Analysis

  • max time kernel
    90s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2022, 18:02

General

  • Target

    f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865.exe

  • Size

    52KB

  • MD5

    d6e7e97b595a5da8f8a53e6dc168df1c

  • SHA1

    aec05e6a8a178d291c96267a59c4a483101d50ac

  • SHA256

    f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865

  • SHA512

    b8b247e9623edb69f43a69fd2f18e5b26481c2b7bbe574c10842a5efce41f3616afc6102f838a62edbf40c18ed254eae40301f58a1e8062d1d2e798f87e7a18d

  • SSDEEP

    768:CwGI4s6XiKMAkjnlh7nTv+7SQBRJ0hLSqvIakyewLk13DTRy:d42Xnlh/W79JkL7IaNJLSR

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 27 IoCs
  • Modifies registry class 4 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865.exe
    "C:\Users\Admin\AppData\Local\Temp\f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2440
    • \??\c:\windows\romeo13.exe
      c:\windows\romeo13.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4656
      • \??\c:\windows\SysWOW64\regedit.exe
        regedit /s c:\2.reg
        3⤵
        • Modifies registry class
        • Runs .reg file with regedit
        PID:2984
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\353454543.bat
        3⤵
        PID:3520
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\353454543.bat
      2⤵
      PID:4908
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    PID:2664
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1484 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1476

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    228d25dd7d377af29848012a2b059814

    SHA1

    a29a3c1e167f3581b0aa4be90b1769a89beab01c

    SHA256

    9d4e26398806093c8af5a60e646afb3c2fc110ea0dc93821e29dc48da62280bb

    SHA512

    1d004bb21f7225fe220aae71d7836c0f5b2e58cb855209e2cc7f1a903ae73b67c408f59108b31faf7caed420758f4753b476c927299da5d607304b5d3a45bc61

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    434B

    MD5

    7f01dfadcbf00a084170fb3cb0c2f04d

    SHA1

    707827d3b3ddee0f98d24568260963a05d9f6551

    SHA256

    3d1e49df7ccc887d970da112b131267310f540de959358c79516fd6ef0cb0020

    SHA512

    e3a4ae82572fa367930e4851e032330a118f90e2c7e5cbdf85515552c0de8243dc7205b51423ab3b0746b8079a1ad6d8de67112a5abf6aa019a280ddbb5700d5

  • C:\Windows\romeo13.exe

    Filesize

    52KB

    MD5

    d6e7e97b595a5da8f8a53e6dc168df1c

    SHA1

    aec05e6a8a178d291c96267a59c4a483101d50ac

    SHA256

    f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865

    SHA512

    b8b247e9623edb69f43a69fd2f18e5b26481c2b7bbe574c10842a5efce41f3616afc6102f838a62edbf40c18ed254eae40301f58a1e8062d1d2e798f87e7a18d

  • \??\c:\2.reg

    Filesize

    202B

    MD5

    428090d84a47f875c8fdd6d0258f00c5

    SHA1

    96c029720065ac1dc5ece2a5481b780267d7b439

    SHA256

    8c8668f6339728aebfc08e547f15b0e250f6a551be86f47fcb6098ffe37f0404

    SHA512

    f752bf52b359a5a82e821ee288e11cd4176c39ac3c932c6f44db69780c6e2597e654bbb3a9db9c32f8659d5af66fa9578b5625758b1f6db70c1314369dbadf7d

  • \??\c:\353454543.bat

    Filesize

    116B

    MD5

    b420c64e5c921987cd2f92cb494e5d28

    SHA1

    045987d605e6b21329f4ef17dc692a3c7d740af5

    SHA256

    725acb501ded659a00f2d3e47b1b883bc51d9e86e3bcd43bc24950558d19fbfa

    SHA512

    bb462c62642c582bca3af499a6f5035e6dfd842330a70f3a31117b1ac5db6574b082cd8fc9922e1f66f308a9c7dc5f35aedad548d800616ac803b33c02a52296

  • \??\c:\353454543.bat

    Filesize

    276B

    MD5

    77f7828ebf4855db1db809269c85b8e2

    SHA1

    05ea2a3d17f1b0698a624477ee15e94fc8e57f94

    SHA256

    45453bc0f247aaaeca26d949d523bdecce5e09b7343fd39cf891c85922f0be9f

    SHA512

    f89ec4bd79fbbcf893a308cd0666b764a35c997b31852cf1790683a98e97c9ec4dc18f25db81f21429b43c063cb29945c280bece2ea40e4c94cba3499debfa1b

  • \??\c:\windows\romeo13.exe

    Filesize

    52KB

    MD5

    d6e7e97b595a5da8f8a53e6dc168df1c

    SHA1

    aec05e6a8a178d291c96267a59c4a483101d50ac

    SHA256

    f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865

    SHA512

    b8b247e9623edb69f43a69fd2f18e5b26481c2b7bbe574c10842a5efce41f3616afc6102f838a62edbf40c18ed254eae40301f58a1e8062d1d2e798f87e7a18d