pid 4724, cmd.exe, procid_target 82)
- PID 1444 wrote to memory of 4228 (pid 1444, msiexec.exe, procid_target 90)
- PID 1444 wrote to memory of 4228 (pid 1444, msiexec.exe, procid_target 90)
- PID 1444 wrote to memory of 2952 (pid 1444, msiexec.exe, procid_target 92)
- PID 1444 wrote to memory of 2952 (pid 1444, msiexec.exe, procid_target 92)
- PID 1444 wrote to memory of 2952 (pid 1444, msiexec.exe, procid_target 92)
Processes
- C:\Users\Admin\AppData\Local\Temp\c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17.exe"
  PID: 4828
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~7515.bat "C:\Users\Admin\AppData\Local\Temp\c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17.exe"
    PID: 4724
    Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\setup.msi"
      PID: 4184
      Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1444
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 4228
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 92264F8CBA20BE8CE649D71E4735A4C2
    PID: 2952
    Signatures: Loads dropped DLL
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 632
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 318c61d90d45dbdc39544981dbc74149
  SHA1: bc14826355c15020f9401b4b8bf066dea2ebe531
  SHA256: 9365a1b8a8843876ec8a1b433769c2f455a5d9aac190d12b270c7cb40d3aa0fe
  SHA512: ca71754570ed6503d371740ff5d95c4d34677cbfde7d139ad9369154b761e70ebb98a5dfaaf4d3279e8d379c191d5a9a8c39843ac3e36f7a01244877019d5c12
- Filesize: 804KB
  MD5: 7f7072b4322fccc3b4518932df235fb7
  SHA1: d4fe2123f9494b34f8ea81228ca698b119fcc0a0
  SHA256: 838c1a9488d3c80308404595bd3a1b3fe1527d1acb89ce496f9f856749ea5033
  SHA512: 2837ec0ab064bba210e6fb2b7c1464468eff64537db74b76fcaf52fb1517dbbad3914320ca14795579c25d889ebf9f07e0350819ca281cc83d56c2a2aaf9e1fa
- Filesize: 48KB
  MD5: 9067aad412defc0d2888479609041392
  SHA1: 36cfffc3bafeb24f88ad5886ca5787ca008b6ba9
  SHA256: 99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517
  SHA512: e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a
- Filesize: 23.0MB
  MD5: 3fe5df55ad666a27e42e850f61773661
  SHA1: ee710e401bd8e74e73b1aaf3468cbec0236eb156
  SHA256: 8595eda6102d93ff34853beac25c1781d1b6eeb3ea772af459905baef7f40998
  SHA512: 422cca4a8be2dc03f29667c64f8bcd792ffbb08cb2336ba1c792bb35641589137532ed20dc9f60850131ff4b93d263e6197af44e2ca5485f1364cbe93acc109c
- \??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8fed0b67-0552-43c9-92bd-acaf8316cb8f}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: b91eae4195c076295664f4ca68c24c26
  SHA1: 05715326e035528cf163d2868c0e4c01fc96bebe
  SHA256: edce2240f8d919f3902423f8dc491dfa9cc8b5195758237f0b4167ebee85cad3
  SHA512: 36eb0bc9788673384a27ea22c3c651811bca101cb0a0646e86d3232f7d59423959d23c3a6f0732baa25ec4d002107930009f3ab50d08bc5102a85b04ca6bbdc0