Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 39s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 08:24
Static task: static1
Behavioral task: behavioral1 (sample 5f9127245473fbfdab735869bce40d88.exe, resource win7-20231215-en)
Behavioral task: behavioral2 (sample 5f9127245473fbfdab735869bce40d88.exe, resource win10v2004-20231222-en)
General
Target: 5f9127245473fbfdab735869bce40d88.exe
Size: 484KB
MD5: 5f9127245473fbfdab735869bce40d88
SHA1: 4960afd3e5e88ec967973248b93b97a4743fa5d1
SHA256: 9bff283edf384a62a8aab5d2827b1c8fd4514746fc7f2c3ce688a34b419a1a86
SHA512: 4299e96e65b96b78bb84896c84fadcf321c7afff31b926988ca2ea0478f61724f015ac583b5a19bab6d3f3ae35a56cf31749478cb13ae8e5011e35438046f4b1
SSDEEP: 12288:hoUld/f2I9JECdYW4/e4Pii15XZSAmKjlafbdDNUQ:R92ILECd0R15XZS3QafpDNUQ
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | LB9c4j3K.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | jiizob.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | LB9c4j3K.exe
Executes dropped EXE (7 IoCs)
pid | process
4516 | LB9c4j3K.exe
1496 | jiizob.exe
4892 | aahost.exe
4288 | aahost.exe
4940 | bshost.exe
532 | dyhost.exe
392 | ekhost.exe
UPX packed file (4 IoCs)
resource | yara_rule
behavioral2/memory/4288-52-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral2/memory/4288-55-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral2/memory/4288-50-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral2/memory/4288-47-0x0000000000400000-0x000000000040E000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 29 IoCs)
All 29 entries write the same value, \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob, and differ only in the command-line switch and in which process wrote it:
description | data | process
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /G" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /k" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /d" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /e" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /i" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /O" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /S" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /g" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /H" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /V" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /Z" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /X" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /B" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /d" | LB9c4j3K.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /C" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /m" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /x" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /y" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /K" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /p" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /u" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /f" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /F" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /q" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /r" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /s" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /v" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /N" | jiizob.exe
Set value (str) | "C:\\Users\\Admin\\jiizob.exe /t" | jiizob.exe
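The three registry signatures above (ShowSuperHidden set to 0, the Geo\Nation lookup, and the repeatedly rewritten Run\jiizob value) are exactly the kind of IoC lines an analyst wants to triage mechanically across many reports. The script below is an added example written for this page, not Triage's own tooling: it parses IoC lines in the report's own "Set value (...) <path> = "<data>" <process>" / "Key value queried <path> <process>" layout, groups the Run-key writes by value name, and emits findings. The sample lines are copied from the tables above; the regexes, the "user-profile root" heuristic and the ATT&CK technique mapping (T1564.001, T1614, T1547.001) are this example's assumptions.

```python
"""Parse Triage-style registry IoC lines and flag the behaviours seen in this report.
Added example; regexes and ATT&CK mapping are the example author's, not Triage's."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: six IoC lines copied from the three registry signatures above.
SAMPLE = r'''
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" LB9c4j3K.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" jiizob.exe
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation LB9c4j3K.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /G" jiizob.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /k" jiizob.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jiizob = "C:\\Users\\Admin\\jiizob.exe /d" LB9c4j3K.exe
'''

# Layout of the report's IoC lines (assumption: process name has no spaces).
SET_RE = re.compile(r'^Set value \((?P<kind>int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
QUERY_RE = re.compile(r'^Key value queried (?P<path>\\REGISTRY\\.+) (?P<proc>\S+)$')
# Split "<exe> <switches>" as stored in the Run value.
EXE_RE = re.compile(r'^(?P<exe>.+?\.exe)(?:\s+(?P<args>.*))?$', re.I)
# Heuristic: an autorun binary sitting directly in C:\Users\<user>\ is unusual for software.
PROFILE_ROOT_RE = re.compile(r'^[a-z]:\\users\\[^\\]+\\[^\\]+$', re.I)


@dataclass
class RegEvent:
    op: str              # "set" or "query"
    path: str            # full key\value path as the report prints it
    data: Optional[str]  # value data for "set", None for "query"
    proc: str            # process that performed the operation


def parse(text: str) -> List[RegEvent]:
    events = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            events.append(RegEvent("set", m["path"], m["data"], m["proc"]))
            continue
        m = QUERY_RE.match(line)
        if m:
            events.append(RegEvent("query", m["path"], None, m["proc"]))
    return events


def run_persistence(events: List[RegEvent]) -> Dict[str, dict]:
    """Group Run-key writes by value name. The report escapes backslashes in data
    ("C:\\\\Users"), so they are collapsed before the path is examined."""
    grouped = defaultdict(lambda: {"exe": set(), "switches": set(), "procs": set()})
    for ev in events:
        if ev.op != "set" or "\\currentversion\\run\\" not in ev.path.lower():
            continue
        name = ev.path.rsplit("\\", 1)[1]
        m = EXE_RE.match(ev.data.replace("\\\\", "\\"))
        if not m:
            continue
        grouped[name]["exe"].add(m["exe"])
        if m["args"]:
            grouped[name]["switches"].add(m["args"])
        grouped[name]["procs"].add(ev.proc)
    return {n: {"exe": g["exe"], "switches": sorted(g["switches"]), "procs": sorted(g["procs"])}
            for n, g in grouped.items()}


def analyse(events: List[RegEvent]):
    """Return (technique_id, message) findings; the technique mapping is an assumption."""
    findings = []
    for ev in events:
        p = ev.path.lower()
        if ev.op == "set" and p.endswith(r"\explorer\advanced\showsuperhidden") and ev.data == "0":
            findings.append(("T1564.001", f"{ev.proc} set ShowSuperHidden=0 (re-hides protected OS files in Explorer)"))
        elif ev.op == "query" and p.endswith(r"\control panel\international\geo\nation"):
            findings.append(("T1614", f"{ev.proc} read Geo\\Nation (configured country; possible geofence)"))
    for name, info in run_persistence(events).items():
        for exe in sorted(info["exe"]):
            where = "user-profile root" if PROFILE_ROOT_RE.match(exe) else "elsewhere"
            findings.append(("T1547.001", f"Run\\{name} -> {exe} ({where}; {len(info['switches'])} distinct "
                                          f"switches; written by {', '.join(info['procs'])})"))
    return findings


if __name__ == "__main__":
    for tid, msg in analyse(parse(SAMPLE)):
        print(tid, msg)
```

Run against the full 29-entry table, the Run\jiizob grouping shows the same binary being re-registered with a different single-letter switch on every write, which is a far stronger pivot for hunting than any one of the 29 lines on its own; the switch set per value name is what to key a detection on, not the individual data string.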
Suspicious use of SetThreadContext (2 IoCs)
description | pid | process | procid_target
PID 4892 set thread context of 4288 | 4892 | aahost.exe | 94
PID 4940 set thread context of 2792 | 4940 | bshost.exe | 100
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Enumerates processes with tasklist (1 TTPs, 3 IoCs)
pid | process
392 | tasklist.exe
4720 | tasklist.exe
4912 | tasklist.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 entries are repeated pid/process pairs from three processes:
pid | process | entries
4516 | LB9c4j3K.exe | 4
1496 | jiizob.exe | 34
4288 | aahost.exe | 26
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 392 | tasklist.exe
Token: SeDebugPrivilege | 4940 | bshost.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | process
3120 | 5f9127245473fbfdab735869bce40d88.exe
4516 | LB9c4j3K.exe
1496 | jiizob.exe
4892 | aahost.exe
532 | dyhost.exe
392 | ekhost.exe

Suspicious use of WriteProcessMemory (36 IoCs)
The 36 entries are repeated parent-to-child writes; the "entries" column gives the repeat count.
description | pid | process | procid_target | entries
PID 3120 wrote to memory of 4516 | 3120 | 5f9127245473fbfdab735869bce40d88.exe | 26 | 3
PID 4516 wrote to memory of 1496 | 4516 | LB9c4j3K.exe | 99 | 3
PID 4516 wrote to memory of 4896 | 4516 | LB9c4j3K.exe | 98 | 3
PID 4896 wrote to memory of 392 | 4896 | cmd.exe | 96 | 3
PID 3120 wrote to memory of 4892 | 3120 | 5f9127245473fbfdab735869bce40d88.exe | 95 | 3
PID 4892 wrote to memory of 4288 | 4892 | aahost.exe | 94 | 8
PID 3120 wrote to memory of 4940 | 3120 | 5f9127245473fbfdab735869bce40d88.exe | 93 | 3
PID 4940 wrote to memory of 2792 | 4940 | bshost.exe | 100 | 4
PID 3120 wrote to memory of 532 | 3120 | 5f9127245473fbfdab735869bce40d88.exe | 102 | 3
PID 3120 wrote to memory of 392 | 3120 | 5f9127245473fbfdab735869bce40d88.exe | 111 | 3
Processes
(indentation shows parent/child depth; "cmdline" is the command line as captured)

PID 3120  C:\Users\Admin\AppData\Local\Temp\5f9127245473fbfdab735869bce40d88.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\5f9127245473fbfdab735869bce40d88.exe"
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
    PID 4516  C:\Users\Admin\LB9c4j3K.exe
              cmdline: C:\Users\Admin\LB9c4j3K.exe
              - Modifies visibility of hidden/system files in Explorer
              - Checks computer location settings
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
        PID 4896  C:\Windows\SysWOW64\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" /c tasklist&&del LB9c4j3K.exe
                  - Suspicious use of WriteProcessMemory
        PID 1496  C:\Users\Admin\jiizob.exe
                  cmdline: "C:\Users\Admin\jiizob.exe"
                  - Modifies visibility of hidden/system files in Explorer
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of SetWindowsHookEx
    PID 4940  C:\Users\Admin\bshost.exe
              cmdline: C:\Users\Admin\bshost.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
        PID 2792  C:\Windows\SysWOW64\cmd.exe
                  cmdline: "C:\Windows\system32\cmd.exe"
    PID 4892  C:\Users\Admin\aahost.exe
              cmdline: C:\Users\Admin\aahost.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
    PID 532   C:\Users\Admin\dyhost.exe
              cmdline: C:\Users\Admin\dyhost.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
    PID 392   C:\Users\Admin\ekhost.exe
              cmdline: C:\Users\Admin\ekhost.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        PID 4764  C:\Windows\SysWOW64\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe
    PID 3364  C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /c tasklist&&del 5f9127245473fbfdab735869bce40d88.exe

PID 4288  C:\Users\Admin\aahost.exe
          cmdline: "C:\Users\Admin\aahost.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses

PID 392   C:\Windows\SysWOW64\tasklist.exe
          cmdline: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

PID 4720  C:\Windows\SysWOW64\tasklist.exe
          cmdline: tasklist
          - Enumerates processes with tasklist

PID 4912  C:\Windows\SysWOW64\tasklist.exe
          cmdline: tasklist
          - Enumerates processes with tasklist
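Two things in the process tree deserve to be read together with the SetThreadContext and WriteProcessMemory tables. First, every ordinary process creation in this report already shows up as a run of parent-to-child memory writes (3120 into 4516, 4516 into 4896, and so on), so a write on its own is weak evidence; the pairs that also carry a SetThreadContext (aahost.exe 4892 into a second aahost.exe 4288, and bshost.exe 4940 into cmd.exe 2792) are the ones that match the suspended-child, write, set-context sequence of process hollowing, and 4288 is also where the UPX-tagged memory dumps come from. Second, three of the cmd.exe children run "/c tasklist&&del <file>": tasklist is there to burn time until the launching process has exited and released its file lock, after which del removes the dropped binary. The script below is an added example written for this page, not Triage's code: it reconstructs both relationships from a process table and the report's own "PID X wrote to memory of Y" / "PID X set thread context of Y" lines. The process table and event lines are constructed from the tables above (duplicate entries dropped); the regexes are this example's assumptions.

```python
"""Find hollowing candidates and self-deleting droppers in a Triage-style report.
Added example for this page; not Triage tooling. Inputs are constructed from the report."""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed from the process tree above: PID -> (image path, command line).
PROCS: Dict[int, Tuple[str, str]] = {
    3120: (r"C:\Users\Admin\AppData\Local\Temp\5f9127245473fbfdab735869bce40d88.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\5f9127245473fbfdab735869bce40d88.exe"'),
    4516: (r"C:\Users\Admin\LB9c4j3K.exe", r"C:\Users\Admin\LB9c4j3K.exe"),
    4896: (r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c tasklist&&del LB9c4j3K.exe'),
    1496: (r"C:\Users\Admin\jiizob.exe", r'"C:\Users\Admin\jiizob.exe"'),
    4940: (r"C:\Users\Admin\bshost.exe", r"C:\Users\Admin\bshost.exe"),
    2792: (r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    4892: (r"C:\Users\Admin\aahost.exe", r"C:\Users\Admin\aahost.exe"),
    4288: (r"C:\Users\Admin\aahost.exe", r'"C:\Users\Admin\aahost.exe"'),
    392:  (r"C:\Users\Admin\ekhost.exe", r"C:\Users\Admin\ekhost.exe"),
    4764: (r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe'),
    3364: (r"C:\Windows\SysWOW64\cmd.exe",
           r'"C:\Windows\System32\cmd.exe" /c tasklist&&del 5f9127245473fbfdab735869bce40d88.exe'),
}

# Constructed from the SetThreadContext / WriteProcessMemory tables (repeats removed).
XPROC_LINES = """
PID 4892 set thread context of 4288 4892 aahost.exe 94
PID 4940 set thread context of 2792 4940 bshost.exe 100
PID 3120 wrote to memory of 4516 3120 5f9127245473fbfdab735869bce40d88.exe 26
PID 4516 wrote to memory of 1496 4516 LB9c4j3K.exe 99
PID 4516 wrote to memory of 4896 4516 LB9c4j3K.exe 98
PID 4896 wrote to memory of 392 4896 cmd.exe 96
PID 3120 wrote to memory of 4892 3120 5f9127245473fbfdab735869bce40d88.exe 95
PID 4892 wrote to memory of 4288 4892 aahost.exe 94
PID 3120 wrote to memory of 4940 3120 5f9127245473fbfdab735869bce40d88.exe 93
PID 4940 wrote to memory of 2792 4940 bshost.exe 100
"""

# "PID <src> <op> <dst> <src> <image> <procid_target>" as the report prints it (assumed layout).
XPROC_RE = re.compile(r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
                      r"(?P<dst>\d+) (?P=src) (?P<img>\S+) (?P<tgt>\d+)$")
# The dropper's self-delete idiom: cmd /c tasklist&&del <file>
SELF_DEL_RE = re.compile(r"/c\s+tasklist\s*&&\s*del\s+(?P<target>\S+)", re.I)


def parse_xproc(text: str) -> Dict[Tuple[int, int], set]:
    """Return {(src_pid, dst_pid): {'write', 'ctx'}} from the cross-process lines."""
    ops = defaultdict(set)
    for line in text.strip().splitlines():
        m = XPROC_RE.match(line)
        if m:
            op = "ctx" if m["op"].startswith("set thread") else "write"
            ops[(int(m["src"]), int(m["dst"]))].add(op)
    return ops


def hollowing_candidates(ops, procs) -> List[Tuple[int, int, str, str, bool]]:
    """Pairs where the parent both wrote into the child and replaced its thread context.
    Returns (src, dst, src_image, dst_image, same_image); a plain write is ignored because
    normal process creation produces one too."""
    out = []
    for (src, dst), seen in sorted(ops.items()):
        if seen == {"write", "ctx"} and src in procs and dst in procs:
            s_img, d_img = ntpath.basename(procs[src][0]), ntpath.basename(procs[dst][0])
            out.append((src, dst, s_img, d_img, s_img.lower() == d_img.lower()))
    return out


def self_delete_targets(procs) -> Dict[int, Tuple[str, List[int]]]:
    """Map each 'tasklist&&del X' cmd.exe to X and to the PID(s) whose image name is X."""
    by_name = defaultdict(list)
    for pid, (img, _) in procs.items():
        by_name[ntpath.basename(img).lower()].append(pid)
    out = {}
    for pid, (_, cmd) in procs.items():
        m = SELF_DEL_RE.search(cmd)
        if m:
            out[pid] = (m["target"], sorted(by_name.get(m["target"].lower(), [])))
    return out


if __name__ == "__main__":
    for src, dst, s_img, d_img, same in hollowing_candidates(parse_xproc(XPROC_LINES), PROCS):
        print(f"hollowing candidate: {src} {s_img} -> {dst} {d_img}{' (fresh copy of itself)' if same else ''}")
    for pid, (target, victims) in self_delete_targets(PROCS).items():
        print(f"cmd.exe {pid} deletes {target}, image of PID(s) {victims}")
```

Note the PID reuse in the report: 392 is both ekhost.exe (a dropped EXE) and a tasklist.exe instance, so any script that keys on PID alone across the whole run will conflate them; keying on (PID, image) or on the procid_target column is safer when the two tables are joined.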
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 92KB
MD5: 5fc8235bf7463fc8dc2dbfbc5071487b
SHA1: e8d816dc0fb397484883c13a48208508ccf73519
SHA256: bd16d2f2758c6e5b79e2fe9255412c1691c0c23deeed52779fdf7a9600abf277
SHA512: 0f78d9897584b3f4ca2629bdfad0d95830521235e933cfc780e60a6fcec6c2f4a80a1816f28aa33457ebeffbf887510e3ffc9037a1284e3a47f4e6bb88b36bdf

Filesize: 764KB
MD5: e381b04abf596ed1573154cd41f418dc
SHA1: 2ad1df7bebf1e4c0715adbf76c8c14b9162edf2e
SHA256: 02b08664fcc196f15ff0e33e7ed43e9e78af7b564e3f7c5388dd7d0267905fe6
SHA512: 44307e60bdc804b3abe710a21e2268960dcc9d29671cf8ce723e40721b6b38ae338c49cd1b9cfd4fa8fa4f644cc80414baeb70f136f39f73833f8373f8180858

Filesize: 24KB
MD5: 9fe0e5252dc24fc1788b0d8b26026807
SHA1: 21e3063a0fac1157b9707861048c5f7fbd070ceb
SHA256: 9c99c968d969c2d5c1570c6066957d726bc19ffe9e0562242ce1bf79514c1b40
SHA512: 613f5c821dfcef8124ecb7c9b118cda14be4d72a26f1a21ffde81c4d8aae4f315740d66c298e5963b0647f0ecd9e2d63d9bbb8df4e0c731019896e7ac0391d5c

Filesize: 92KB
MD5: 2812aff3bc179ef18e550ea16f5af933
SHA1: ee409fd42b7d44eeb284fe93a3a2127c7a5cc0ed
SHA256: 948363a98a1aa03c9c593029f6f6a54156589c4681fd88c157da9c87d2ad0f78
SHA512: 6375096e708fff88019679bb215b074e47f58eab67fe51e9d64e4d62839534a74a05def573c47d8f8964f19fb7deaa60997d8420c1fd51279f828fa2129fbb3f