Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
158s -
max time network
186s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
06/12/2022, 20:50
Static task
static1
Behavioral task
behavioral1
Sample
afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe
Resource
win10v2004-20220812-en
General
-
Target
afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe
-
Size
440KB
-
MD5
dd4de41028911c5d9e1565aad48e06e5
-
SHA1
a97a21d642390719d3b5325e3a486608423bc23b
-
SHA256
afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea
-
SHA512
e1df19247f3382f870f73330e6a2941de3a5236b4a4632d8d4b7f97533b088df3e5897ec7f97228441bf2079553ecf7607d1eac8ed0b02efefc5197bb29f4194
-
SSDEEP
12288:pl41zfEOYGxSp+GKMXExFVWIaK3sojsifM:T6oOx0KMwVWIaeo
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2816 inl15FA.tmp -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation inl15FA.tmp -
Loads dropped DLL 2 IoCs
pid Process 5020 MsiExec.exe 5020 MsiExec.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\H: msiexec.exe -
Drops file in Windows directory 7 IoCs
description ioc Process File opened for modification C:\Windows\LOGS\DPX\setupact.log expand.exe File opened for modification C:\Windows\LOGS\DPX\setuperr.log expand.exe File opened for modification C:\Windows\Installer\MSID1D7.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID2C2.tmp msiexec.exe File created C:\Windows\Installer\e57bbbe.msi msiexec.exe File opened for modification C:\Windows\Installer\e57bbbe.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe -
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process Token: SeShutdownPrivilege 2532 msiexec.exe Token: SeIncreaseQuotaPrivilege 2532 msiexec.exe Token: SeSecurityPrivilege 4916 msiexec.exe Token: SeCreateTokenPrivilege 2532 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2532 msiexec.exe Token: SeLockMemoryPrivilege 2532 msiexec.exe Token: SeIncreaseQuotaPrivilege 2532 msiexec.exe Token: SeMachineAccountPrivilege 2532 msiexec.exe Token: SeTcbPrivilege 2532 msiexec.exe Token: SeSecurityPrivilege 2532 msiexec.exe Token: SeTakeOwnershipPrivilege 2532 msiexec.exe Token: SeLoadDriverPrivilege 2532 msiexec.exe Token: SeSystemProfilePrivilege 2532 msiexec.exe Token: SeSystemtimePrivilege 2532 msiexec.exe Token: SeProfSingleProcessPrivilege 2532 msiexec.exe Token: SeIncBasePriorityPrivilege 2532 msiexec.exe Token: SeCreatePagefilePrivilege 2532 msiexec.exe Token: SeCreatePermanentPrivilege 2532 msiexec.exe Token: SeBackupPrivilege 2532 msiexec.exe Token: SeRestorePrivilege 2532 msiexec.exe Token: SeShutdownPrivilege 2532 msiexec.exe Token: SeDebugPrivilege 2532 msiexec.exe Token: SeAuditPrivilege 2532 msiexec.exe Token: SeSystemEnvironmentPrivilege 2532 msiexec.exe Token: SeChangeNotifyPrivilege 2532 msiexec.exe Token: SeRemoteShutdownPrivilege 2532 msiexec.exe Token: SeUndockPrivilege 2532 msiexec.exe Token: SeSyncAgentPrivilege 2532 msiexec.exe Token: SeEnableDelegationPrivilege 2532 msiexec.exe Token: SeManageVolumePrivilege 2532 msiexec.exe Token: SeImpersonatePrivilege 2532 msiexec.exe Token: SeCreateGlobalPrivilege 2532 msiexec.exe Token: SeIncBasePriorityPrivilege 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe Token: SeRestorePrivilege 4916 msiexec.exe Token: SeTakeOwnershipPrivilege 4916 msiexec.exe Token: SeRestorePrivilege 4916 msiexec.exe Token: SeTakeOwnershipPrivilege 4916 msiexec.exe Token: SeRestorePrivilege 4916 msiexec.exe Token: SeTakeOwnershipPrivilege 4916 msiexec.exe Token: SeIncBasePriorityPrivilege 2816 inl15FA.tmp -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 668 wrote to memory of 3440 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe 81 PID 668 wrote to memory of 3440 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe 81 PID 668 wrote to memory of 3440 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe 81 PID 668 wrote to memory of 2532 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe 83 PID 668 wrote to memory of 2532 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe 83 PID 668 wrote to memory of 2532 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe 83 PID 668 wrote to memory of 4436 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe 85 PID 668 wrote to memory of 4436 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe 85 PID 668 wrote to memory of 4436 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe 85 PID 668 wrote to memory of 764 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe 87 PID 668 wrote to memory of 764 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe 87 PID 668 wrote to memory of 764 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe 87 PID 668 wrote to memory of 3164 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe 89 PID 668 wrote to memory of 3164 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe 89 PID 668 wrote to memory of 3164 668 afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe 89 PID 764 wrote to memory of 3568 764 cmd.exe 91 PID 764 wrote to memory of 3568 764 cmd.exe 91 PID 764 wrote to memory of 3568 764 cmd.exe 91 PID 4436 wrote to memory of 2816 4436 cmd.exe 94 PID 4436 wrote to memory of 2816 4436 cmd.exe 94 PID 4436 wrote to memory of 2816 4436 cmd.exe 94 PID 4916 wrote to memory of 5020 4916 msiexec.exe 96 PID 4916 wrote to memory of 5020 4916 msiexec.exe 96 PID 4916 wrote to memory of 5020 4916 msiexec.exe 96 PID 2816 wrote to memory of 1600 2816 inl15FA.tmp 97 PID 2816 wrote to memory of 1600 2816 inl15FA.tmp 97 PID 2816 wrote to memory of 1600 2816 inl15FA.tmp 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe"C:\Users\Admin\AppData\Local\Temp\afc0af47fddd29e270d670770c35bb95a212b35c5ecac43167959318fd4b3bea.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat" "2⤵PID:3440
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\insFA72.tmp.msi" /quiet2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Users\Admin\AppData\Local\Temp\inl15FA.tmpC:\Users\Admin\AppData\Local\Temp\inl15FA.tmp cdf1912.tmp3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl15FA.tmp > nul4⤵PID:1600
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\expand.exeexpand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"3⤵
- Drops file in Windows directory
PID:3568
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\AFC0AF~1.EXE > nul2⤵PID:3164
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1D87255025F69FF5BCB719E8C04C27452⤵
- Loads dropped DLL
PID:5020
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
768B
MD5d20d9eda31a2d0300e4589df7f352370
SHA179b46d2dbb489914cfedafdbc90e62951471b48e
SHA256d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8
SHA512d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e
-
Filesize
57.2MB
MD5d09752b3050c222dcce272247b834031
SHA1b649230c72a345e76535a4ca5fa312396d8cf106
SHA256ffafb18f5f8094df53f99885b1d722d469192605ae41f2b51baab5d69650952b
SHA512417da071279decdf01565fdd8e4d446dd7f02906f770133c9bbd6fa57740968e9357c7dcc388926bf2bb6693d17783702c7d639272086890a07cc3ee375526b0
-
Filesize
57.2MB
MD5d09752b3050c222dcce272247b834031
SHA1b649230c72a345e76535a4ca5fa312396d8cf106
SHA256ffafb18f5f8094df53f99885b1d722d469192605ae41f2b51baab5d69650952b
SHA512417da071279decdf01565fdd8e4d446dd7f02906f770133c9bbd6fa57740968e9357c7dcc388926bf2bb6693d17783702c7d639272086890a07cc3ee375526b0
-
Filesize
57.5MB
MD53bcb82675e41906539bb4d680192571d
SHA1ac745d3bbbf7d6cc28abd13b4fb9574a65521c58
SHA2566204fdcacf433ce399ef25d5363777f63f918ec723724b7a1e6f3a265e6869eb
SHA512c94d9f15a2dcb10ba65b5c5099b68495fe5476991b4f019e3354f3335ec2f2231ecfa2069d0a2abaa593fa9de640cd33b75d0c5f3951cce9e1b6839baf412b99
-
Filesize
57B
MD54eac7675947829f5b7d6e153b95092e3
SHA173d582f6bc3aa59d3bdb1718aa5f9055b92b0235
SHA2569becc0a72400ac3388fb20c4b43866ae6cdb4fcab3bdbe6c0490f72eeefe2159
SHA512fe7af2ee7fa01a9ee43028e92503f3570739ad89dcfec707a6678c729df04b8aa9c0dbe60fb809e0be962514b23941c7a65475f4890c45545cce2e3bb985fe1c
-
Filesize
26B
MD549cb42ed4e90c1df7d7bd69348b4cac9
SHA10e06e4b6201177a24c304b02fb052d6f5393f314
SHA2560fe404e349177b204405181c00c357c1ac82cbd04ca450e2faebeead2ef54b6d
SHA512e42e038acbbf58c17a2fd0353b14f65d360ec886aafdade4e1d71ca45f9852d01a080a9d09676008aa15296a4ac87eb1ff6e29523d057f1d4452e21776cbc319
-
Filesize
98B
MD58663de6fce9208b795dc913d1a6a3f5b
SHA1882193f208cf012eaf22eeaa4fef3b67e7c67c15
SHA2562909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61
SHA5129381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688
-
Filesize
48KB
MD59067aad412defc0d2888479609041392
SHA136cfffc3bafeb24f88ad5886ca5787ca008b6ba9
SHA25699f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517
SHA512e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a
-
Filesize
48KB
MD59067aad412defc0d2888479609041392
SHA136cfffc3bafeb24f88ad5886ca5787ca008b6ba9
SHA25699f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517
SHA512e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a
-
Filesize
48KB
MD59067aad412defc0d2888479609041392
SHA136cfffc3bafeb24f88ad5886ca5787ca008b6ba9
SHA25699f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517
SHA512e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a
-
Filesize
48KB
MD59067aad412defc0d2888479609041392
SHA136cfffc3bafeb24f88ad5886ca5787ca008b6ba9
SHA25699f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517
SHA512e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a
-
Filesize
425B
MD5da68bc3b7c3525670a04366bc55629f5
SHA115fda47ecfead7db8f7aee6ca7570138ba7f1b71
SHA25673f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5
SHA5126fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0