Analysis
- max time kernel: 148s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 14/02/2023, 18:30
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: a44404aac23672009dc1d835f223d35b.exe
  - Resource: win7-20220901-en
General
- Target: a44404aac23672009dc1d835f223d35b.exe
- Size: 293KB
- MD5: a44404aac23672009dc1d835f223d35b
- SHA1: 31aee1e8489ef5b6033f24050ff309941f8f38b0
- SHA256: 1a82b5f2c6d3897569544939dfae30457d05924c8811f009d0cd1540319ea90c
- SHA512: 2a70e223ca53759418bb42caa5d90dee2629f18815035f4cb92296eddac284f8a4074cfc9efada30ab9c27305e14249d5cb3731ec18fc41fc87695a6ef04357b
- SSDEEP: 6144:0Ya6qfeaNVq78yPmAR6PAqqQ1hPP23xulTtZ3X3fCA:0YMmaS78yP3g4qxYeZ3XvCA
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: nes8
Signatures
- Formbook payload (3 IoCs)
  yara_rule "formbook" matched in:
  - behavioral1/memory/572-66-0x0000000000400000-0x000000000042F000-memory.dmp
  - behavioral1/memory/1660-74-0x0000000000090000-0x00000000000BF000-memory.dmp
  - behavioral1/memory/1660-78-0x0000000000090000-0x00000000000BF000-memory.dmp
- Executes dropped EXE (2 IoCs)
  - PID 940 yoznhk.exe
  - PID 572 yoznhk.exe
- Loads dropped DLL (3 IoCs)
  - PID 1368 a44404aac23672009dc1d835f223d35b.exe (2 hits)
  - PID 940 yoznhk.exe
- Suspicious use of SetThreadContext (3 IoCs)
  - PID 940 yoznhk.exe set thread context of PID 572 (procid_target 28)
  - PID 572 yoznhk.exe set thread context of PID 1232 (procid_target 15)
  - PID 1660 cmstp.exe set thread context of PID 1232 (procid_target 15)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  - PID 572 yoznhk.exe (2 hits)
  - PID 1660 cmstp.exe (25 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 1232 Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  - PID 940 yoznhk.exe (1 hit)
  - PID 572 yoznhk.exe (3 hits)
  - PID 1660 cmstp.exe (2 hits)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 572 yoznhk.exe
  - Token: SeDebugPrivilege, PID 1660 cmstp.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  - PID 1232 Explorer.EXE (2 hits)
- Suspicious use of SendNotifyMessage (2 IoCs)
  - PID 1232 Explorer.EXE (2 hits)
- Suspicious use of WriteProcessMemory (20 IoCs)
  - PID 1368 a44404aac23672009dc1d835f223d35b.exe wrote to memory of PID 940 (procid_target 27), 4 hits
  - PID 940 yoznhk.exe wrote to memory of PID 572 (procid_target 28), 5 hits
  - PID 1232 Explorer.EXE wrote to memory of PID 1660 (procid_target 29), 7 hits
  - PID 1660 cmstp.exe wrote to memory of PID 952 (procid_target 30), 4 hits
Processes
- [1] C:\Windows\Explorer.EXE (PID 1232)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\a44404aac23672009dc1d835f223d35b.exe (PID 1368)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a44404aac23672009dc1d835f223d35b.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\yoznhk.exe (PID 940)
      Command line: "C:\Users\Admin\AppData\Local\Temp\yoznhk.exe" C:\Users\Admin\AppData\Local\Temp\qsruthgcsxr.a
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\yoznhk.exe (PID 572)
        Command line: "C:\Users\Admin\AppData\Local\Temp\yoznhk.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmstp.exe (PID 1660)
    Command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 952)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\yoznhk.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 205KB
  MD5: f1ea13fa35de3f09b96364341d87d125
  SHA1: 8de2b74f3a5bbcb1ba8ced276904c7a47266a1a1
  SHA256: b21c98a92b9bbbf684de96fb96adbcd534368df3fdd7b615bc59e0b1685a8434
  SHA512: 7e91642293d03ad05941ab5e1c464bc08197900001b61ddbd9d3f3445b5e1559d1e82ba1630634ec78701b2d508822585bb5cbfab80e07c33052401f7cff442e
- Filesize: 5KB
  MD5: 54b71333295fca6cf02f2b33fd820c76
  SHA1: 1b918d25d644d6aae65324fb77e50a3a2ee50147
  SHA256: 5d44da7c885fc6d6a5f454a2e73c7409a5d5f434ea9984f39221750b75840442
  SHA512: 095ebd5cac031872c9cb2328070c127ea7862140e9bc89421c4ce8ff17804dde88ccc330b79e709c17c61179bc7c8146420e734c8e512b5e82eede690fa5629b
- Filesize: 74KB
  MD5: 33197092d5e40869139dafa9e86397eb
  SHA1: 1c94e4036d5ab42cc9e405c31bccc2af3e316fed
  SHA256: 91975a8affb95985c82de51e6f71acb803833d2e9ddf1099145f9a2a04300d50
  SHA512: a313a4fd70685c733257eecc437944f7e3bd1277c6be1c8f1b569e624e50c9b7b57453ff2b93effe3ba9f9cd08ab34c6a85c50c5dd805c7a09a620b105fcb8b5