Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

ef0b0aedc0...42.exe

windows7-x64

8

ef0b0aedc0...42.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    214s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    04/12/2022, 12:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe

  • Size

    90KB

  • MD5

    4a88ae4b043e5e626c39a51d7e380b5a

  • SHA1

    a833330f04fa886dc9e401766e7a1673f2a740f6

  • SHA256

    ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42

  • SHA512

    83b12a847cd4f639b13db4f7f6ce13965a4757415e698c9ea470680adf5de672479cc9c8927b8a18be012002adc18083b0894226c803626e23025dcc844ac9f9

  • SSDEEP

    1536:VmZWGE/gxwXe4U7bPPa/q4udgeApY06+5wHNxd9m1pLyg+eu+ixh8NJVnKu9ypLI:UZW8wPU/PPWCvmYXhhe2si/8pnfyf2qE

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
    "C:\Users\Admin\AppData\Local\Temp\ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe"
    1⤵
    • Sets file execution options in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Windows\SysWOW64\net.exe
      net stop "Security Center"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
          PID:564
      • C:\Windows\SysWOW64\net.exe
        net stop "Windows Firewall/Internet Connection Sharing (ICS)"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:892
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
          3⤵
            PID:1360
        • C:\Windows\SysWOW64\net.exe
          net stop System Restore Service
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:580
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop System Restore Service
            3⤵
              PID:1820
          • C:\Users\Admin\AppData\Local\Temp\wmnet.exe
            C:\Users\Admin\AppData\Local\Temp\wmnet.exe
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:568
            • C:\Program Files (x86)\Common Files\System\QQjiji.exe
              "C:\Program Files (x86)\Common Files\System\QQjiji.exe"
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Program Files directory
              • Modifies system certificate store
              • Suspicious use of AdjustPrivilegeToken
              PID:1568
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c erase /A:RHSA "C:\Users\Admin\AppData\Local\Temp\wmnet.exe"&cmd /c del "C:\Users\Admin\AppData\Local\Temp\wmnet.exe"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1776
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c del "C:\Users\Admin\AppData\Local\Temp\wmnet.exe"
                4⤵
                  PID:1124
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ping -n 2 127.0.0.1>nul&del /F /Q /A : RSAH "C:\Users\Admin\AppData\Local\Temp\wmnet.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1924
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 2 127.0.0.1
                  4⤵
                  • Runs ping.exe
                  PID:1952
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c del C:\wmiprvse.exe
              2⤵
              • Deletes itself
              PID:1548

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Common Files\System\QQjiji.exe
            Filesize

            34KB

            MD5

            3d9abc0931ba2fe5e0ece6f31336e4c5

            SHA1

            5ed3751d91a899ac1a1606941c7001135d7adde5

            SHA256

            5f1b9bacb3801decc2287473efac54cb85e438cf50024c55189b30974a29c89e

            SHA512

            885857b18e7f51014887254553dea8a5760a87f2551ef8ae204b9e2ec0a14a4fafc875f286d23428e8492b4a398df12def927eaa1aff9e7440ccdf8df6b38c35

            Download Submit

          • C:\Program Files (x86)\Common Files\System\QQjiji.exe
            Filesize

            34KB

            MD5

            3d9abc0931ba2fe5e0ece6f31336e4c5

            SHA1

            5ed3751d91a899ac1a1606941c7001135d7adde5

            SHA256

            5f1b9bacb3801decc2287473efac54cb85e438cf50024c55189b30974a29c89e

            SHA512

            885857b18e7f51014887254553dea8a5760a87f2551ef8ae204b9e2ec0a14a4fafc875f286d23428e8492b4a398df12def927eaa1aff9e7440ccdf8df6b38c35

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\wmnet.exe
            Filesize

            34KB

            MD5

            3d9abc0931ba2fe5e0ece6f31336e4c5

            SHA1

            5ed3751d91a899ac1a1606941c7001135d7adde5

            SHA256

            5f1b9bacb3801decc2287473efac54cb85e438cf50024c55189b30974a29c89e

            SHA512

            885857b18e7f51014887254553dea8a5760a87f2551ef8ae204b9e2ec0a14a4fafc875f286d23428e8492b4a398df12def927eaa1aff9e7440ccdf8df6b38c35

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\wmnet.exe
            Filesize

            34KB

            MD5

            3d9abc0931ba2fe5e0ece6f31336e4c5

            SHA1

            5ed3751d91a899ac1a1606941c7001135d7adde5

            SHA256

            5f1b9bacb3801decc2287473efac54cb85e438cf50024c55189b30974a29c89e

            SHA512

            885857b18e7f51014887254553dea8a5760a87f2551ef8ae204b9e2ec0a14a4fafc875f286d23428e8492b4a398df12def927eaa1aff9e7440ccdf8df6b38c35

            Download Submit

          • \Program Files (x86)\Common Files\System\QQjiji.exe
            Filesize

            34KB

            MD5

            3d9abc0931ba2fe5e0ece6f31336e4c5

            SHA1

            5ed3751d91a899ac1a1606941c7001135d7adde5

            SHA256

            5f1b9bacb3801decc2287473efac54cb85e438cf50024c55189b30974a29c89e

            SHA512

            885857b18e7f51014887254553dea8a5760a87f2551ef8ae204b9e2ec0a14a4fafc875f286d23428e8492b4a398df12def927eaa1aff9e7440ccdf8df6b38c35

            Download Submit

          • \Program Files (x86)\Common Files\System\QQjiji.exe
            Filesize

            34KB

            MD5

            3d9abc0931ba2fe5e0ece6f31336e4c5

            SHA1

            5ed3751d91a899ac1a1606941c7001135d7adde5

            SHA256

            5f1b9bacb3801decc2287473efac54cb85e438cf50024c55189b30974a29c89e

            SHA512

            885857b18e7f51014887254553dea8a5760a87f2551ef8ae204b9e2ec0a14a4fafc875f286d23428e8492b4a398df12def927eaa1aff9e7440ccdf8df6b38c35

            Download Submit

          • \Program Files (x86)\Common Files\System\admin.obj
            Filesize

            50KB

            MD5

            dee2a616c3e4ee1fb83cbc8549fe30a8

            SHA1

            fb3d3e33a44028e4afdda43956037bc03b82d34a

            SHA256

            1ede5bc76517666c329991c9c98528644447bffcef8f3c5c44284ef7b8c461df

            SHA512

            0fa4bbb3fb52045e43703692934d1f1753badc96d9d1e7b6677d3fa562415e61a498c3af85109bdc21b12a9942bf90a9a04f0dd191a7f75a7e5cadfbb3158208

            Download Submit

          • \Users\Admin\AppData\Local\Temp\wmnet.exe
            Filesize

            34KB

            MD5

            3d9abc0931ba2fe5e0ece6f31336e4c5

            SHA1

            5ed3751d91a899ac1a1606941c7001135d7adde5

            SHA256

            5f1b9bacb3801decc2287473efac54cb85e438cf50024c55189b30974a29c89e

            SHA512

            885857b18e7f51014887254553dea8a5760a87f2551ef8ae204b9e2ec0a14a4fafc875f286d23428e8492b4a398df12def927eaa1aff9e7440ccdf8df6b38c35

            Download Submit

          • \Users\Admin\AppData\Local\Temp\wmnet.exe
            Filesize

            34KB

            MD5

            3d9abc0931ba2fe5e0ece6f31336e4c5

            SHA1

            5ed3751d91a899ac1a1606941c7001135d7adde5

            SHA256

            5f1b9bacb3801decc2287473efac54cb85e438cf50024c55189b30974a29c89e

            SHA512

            885857b18e7f51014887254553dea8a5760a87f2551ef8ae204b9e2ec0a14a4fafc875f286d23428e8492b4a398df12def927eaa1aff9e7440ccdf8df6b38c35

            Download Submit

          • memory/568-66-0x0000000075F21000-0x0000000075F23000-memory.dmp

            Filesize

            8KB

            Download

          • memory/568-69-0x00000000744D1000-0x00000000744D3000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1408-68-0x0000000010000000-0x000000001003C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/1408-54-0x0000000010000000-0x000000001003C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/1408-55-0x0000000010000000-0x000000001003C000-memory.dmp

            Filesize

            240KB

            Download