Analysis
max time kernel: 158s
max time network: 178s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 06/12/2022, 17:03
Static task: static1
Behavioral task: behavioral1
  Sample: f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
  Resource: win10v2004-20220812-en
General
Target: f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
Size: 777KB
MD5: 036d8a0aceb9c7b38ea13fa8a204f470
SHA1: 321f6e9e4c21841b5d6836f6840163523aebaae4
SHA256: f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7
SHA512: ab4d082deb1b9e7099a90da207033601306b242a44ba372cc79d81d113af6e4c6d4d7eeb54ff17e580ff28c39af3dbad0d4c38996d6ddf7b90c9c4a183f3e5d9
SSDEEP: 12288:0Lkcoxg7v3qnC11ErwIhh0F4qwUgUny5QPC+qRHk:qfmMv6Ckr7Mny5QanHk
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" | f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC5F5BF6-E4D6-E61C-5C8C-F70C0BF4E4A1} | f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC5F5BF6-E4D6-E61C-5C8C-F70C0BF4E4A1}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" | f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{DC5F5BF6-E4D6-E61C-5C8C-F70C0BF4E4A1} | f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{DC5F5BF6-E4D6-E61C-5C8C-F70C0BF4E4A1}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" | f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
resource | yara_rule
behavioral2/memory/4916-133-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral2/memory/4916-135-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral2/memory/4916-136-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral2/memory/4916-140-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral2/memory/4916-141-0x0000000000400000-0x000000000045D000-memory.dmp | upx
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" | f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" | f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3028 set thread context of 4916 | 3028 | f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe | 81
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry key 1 TTPs 4 IoCs
pid | Process
1572 | reg.exe
748 | reg.exe
4324 | reg.exe
1568 | reg.exe
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
4916 | f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
Suspicious use of AdjustPrivilegeToken 35 IoCs
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
4916 | f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
4916 | f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
4916 | f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
Suspicious use of WriteProcessMemory 29 IoCs
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3028

  (depth 2) C:\Users\Admin\AppData\Local\Temp\f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe"
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4916

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      PID: 2044

      (depth 4) C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
        PID: 1572

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      PID: 1380

      (depth 4) C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f1b506a365f630be0d8d34d877a6f2bb83331cc4022f4e875547dd7af8ba94f7.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
        PID: 4324

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      PID: 1956

      (depth 4) C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
        PID: 748

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      PID: 2760

      (depth 4) C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
        PID: 1568