Analysis
- max time kernel: 185s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/12/2022, 09:58
Behavioral task behavioral1
- Sample: 91fe2293aa09da2e22fd59f9ee538ba80dbc249329b57583f66d86f280ff2363.exe
- Resource: win7-20221111-en
Behavioral task behavioral2
- Sample: 91fe2293aa09da2e22fd59f9ee538ba80dbc249329b57583f66d86f280ff2363.exe
- Resource: win10v2004-20221111-en
General
- Target: 91fe2293aa09da2e22fd59f9ee538ba80dbc249329b57583f66d86f280ff2363.exe
- Size: 595KB
- MD5: ed0e13d01d2d233abf46942a6d454cbe
- SHA1: cb920a79944b7ffb7d885f392cb9a1fe825d0502
- SHA256: 91fe2293aa09da2e22fd59f9ee538ba80dbc249329b57583f66d86f280ff2363
- SHA512: 69df9c3c263bfb671ea74945cc78396e723aa1c69f2b39d6367661304d41311bf92b89d309d41ba7523df5f6d12d56b15c3e50cbff1d93887c9d93690a3b24ce
- SSDEEP: 12288:Qv6+G3JczlR9PBQpN+qCYC1d+y7GOzSk40wYwiPvH:hF5ElRWPi4yyOeRov
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\SysWOW64\\dllcache\\ntvdame.exe," (process: ntvdame.exe)
- yara_rule matches
  behavioral2/files/0x0002000000022660-134.dat: aspack_v212_v242
  behavioral2/files/0x0002000000022660-135.dat: aspack_v212_v242
  behavioral2/files/0x0002000000022663-138.dat: aspack_v212_v242
  behavioral2/files/0x0002000000022663-139.dat: aspack_v212_v242
- Executes dropped EXE (2 IoCs)
  PID 2760: 3721.exe
  PID 4356: ntvdame.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process: 91fe2293aa09da2e22fd59f9ee538ba80dbc249329b57583f66d86f280ff2363.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process: 3721.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process: ntvdame.exe)
- Drops file in System32 directory (3 IoCs)
  File opened for modification: C:\Windows\SysWOW64\dllcache\ntvdame.exe (process: 3721.exe)
  File created: C:\Windows\SysWOW64\dllcache\ntvdame.exe (process: 3721.exe)
  File opened for modification: C:\Windows\SysWOW64\dllcache\ntvdame.exe (process: ntvdame.exe)
- Drops file in Program Files directory (4 IoCs)
  File created: C:\Program Files\3721.exe (process: 91fe2293aa09da2e22fd59f9ee538ba80dbc249329b57583f66d86f280ff2363.exe)
  File opened for modification: C:\Program Files\3721.exe (process: ntvdame.exe)
  File opened for modification: C:\Program Files\yahoo.exe (process: ntvdame.exe)
  File opened for modification: C:\Program Files\3721_.exe (process: ntvdame.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (44 IoCs)
  PID 2300: 91fe2293aa09da2e22fd59f9ee538ba80dbc249329b57583f66d86f280ff2363.exe (10 hits)
  PID 2760: 3721.exe (12 hits)
  PID 4356: ntvdame.exe (22 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2300: 91fe2293aa09da2e22fd59f9ee538ba80dbc249329b57583f66d86f280ff2363.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege, PID 2300: 91fe2293aa09da2e22fd59f9ee538ba80dbc249329b57583f66d86f280ff2363.exe
  Token: SeDebugPrivilege, PID 2760: 3721.exe
  Token: SeIncBasePriorityPrivilege, PID 2760: 3721.exe
  Token: SeDebugPrivilege, PID 4356: ntvdame.exe
  Token: SeIncBasePriorityPrivilege, PID 2760: 3721.exe
- Suspicious use of FindShellTrayWindow (5 IoCs)
  PID 4356: ntvdame.exe (5 hits)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 2300: 91fe2293aa09da2e22fd59f9ee538ba80dbc249329b57583f66d86f280ff2363.exe (2 hits)
  PID 2760: 3721.exe (2 hits)
  PID 4356: ntvdame.exe (2 hits)
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 2300 (91fe2293aa09da2e22fd59f9ee538ba80dbc249329b57583f66d86f280ff2363.exe) wrote to memory of PID 2760, procid_target 84 (3 hits)
  PID 2760 (3721.exe) wrote to memory of PID 3132, procid_target 85 (3 hits)
  PID 2760 (3721.exe) wrote to memory of PID 4356, procid_target 87 (3 hits)
  PID 2760 (3721.exe) wrote to memory of PID 4208, procid_target 88 (3 hits)
  PID 2760 (3721.exe) wrote to memory of PID 3968, procid_target 89 (3 hits)
  PID 4356 (ntvdame.exe) wrote to memory of PID 3576, procid_target 90 (3 hits)
Processes
- C:\Users\Admin\AppData\Local\Temp\91fe2293aa09da2e22fd59f9ee538ba80dbc249329b57583f66d86f280ff2363.exe (PID 2300)
  Command line: "C:\Users\Admin\AppData\Local\Temp\91fe2293aa09da2e22fd59f9ee538ba80dbc249329b57583f66d86f280ff2363.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files\3721.exe (PID 2760)
    Command line: "C:\Program Files\3721.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\net1.exe (PID 3132)
      Command line: "C:\Windows\System32\net1.exe" start sharedaccess
    - Child: C:\Windows\SysWOW64\dllcache\ntvdame.exe (PID 4356)
      Command line: "C:\Windows\system32\dllcache\ntvdame.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - Child: C:\Windows\SysWOW64\net1.exe (PID 3576)
        Command line: "C:\Windows\System32\net1.exe" start sharedaccess
    - Child: C:\Windows\SysWOW64\cmd.exe (PID 4208)
      Command line: C:\Windows\system32\cmd.exe /c del C:\PROGRA~1\3721.exe > nul
    - Child: C:\Windows\SysWOW64\cmd.exe (PID 3968)
      Command line: C:\Windows\system32\cmd.exe /c del C:\PROGRA~1\3721.exe > nul
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 37KB
  MD5: 82c28e7105ef6317f1e3302c05ec638f
  SHA1: caa6de74b2245a122b0d007d2d8fa0a712551a5d
  SHA256: b9f6fa466a607d3c58e74fa532239cd6122c5ea8e40a35eb6e78e4a79ef111d8
  SHA512: d44e19cf9085935e96650c38684edea129691abbc212bbd2d63b0c09ee35fd13003b5e89c67f976965fa72225a13588198f1635740ded728b5fe85c54c1f7b26