Analysis
- max time kernel: 171s
- max time network: 195s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/12/2022, 05:46
Static task
- static1

Behavioral task
- behavioral1
  Sample: cb7a2ca31d804f40c9066d7d95a9e4720e1a1cf18ce11c6eac3cc5ebbde5cc29.exe
  Resource: win7-20220812-en

Behavioral task
- behavioral2
  Sample: cb7a2ca31d804f40c9066d7d95a9e4720e1a1cf18ce11c6eac3cc5ebbde5cc29.exe
  Resource: win10v2004-20221111-en
General
- Target: cb7a2ca31d804f40c9066d7d95a9e4720e1a1cf18ce11c6eac3cc5ebbde5cc29.exe
- Size: 3.5MB
- MD5: 2f405c0ebfc93ee6f97d25b7142010cf
- SHA1: 76bf27320efffa815527a0a358efa391a381379d
- SHA256: cb7a2ca31d804f40c9066d7d95a9e4720e1a1cf18ce11c6eac3cc5ebbde5cc29
- SHA512: a352ed0bbc0d9e8e0f263ac20975e6339c55082fa8c102c6ea896d24c2fabddab1a329d2ed2e95e7d829f9ccba561a207ff3cfe83a71575151acc854f13391f4
- SSDEEP: 98304:ylAtWDvPNZgZzZe4CRc68l9AZAALTLo98:mAoDXN8zQ4l68l9AZAAc98
Malware Config

Signatures

Executes dropped EXE (1 IoCs)
- PID 3740: Security.Task.Manager.v1.7f.Multilingual.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\OALX\ImagePath = "C:\\Program Files\\Ttoaz\\Aiknx.exe" (process: cb7a2ca31d804f40c9066d7d95a9e4720e1a1cf18ce11c6eac3cc5ebbde5cc29.exe)
Checks whether UAC is enabled (1 IoCs)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: Security.Task.Manager.v1.7f.Multilingual.exe)
Drops file in Program Files directory (15 IoCs)
All entries are by process cb7a2ca31d804f40c9066d7d95a9e4720e1a1cf18ce11c6eac3cc5ebbde5cc29.exe.
- File created: C:\Program Files\Ttoaz\levoof.exe
- File opened for modification: C:\Program Files\Ttoaz\levoof.exe
- File opened for modification: C:\Program Files\Ttoaz\Oquy\Jbel.dll
- File created: C:\Program Files\Ttoaz\hescev.exe
- File opened for modification: C:\Program Files\Ttoaz\kehese\pat.xml
- File opened for modification: C:\Program Files\Ttoaz\kehese\togese.dll
- File created: C:\Program Files\Common Files\System\Ole DB\MSPat.xml
- File created: C:\Program Files\Ttoaz\kehese\pat.xml
- File created: C:\Program Files\Ttoaz\kehese\togese.dll
- File opened for modification: C:\Program Files\Ttoaz\Aiknx.exe
- File opened for modification: C:\Program Files\Ttoaz\Guxcu.exe
- File opened for modification: C:\Program Files\Ttoaz\hescev.exe
- File opened for modification: C:\Program Files\Ttoaz\jy.ini
- File created: C:\Program Files\Ttoaz\jy.ini
- File opened for modification: C:\Program Files\Common Files\System\Ole DB\MSPat.xml

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings (17 IoCs)
All entries are by process iexplore.exe unless noted otherwise.
- Set value (int): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"
- Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
- Set value (int): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2265111783"
- Set value (int): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"
- Set value (int): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"
- Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager
- Set value (int): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2265111783"
- Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive
- Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main (process: IEXPLORE.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"
- Set value (int): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"
- Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main
- Set value (int): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B16CE5A6-779F-11ED-BF5F-621DF61BAEF5} = "0"
- Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
- Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
- Set value (int): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001516"
- Set value (int): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001516"
Suspicious use of FindShellTrayWindow (1 IoCs)
- PID 3496: iexplore.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
- PID 3740: Security.Task.Manager.v1.7f.Multilingual.exe (2 entries)
- PID 3496: iexplore.exe (2 entries)
- PID 3292: IEXPLORE.EXE (4 entries)

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 1636 (cb7a2ca31d804f40c9066d7d95a9e4720e1a1cf18ce11c6eac3cc5ebbde5cc29.exe) wrote to memory of PID 3740, procid_target 86 (3 entries)
- PID 3496 (iexplore.exe) wrote to memory of PID 3292, procid_target 96 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\cb7a2ca31d804f40c9066d7d95a9e4720e1a1cf18ce11c6eac3cc5ebbde5cc29.exe (PID 1636)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb7a2ca31d804f40c9066d7d95a9e4720e1a1cf18ce11c6eac3cc5ebbde5cc29.exe"
  - Sets service image path in registry
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\g83865\Security.Task.Manager.v1.7f.Multilingual.exe (PID 3740)
    Command line: C:\Users\Admin\AppData\Local\Temp\g83865\Security.Task.Manager.v1.7f.Multilingual.exe
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of SetWindowsHookEx

- C:\Program Files (x86)\Internet Explorer\ielowutil.exe (PID 2000)
  Command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E} -Embedding

- C:\Program Files\Internet Explorer\iexplore.exe (PID 3496)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 3292)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3496 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.7MB
  MD5: f104a5404b802a065610842ec754c459
  SHA1: 7ab73e19008eb661f22af083d6c4d3ecc7644adc
  SHA256: 89f4463cf3012145faeeda5df2461e2de2513687a14842028d66d3b60beec717
  SHA512: df942b1cb8eef7ebed6dc2560f85d5b1d887fcbfa53787d86a5e97ec2c4c6c5c72162a8e8fc6bf29bf7aa2687d3e32e9b587e0286a9e584ad076446090bbd4c8