Analysis
- max time kernel: 181s
- max time network: 200s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/12/2022, 19:00
Static task: static1

Behavioral task: behavioral1
- Sample: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
- Resource: win10v2004-20221111-en
General
- Target: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
- Size: 364KB
- MD5: 72c482ad8052388343956fe092465e7c
- SHA1: 6b301063661ce24464060938823554a4d2e411d4
- SHA256: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321
- SHA512: 6318d94e1adff12fa42fb05d3a46bef337577ec68ba4cf993012d422c5ae09f6d928b936346538c75891085253565caee30614fa18cbb76586a96fa0324b3f3d
- SSDEEP: 6144:CbXE9OiTGfhEClq9ztilm4CNyG+4GgDNxDiRVBHePLBQsL:qU9XiuiitImy7wxQVB+TBQsL
Malware Config

Signatures

Drops file in Drivers directory (1 IoC)
- File opened for modification: C:\Windows\System32\drivers\etc\hosts (process: cmd.exe)

Executes dropped EXE (1 IoC)
- PID 4960: pipipipipi.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe)

Drops file in System32 directory (11 IoCs)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx (process: svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log (process: svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs (process: svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk (process: svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat (process: svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk (process: svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp (process: svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log (process: svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs (process: svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm (process: svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat (process: svchost.exe)

Drops file in Program Files directory (5 IoCs)
- File opened for modification: C:\Program Files (x86)\ololo\p.txt (process: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe)
- File opened for modification: C:\Program Files (x86)\ololo\3t.jpg (process: svchost.exe)
- File opened for modification: C:\Program Files (x86)\ololo\3t.jpg (process: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe)
- File opened for modification: C:\Program Files (x86)\ololo\pipipipipi.exe (process: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe)
- File opened for modification: C:\Program Files (x86)\ololo\olololo.bat (process: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
- PID 5016 (WerFault.exe), target PID 4960, procid_target 87

Modifies registry class (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings (process: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings (process: mspaint.exe)

Runs .reg file with regedit (1 IoC)
- PID 3544: regedit.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4852: mspaint.exe
- PID 4852: mspaint.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 4852: mspaint.exe
- PID 1916: OpenWith.exe

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 4516 wrote to memory of 4852 (process: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe, procid_target 84)
- PID 4516 wrote to memory of 4852 (process: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe, procid_target 84)
- PID 4516 wrote to memory of 4852 (process: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe, procid_target 84)
- PID 4516 wrote to memory of 4812 (process: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe, procid_target 85)
- PID 4516 wrote to memory of 4812 (process: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe, procid_target 85)
- PID 4516 wrote to memory of 4812 (process: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe, procid_target 85)
- PID 4516 wrote to memory of 4960 (process: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe, procid_target 87)
- PID 4516 wrote to memory of 4960 (process: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe, procid_target 87)
- PID 4516 wrote to memory of 4960 (process: 893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe, procid_target 87)
- PID 4812 wrote to memory of 3544 (process: cmd.exe, procid_target 95)
- PID 4812 wrote to memory of 3544 (process: cmd.exe, procid_target 95)
- PID 4812 wrote to memory of 3544 (process: cmd.exe, procid_target 95)
Processes
- C:\Users\Admin\AppData\Local\Temp\893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe"
  PID: 4516
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mspaint.exe
    command line: "C:\Windows\system32\mspaint.exe" "C:\Program Files (x86)\ololo\3t.jpg" /ForceBootstrapPaint3D
    PID: 4852
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ololo\olololo.bat" "
    PID: 4812
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regedit.exe
      command line: regedit -s snapshot.reg
      PID: 3544
      - Runs .reg file with regedit
  - C:\Program Files (x86)\ololo\pipipipipi.exe
    command line: "C:\Program Files (x86)\ololo\pipipipipi.exe"
    PID: 4960
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 668
      PID: 5016
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4960 -ip 4960
  PID: 4940
- C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  PID: 4360
  - Drops file in System32 directory
  - Drops file in Program Files directory
- C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 1916
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 52KB
  MD5: 20fa9a18bcc7d0ac56752235bda71ff1
  SHA1: bfc38d50c995dac42388c9681f31e3bffb12048c
  SHA256: 18a663b6b5cd7298af8ebe47c29d7c4f150b2864cfd5599723b82245f6846dcc
  SHA512: ae0fb6491e2f0d7be6150189516afaa0225e82cb7809392667f3a3131e74270ba4e265c2878bb159ba1ff5656275eeb439fccbf5abe28ca49bee7294541778cb
- Filesize: 56KB
  MD5: e5af3dd46df77c166f55378507c5cbcb
  SHA1: c2e5ff64d3e2fe0dcd2960164219f0031619653a
  SHA256: 3185d610a530e91e62fc95cd3c8b3df333d3254524417afc945b4c32b3e8d918
  SHA512: 0cab1d707b450588e579e099dad31f6c300d03b461ac12cfb8eabcc3ebe1d91859d2454cd82845d6ab233086397ac760fa7ebadcb3ad8871f32a6b96fcc42bec
- Filesize: 2B
  MD5: ac627ab1ccbdb62ec96e702f07f6425b
  SHA1: 9a79be611e0267e1d943da0737c6c51be67865a0
  SHA256: 8c1f1046219ddd216a023f792356ddf127fce372a72ec9b4cdac989ee5b0b455
  SHA512: 6781a9e05f5e327a138f3d09ce0211ce4f166d940a14b46373e44402a3f3754cab4109f62c50777cbc1e3c4f1b8e6234e8d0b41281571bf0e1bd480c12149830
- Filesize: 253KB
  MD5: f4ab00e8243d57e5f8fe2cb1748b94d3
  SHA1: f485809a23c8d262c06e7a5aa3784d3049baa42e
  SHA256: 86e066b3d95e48fb9c9f81afdb4b19d3b40d32013a81ea57246ab8ab74f74ddd
  SHA512: 6eafd26bba65c381090e449d83f9c419c479d1d30d0c37848af7dfd78174e7f34a37442e0a0d6f83fd182a105dcf5e6658d5a0e4594418bb38be5a78b4443cb5
- Filesize: 253KB
  MD5: f4ab00e8243d57e5f8fe2cb1748b94d3
  SHA1: f485809a23c8d262c06e7a5aa3784d3049baa42e
  SHA256: 86e066b3d95e48fb9c9f81afdb4b19d3b40d32013a81ea57246ab8ab74f74ddd
  SHA512: 6eafd26bba65c381090e449d83f9c419c479d1d30d0c37848af7dfd78174e7f34a37442e0a0d6f83fd182a105dcf5e6658d5a0e4594418bb38be5a78b4443cb5