Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
3Static
static
118.rar
windows10-1703-x64
318/Packs-X...01.png
windows10-1703-x64
318/Packs-X...02.jpg
windows10-1703-x64
318/Packs-X...03.jpg
windows10-1703-x64
318/Packs-X...04.jpg
windows10-1703-x64
318/Packs-X...05.jpg
windows10-1703-x64
318/Packs-X...06.jpg
windows10-1703-x64
318/Packs-X...07.jpg
windows10-1703-x64
318/Packs-X...08.jpg
windows10-1703-x64
318/Packs-X...09.jpg
windows10-1703-x64
318/Packs-X...10.jpg
windows10-1703-x64
318/Packs-X...11.jpg
windows10-1703-x64
318/Packs-X...12.jpg
windows10-1703-x64
318/Packs-X...13.jpg
windows10-1703-x64
318/Packs-X...14.jpg
windows10-1703-x64
318/Packs-X...15.jpg
windows10-1703-x64
318/Packs-X...16.jpg
windows10-1703-x64
318/Packs-X...17.jpg
windows10-1703-x64
318/Packs-X...18.jpg
windows10-1703-x64
318/Packs-X...19.jpg
windows10-1703-x64
318/Packs-X...20.jpg
windows10-1703-x64
318/Packs-X...21.jpg
windows10-1703-x64
318/Packs-X...22.jpg
windows10-1703-x64
3Analysis
-
max time kernel
320s -
max time network
1609s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
16/04/2023, 17:37
Static task
static1
Behavioral task
behavioral1
Sample
18.rar
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral2
Sample
18/Packs-XXX.online--01.png
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral3
Sample
18/Packs-XXX.online--02.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral4
Sample
18/Packs-XXX.online--03.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral5
Sample
18/Packs-XXX.online--04.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral6
Sample
18/Packs-XXX.online--05.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral7
Sample
18/Packs-XXX.online--06.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral8
Sample
18/Packs-XXX.online--07.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral9
Sample
18/Packs-XXX.online--08.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral10
Sample
18/Packs-XXX.online--09.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral11
Sample
18/Packs-XXX.online--10.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral12
Sample
18/Packs-XXX.online--11.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral13
Sample
18/Packs-XXX.online--12.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral14
Sample
18/Packs-XXX.online--13.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral15
Sample
18/Packs-XXX.online--14.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral16
Sample
18/Packs-XXX.online--15.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral17
Sample
18/Packs-XXX.online--16.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral18
Sample
18/Packs-XXX.online--17.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral19
Sample
18/Packs-XXX.online--18.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral20
Sample
18/Packs-XXX.online--19.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral21
Sample
18/Packs-XXX.online--20.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral22
Sample
18/Packs-XXX.online--21.jpg
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral23
Sample
18/Packs-XXX.online--22.jpg
Resource
win10-20230220-en
windows10-1703-x64
General
-
Target
18/Packs-XXX.online--01.png
-
Size
164KB
-
MD5
ffdd075b6fc4d7d2bda8b5361d01ded1
-
SHA1
150932e6f5e7a898b2aa463c9cd3d1e8138a4fdb
-
SHA256
0f0f0dfeeb98d504c36199d75986d924fe34fa32fda625b75ad815aeab44ae71
-
SHA512
ee17168a772866f916e57faf81b964491e65d96a464850d10a0572f2e085b9cb37f5a79d89b480fd642d9d5d15a631397d5f830494852f2bff1d78b2e85820b7
-
SSDEEP
3072:ILrd5rzDXMe1qQig/XlbwtryNx0+ii/TW+EhjwJlbq9f3R2lv6aqxXJdddvG:Ord5rzDXbigKtypigTHEhOtk3Mlv6N5W
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 244 4060 WerFault.exe 81 -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31027338" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000af653a432a26840a7b5ec4575ca9dcc00000000020000000000106600000001000020000000a55d6211c7885d924fd0c077e476aefd092b5032a57db185438a2abfefa36fd6000000000e8000000002000020000000eca257d895c847f23d39faa37d4a06458052a47ccc89d28c4c03b1c00172c521200000005c29d3d88e32d714693f83ec4a8f39d6f5bb4a2ef689a4380621ad5521cbdafc4000000015e1a8611148d07a7ce40446f04d490e8dc901116743985d895671db18d3d2587099c8c1b7416183ce398588b652d6c99cfec678f657b351c9a22514da2ad09f iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\LowRegistry PaintStudio.View.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000af653a432a26840a7b5ec4575ca9dcc00000000020000000000106600000001000020000000f643591010b6deb00a33488f89fd6c0198188840aad7b135bee8b893945433ae000000000e800000000200002000000013c87d35e517fe2fd87f27aaddc7bbc42035cf85a5567dc50af37957bb757f12200000000193c1bea7e08e4a11b67ca16ba4db315ac88cb31994d34c6545216e8dc90cfa4000000086c10ebd423be2e08a29c08539c53f16ea7fe2ddcce1611a7ce5fd60d04b5f6a220ac9038e1731a75f05d859eb044bc1f0e7843381642346ce541c55b314ccda iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions\Cached PaintStudio.View.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1544134571" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{877C5179-DC7D-11ED-9346-DED4330153B3} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions PaintStudio.View.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40d54d5d8a70d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1544134571" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31027338" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 600c3d5d8a70d901 iexplore.exe -
Modifies registry class 12 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix PaintStudio.View.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200" PaintStudio.View.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies PaintStudio.View.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" PaintStudio.View.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" PaintStudio.View.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache PaintStudio.View.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings PaintStudio.View.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache PaintStudio.View.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History PaintStudio.View.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content PaintStudio.View.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" PaintStudio.View.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" PaintStudio.View.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4060 PaintStudio.View.exe -
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid Process 2240 mspaint.exe 2240 mspaint.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4060 PaintStudio.View.exe Token: SeDebugPrivilege 4060 PaintStudio.View.exe Token: SeDebugPrivilege 4060 PaintStudio.View.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 5068 iexplore.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 5068 iexplore.exe 5068 iexplore.exe 2976 IEXPLORE.EXE 2976 IEXPLORE.EXE 2240 mspaint.exe 4060 PaintStudio.View.exe 4060 PaintStudio.View.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5068 wrote to memory of 2976 5068 iexplore.exe 72 PID 5068 wrote to memory of 2976 5068 iexplore.exe 72 PID 5068 wrote to memory of 2976 5068 iexplore.exe 72
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\18\Packs-XXX.online--01.png1⤵PID:2392
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4520
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\WriteTest.gif1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5068 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2976
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ExportResize.jpeg" /ForceBootstrapPaint3D1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2240
-
C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4060 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4060 -s 43962⤵
- Program crash
PID:244
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
Filesize2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
Filesize233B
MD5dc256bc88faa450685866d13ea967c3a
SHA135124352d82c89e1eb46f767f5b6559e6e057d7d
SHA256e2775325a7aa9ca3077c1be6ad6b6e8ec35305073ebb791ac51bacf03bd840bc
SHA512487919b8718b694404b529d3b5698201b80f0536fcd6597d473be029f0ff789e45b3cfd442b84105e705c302b5f6770f5cec0a3c284598f2d3bb878a86c9b2a8
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
Filesize2KB
MD5404a3ec24e3ebf45be65e77f75990825
SHA11e05647cf0a74cedfdeabfa3e8ee33b919780a61
SHA256cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2
SHA512a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5