Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
70FF1C3 202...ll.exe
windows7-x64
70FF1C3 202...ll.exe
windows10-2004-x64
0FF1C3 202...up.exe
windows7-x64
10FF1C3 202...up.exe
windows10-2004-x64
70FF1C3 202...pp.exe
windows7-x64
10FF1C3 202...pp.exe
windows10-2004-x64
10FF1C3 202...00.dll
windows7-x64
30FF1C3 202...00.dll
windows10-2004-x64
30FF1C3 202...pp.exe
windows7-x64
10FF1C3 202...pp.exe
windows10-2004-x64
10FF1C3 202...00.dll
windows7-x64
30FF1C3 202...00.dll
windows10-2004-x64
3Analysis
-
max time kernel
114s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
22/03/2023, 14:46
Behavioral task
behavioral1
Sample
0FF1C3 2021 - by Diekrolo/M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M/OInstall.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
0FF1C3 2021 - by Diekrolo/M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M/OInstall.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
0FF1C3 2021 - by Diekrolo/M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M/files/setup.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
0FF1C3 2021 - by Diekrolo/M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M/files/setup.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral5
Sample
0FF1C3 2021 - by Diekrolo/M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M/files/x64/cleanospp.exe
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
0FF1C3 2021 - by Diekrolo/M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M/files/x64/cleanospp.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral7
Sample
0FF1C3 2021 - by Diekrolo/M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M/files/x64/msvcr100.dll
Resource
win7-20230220-en
Behavioral task
behavioral8
Sample
0FF1C3 2021 - by Diekrolo/M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M/files/x64/msvcr100.dll
Resource
win10v2004-20230221-en
Behavioral task
behavioral9
Sample
0FF1C3 2021 - by Diekrolo/M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M/files/x86/cleanospp.exe
Resource
win7-20230220-en
Behavioral task
behavioral10
Sample
0FF1C3 2021 - by Diekrolo/M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M/files/x86/cleanospp.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral11
Sample
0FF1C3 2021 - by Diekrolo/M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M/files/x86/msvcr100.dll
Resource
win7-20230220-en
Behavioral task
behavioral12
Sample
0FF1C3 2021 - by Diekrolo/M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M/files/x86/msvcr100.dll
Resource
win10v2004-20230220-en
General
-
Target
0FF1C3 2021 - by Diekrolo/M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M/files/setup.exe
-
Size
7.0MB
-
MD5
072a2efea576956e465aff2492a1c7f4
-
SHA1
c7ae89bf444a33d9d92584df62e16e518942b31d
-
SHA256
ee3875abd5d49a1891c8818820f61a1e5d0382df37b5a5b72e175b2b6c70a9c2
-
SHA512
5b4f4a4508d042c7554369729ca40cb16ed61f63a41996bf8689a17d0939fc95834a44e54833e50291b26df4d2f0d2877a6272039b3fc0b20dabc885eecc87eb
-
SSDEEP
98304:4RimgRP8n5KSBHSFDd0t2M69XpiSLMmSCh+kB63QcJ11PaKLkhd2S6amwY2hk4:rmmGmDd0tMXHMmXh+kBuhJ1IDYS6amWT
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation setup.exe -
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer setup.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString setup.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU setup.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3068 powershell.exe 3068 powershell.exe 1200 powershell.exe 1200 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3068 powershell.exe Token: SeDebugPrivilege 1200 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3648 setup.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3648 wrote to memory of 3068 3648 setup.exe 86 PID 3648 wrote to memory of 3068 3648 setup.exe 86 PID 3648 wrote to memory of 3068 3648 setup.exe 86 PID 3648 wrote to memory of 1200 3648 setup.exe 92 PID 3648 wrote to memory of 1200 3648 setup.exe 92 PID 3648 wrote to memory of 1200 3648 setup.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\0FF1C3 2021 - by Diekrolo\M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M\files\setup.exe"C:\Users\Admin\AppData\Local\Temp\0FF1C3 2021 - by Diekrolo\M1CR0S0F7 0FF1C3 2021 (LICENCIA PERPETUA) -S.M\files\setup.exe"1⤵
- Checks computer location settings
- Checks system information in the registry
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD595201d9e44c732d9b261b4b334505d6b
SHA1d5f3f499ef27920d8a614152191a7e0c2f9c0264
SHA256baa9a89717f4013b2799bd06490c738246759ecdf7a3200406fad5a443e83669
SHA51215ddf637b642144dca99e2794cb4ca4d1dfa9d682e7eb42075d9b269dd5a479b5ea86017db142b599a3f022ebb695baf3691305ab17009060b4f64ddd7254282
-
Filesize
18KB
MD5e00a3e8635b0ce783692b98b67959cc8
SHA10b671ce63a0b8578d499a2fa01f50230f8ebbe83
SHA25610d1543e6c61cef1e4a278ee3ebc4c727d52a4bce11bf32eeb2a4eb89a7cf87c
SHA512ce9d3983abcfe388a8ff1e9e6087b5c61130627fe009f6f0de42f444624dec2dc15cee11705aba9ca5b6805bb05611e7eb94dacfca8520b3ca926361be6b6493
-
Filesize
26B
MD5bd3457e50947d4280734e74b51b5b68d
SHA1424635c6b5622a6c01a59d290a1c9ab8e593effc
SHA25623d647979bc5dc186de5ba3e00a222a912ab8e4782eb6407efa70e29e95979f5
SHA512e83e3615a5e94af288eb1c9b92f55e271765cc43531ec94574371debf63c0c4a58327b6fd8a4775bfba8a3234220cb0396b6d33164309a09a1d826c0689143fb
-
Filesize
26B
MD5bd3457e50947d4280734e74b51b5b68d
SHA1424635c6b5622a6c01a59d290a1c9ab8e593effc
SHA25623d647979bc5dc186de5ba3e00a222a912ab8e4782eb6407efa70e29e95979f5
SHA512e83e3615a5e94af288eb1c9b92f55e271765cc43531ec94574371debf63c0c4a58327b6fd8a4775bfba8a3234220cb0396b6d33164309a09a1d826c0689143fb
-
Filesize
3B
MD521438ef4b9ad4fc266b6129a2f60de29
SHA15eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
SHA25613bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
SHA51237436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237
-
Filesize
3B
MD521438ef4b9ad4fc266b6129a2f60de29
SHA15eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
SHA25613bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
SHA51237436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82