Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 152s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/12/2022, 01:33
Static task: static1
Behavioral task: behavioral1
- Sample: 918c7c0359cf05bf076302540d40c4131ac09fbbf2d734b6119a4f5cc2397a5f.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 918c7c0359cf05bf076302540d40c4131ac09fbbf2d734b6119a4f5cc2397a5f.exe
- Resource: win10v2004-20220901-en
General
- Target: 918c7c0359cf05bf076302540d40c4131ac09fbbf2d734b6119a4f5cc2397a5f.exe
- Size: 112KB
- MD5: 4674566e25e78bb4f4ab7a8a1c86f9cb
- SHA1: adb83767f85dc9e6270ca934c51bd87203816086
- SHA256: 918c7c0359cf05bf076302540d40c4131ac09fbbf2d734b6119a4f5cc2397a5f
- SHA512: 9e5ba5a481f7f4c7671615b1861f077976e76a87467b5fe1a45556b68b2e78265ae9cf1a484bd83f3f1ff4f8f56cae1edfad864f80201f80e81d9ae1c99bf318
- SSDEEP: 1536:kr4vEtHYKKSYP8mxBsEQRn2BkRd4Kp1xtHYKKS8D:kReKKSYh4Eimym2xeKKS8D
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 4780: ksoft.exe
- Drops file in Program Files directory (3 IoCs)
  File opened for modification: C:\Program Files\sytre\ksoft.exe (process: 918c7c0359cf05bf076302540d40c4131ac09fbbf2d734b6119a4f5cc2397a5f.exe)
  File opened for modification: C:\Program Files\system\yy.dll (process: ksoft.exe)
  File created: C:\Program Files\ty\tem.vbs (process: ksoft.exe)
- Modifies Internet Explorer settings
- Modifies registry class (3 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32 (process: ksoft.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID (process: ksoft.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC} (process: ksoft.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 4728: iexplore.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 1028: 918c7c0359cf05bf076302540d40c4131ac09fbbf2d734b6119a4f5cc2397a5f.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 4728: iexplore.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  pid 1028: 918c7c0359cf05bf076302540d40c4131ac09fbbf2d734b6119a4f5cc2397a5f.exe
  pid 4780: ksoft.exe
  pid 4728: iexplore.exe
  pid 4728: iexplore.exe
  pid 3188: IEXPLORE.EXE
  pid 3188: IEXPLORE.EXE
  pid 3188: IEXPLORE.EXE
  pid 3188: IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1028 wrote to memory of 4780 (process: 918c7c0359cf05bf076302540d40c4131ac09fbbf2d734b6119a4f5cc2397a5f.exe, procid_target 82)
  PID 1028 wrote to memory of 4780 (process: 918c7c0359cf05bf076302540d40c4131ac09fbbf2d734b6119a4f5cc2397a5f.exe, procid_target 82)
  PID 1028 wrote to memory of 4780 (process: 918c7c0359cf05bf076302540d40c4131ac09fbbf2d734b6119a4f5cc2397a5f.exe, procid_target 82)
  PID 4728 wrote to memory of 3188 (process: iexplore.exe, procid_target 85)
  PID 4728 wrote to memory of 3188 (process: iexplore.exe, procid_target 85)
  PID 4728 wrote to memory of 3188 (process: iexplore.exe, procid_target 85)
  PID 1028 wrote to memory of 1356 (process: 918c7c0359cf05bf076302540d40c4131ac09fbbf2d734b6119a4f5cc2397a5f.exe, procid_target 86)
  PID 1028 wrote to memory of 1356 (process: 918c7c0359cf05bf076302540d40c4131ac09fbbf2d734b6119a4f5cc2397a5f.exe, procid_target 86)
  PID 1028 wrote to memory of 1356 (process: 918c7c0359cf05bf076302540d40c4131ac09fbbf2d734b6119a4f5cc2397a5f.exe, procid_target 86)
Processes
- C:\Users\Admin\AppData\Local\Temp\918c7c0359cf05bf076302540d40c4131ac09fbbf2d734b6119a4f5cc2397a5f.exe (PID 1028, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\918c7c0359cf05bf076302540d40c4131ac09fbbf2d734b6119a4f5cc2397a5f.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\sytre\ksoft.exe (PID 4780, level 2)
    Command line: "C:\Program Files\sytre\ksoft.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 1356, level 2)
    Command line: C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\918C7C~1.EXE"
- C:\Program Files (x86)\Internet Explorer\ielowutil.exe (PID 1484, level 1)
  Command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
- C:\Program Files\Internet Explorer\iexplore.exe (PID 4728, level 1)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 3188, level 2)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4728 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 112KB
  MD5: 4674566e25e78bb4f4ab7a8a1c86f9cb
  SHA1: adb83767f85dc9e6270ca934c51bd87203816086
  SHA256: 918c7c0359cf05bf076302540d40c4131ac09fbbf2d734b6119a4f5cc2397a5f
  SHA512: 9e5ba5a481f7f4c7671615b1861f077976e76a87467b5fe1a45556b68b2e78265ae9cf1a484bd83f3f1ff4f8f56cae1edfad864f80201f80e81d9ae1c99bf318
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: 8b90c80540ac0b7f86a00f00c7adb0e5
  SHA1: a83d1a28ce3a71303dc0eb7359182812d74539c8
  SHA256: 47d6c62ae69a38a716da5db2d4b4c95193dc1dcbebef3c55dea8c0cfb13ea256
  SHA512: 546494549dbf6e3c8fc547c3269a3564c6ba6e34ba66df238f31f6b53a35f9b46f5973deb38c7a686ee89b484b95cb0be1c4b49b5c771d38d80d42eb66885cd3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 434B
  MD5: 449287acae34b701fc574d32b49f687a
  SHA1: ccef7f480e2f4c9e746c1481d24c5c07c489bf89
  SHA256: c828efca156b1f5d7dee4bb38017022ef06eaa9aecd4892cf94facb189979dba
  SHA512: c1f0a1bf0cc49b48edece4d390529c04b48b2ce70a25e213280c0bc96855bbe58c37349349db7af825880276c72e574a9162b8ce2454ed7b205eefbfda51fa5e