Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

5b22ffad0a...6b.exe

windows7-x64

7

5b22ffad0a...6b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    11s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/01/2024, 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5b22ffad0a238d71952d60010852386b.exe

  • Size

    442KB

  • MD5

    5b22ffad0a238d71952d60010852386b

  • SHA1

    031e873003ac4380004269b6f22d2dfc1581bacd

  • SHA256

    a88b53bcd90870eccd0429e4232ce4b4eb11745117248397fa4d40a8d85d0e8e

  • SHA512

    d57b20b531e6a0a1a78f4571d129a126e949ad71c9f3385164f83436818d74cfa00cfb8c084407e3b616d9627d3e9767ddfbbe78358d7b75bb812f2e8e8de68d

  • SSDEEP

    12288:w61aABLUzgOw6UVnYtsAXejgrqHUvZmVxF2:LpVaUVnYtsAu8u1

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Views/modifies file attributes 1 TTPs 11 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b22ffad0a238d71952d60010852386b.exe
    "C:\Users\Admin\AppData\Local\Temp\5b22ffad0a238d71952d60010852386b.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\windows\ime\125.bat
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1400
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /t /im ksafetray.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1776
      • \??\c:\windows\ime\rar.exe
        "c:\windows\ime\Rar.exe" e -y -ping c:\windows\ime\usbhard.rar c:\windows\ime\
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4956
      • \??\c:\windows\ime\systen.exe
        c:\windows\ime\systen.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2760
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c c:\windows\ime\ok1.bat
          4⤵
            PID:2352
            • \??\c:\windows\web\lsoss.exe
              c:\windows\web\lsoss.exe
              5⤵
                PID:5044
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\windows\ime\00.vbs"
            3⤵
              PID:2204
            • C:\Windows\SysWOW64\attrib.exe
              attrib +H +R g:\setprter
              3⤵
              • Views/modifies file attributes
              PID:1820
            • C:\Windows\SysWOW64\attrib.exe
              attrib +H +R h:\setprter
              3⤵
              • Views/modifies file attributes
              PID:408
            • C:\Windows\SysWOW64\attrib.exe
              attrib -H -R h:\~1
              3⤵
              • Views/modifies file attributes
              PID:884
            • C:\Windows\SysWOW64\attrib.exe
              attrib -H -R g:\~1
              3⤵
              • Views/modifies file attributes
              PID:2232
            • C:\Windows\SysWOW64\attrib.exe
              attrib +H +R f:\setprter
              3⤵
              • Views/modifies file attributes
              PID:4680
            • C:\Windows\SysWOW64\attrib.exe
              attrib -H -R f:\~1
              3⤵
              • Views/modifies file attributes
              PID:2204
            • C:\Windows\SysWOW64\attrib.exe
              attrib +H +R e:\setprter
              3⤵
              • Views/modifies file attributes
              PID:2740
            • C:\Windows\SysWOW64\attrib.exe
              attrib -H -R e:\~1
              3⤵
              • Views/modifies file attributes
              PID:980
            • C:\Windows\SysWOW64\attrib.exe
              attrib +H +R d:\setprter
              3⤵
              • Views/modifies file attributes
              PID:4492
            • C:\Windows\SysWOW64\attrib.exe
              attrib -H -R d:\~1
              3⤵
              • Views/modifies file attributes
              PID:4516
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\11a.bat
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4364
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              3⤵
              • Runs ping.exe
              PID:4560
            • C:\Windows\SysWOW64\attrib.exe
              attrib -S -H c:\ma.exe
              3⤵
              • Views/modifies file attributes
              PID:3108
        • C:\windows\ime\rar.exe
          "C:\windows\ime\Rar.exe" e -y -ping C:\windows\ime\ok.rar c:\windows\web\
          1⤵
            PID:980
          • C:\Windows\system32\wbem\scrcons.exe
            C:\Windows\system32\wbem\scrcons.exe -Embedding
            1⤵
              PID:4488
              • C:\Windows\IME\systen.exe
                "C:\Windows\IME\systen.exe"
                2⤵
                  PID:2868
                • C:\Windows\IME\systen.exe
                  "C:\Windows\IME\systen.exe"
                  2⤵
                    PID:3184

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\11a.bat
                  Filesize

                  226B

                  MD5

                  c5b668ed624cf3fcd5e6b033b1afe672

                  SHA1

                  836df8c8b2bc10a26ef0fa8c1720447be9600ab7

                  SHA256

                  c10007d28ae7e188900a52b4b30a1e3392440dce1a5264c442a53b4ba35b581f

                  SHA512

                  274d894a64fc1ed3d3c82dccb5418e6e83ec94ad43a4ebd7101cf1dedcbf92366ff2714ab5123a2f1623cea137268377f9e3268fb4e757dfa9de61802494c671

                  Download Submit

                • C:\Windows\IME\00.vbs
                  Filesize

                  57KB

                  MD5

                  12149987af581b174ffd2a6cdfe3381b

                  SHA1

                  0c5c2cb3014b1c730bf9fcc2338abbb1c0528ed1

                  SHA256

                  11009a1bd14dda33b937aa4904d739025d2d98c5f05e1235d9f531d4f6812ce9

                  SHA512

                  d3ffe1675b4fda94400c44caf73ed443ea88fca8cd96fefd10a1cb6f8e79f3b3654789a36b860620b3b33863c3245e9f15bd43e82087f242b1f02f4a1dc5999e

                  Download Submit

                • C:\Windows\IME\rar.exe
                  Filesize

                  310KB

                  MD5

                  0a5680183c0089a64621e211917664d8

                  SHA1

                  8525d73c99e28413e97a094c99950e1806786246

                  SHA256

                  c7d6bfe9d26d1ecdd9f2e7f3f892a4d32030949937f86938edcb1995655c2814

                  SHA512

                  b843b8994c764c3761bef8d34eefb312c9d9567b3f4aadc38008caf42d0cdb82c33276203e4210adcc1e8c567268ebdf01a0a1e839694811932889ac971bb051

                  Download Submit

                • C:\Windows\IME\systen.exe
                  Filesize

                  104KB

                  MD5

                  4d60faf0ab503e00d0470d21a018109d

                  SHA1

                  d4e47f6a1b8e6c40cac91f683c0d1dfa0161c364

                  SHA256

                  ec61669f8c6e1cccf1a2ee6dfca852a73b05c7f1ca9dd974e2af1525dbfc0d55

                  SHA512

                  ebfcaa50899be339a4bef98e60274c4ce338c835028bdbaa08ab481dfe2798b13fe9691dc4ad35b2b90ca31feeca2919dc6b89db9ec27294d958b999af4d6e64

                  Download Submit

                • C:\Windows\IME\systen.exe
                  Filesize

                  669KB

                  MD5

                  3e5c5570bdd844ac8737629281158480

                  SHA1

                  25915fa51c4d3f2826c024a53195bc188158aca0

                  SHA256

                  a272adfd6d8c3a19937cb79216decd88dc88aa80b2cd29cbf1fdc0b52104beaa

                  SHA512

                  3ea8478f4a2a38eecd35216245e1eaa1c0f1e0dffb479cd82d4adefaee672c48a14a85fcdf3e3ba57414f85828cf6cb25f2540c61b85d501c2aeceb62af0a572

                  Download Submit

                • C:\Windows\IME\systen.exe
                  Filesize

                  610KB

                  MD5

                  7cc94161e6eff8ff71fc4632a7f29402

                  SHA1

                  154a27333872761f2da366dd1c19f71c515d1167

                  SHA256

                  e2a82289fc05abb5ed9adafe07e5ccdf246e87dd670765d358e87c98702d0dc6

                  SHA512

                  d002b54f6df78d519847914a3cd9872ec6f8ed02eb8df5b169d41d3cd8a8e7fe2453cc2edb505ded791573cbbe9f386513e2be19787b8b830d763c32ce66004f

                  Download Submit

                • C:\Windows\Web\lsoss.exe
                  Filesize

                  263KB

                  MD5

                  1a7e3aaa48236b6f5f708cc2ec581205

                  SHA1

                  c691ac732c4d6eef86890db83a1c514a3c9c9183

                  SHA256

                  4a4145eab5f0b6665b2e42dab1b2b20779e9d8d9bac2774c11cff0c69adf13f3

                  SHA512

                  d8bc86254db09ed73c9621d5267f28bbbb454df25e50c9602870a4d984bc37f74fc4b17b1f26605f1a9cf88f8334700c6164c64635bd13ea9ad50726cb8e9aa7

                  Download Submit

                • C:\windows\ime\00.vbs
                  Filesize

                  391KB

                  MD5

                  8057f88dd672fa05e5e5dbeacdcd0737

                  SHA1

                  8492baf32833d00fa6ea8a412d3999342300b8e1

                  SHA256

                  70eee972629390ee0466efdb166ccc26e6a8d3946ca2b619aefcd363b9a608cf

                  SHA512

                  dceee583e8ff8aaf847dcb32f707ed1f0ddeafd1a94d036c0af7990f994e72d0ae9ea1a62ca9eafbe86679c54d2f1bc6ce88d12a326f98452769eeaac9af88e7

                  Download Submit

                • C:\windows\ime\md5.txt
                  Filesize

                  806B

                  MD5

                  b871fe74597f5cb4116bc4075633c8b1

                  SHA1

                  6517e5738579d67dcb09bc0e25fab0f6b723d7e4

                  SHA256

                  48ce1c40121e71173d2d5908d2c6d76e66704679a2106e0b1d5ca7b32ad00b0a

                  SHA512

                  6900c7858c4a559cce7bf39648e7a671d3b8a96d46fd0a295aac8fd70d353ed4bc5d5da47620a140bc2cfd2e21d15b977059ce9a9712fcaba17367eb4d39a3b2

                  Download Submit

                • C:\windows\ime\ok.rar
                  Filesize

                  266KB

                  MD5

                  0e613f2d4f256de6a97d4fb2dfddd2a6

                  SHA1

                  46a040447ba9887a99cdafeb636bee9d89341b09

                  SHA256

                  7beb29fefc719dd8c93484a44e92c7e765383cf8df9df9c29ca6fa745d53e074

                  SHA512

                  0c7e88e2142ef936fea918fc485122330842a1c743632b96feecfc04a5918ba76d311575e5defe25ba63bb2047311b3f53035fd76497523ec4339d051c6b2050

                  Download Submit

                • \??\c:\windows\ime\00.txt
                  Filesize

                  142KB

                  MD5

                  a2dd00710d7cd43c8c47b45f34e8b44f

                  SHA1

                  48606ae8607995e286340a14b131bf0c34fd214d

                  SHA256

                  7f305c00470fb2a7c5692e13597dd6a29a92aee2adb3d7234b8e0042ed8cedc1

                  SHA512

                  b05ff16b94d74d7051a68d035131e22812ce6ae0ddaefb9f3aae8eea13858c7f86e7c0204b4b2fc5639bd766af425ed84f051cea04ccf9f95ddb23b2adca35a5

                  Download Submit

                • \??\c:\windows\ime\125.bat
                  Filesize

                  1KB

                  MD5

                  035e07735205d1aac8c9553c957c1feb

                  SHA1

                  e9dc50bc762882a63a1d3a20642b6f32113a5b96

                  SHA256

                  b4eec69f711d4b18ea51a888a5aeb6698842a727f0ed2e749e0740e57094bdb5

                  SHA512

                  cf3abfd74dd3347970b233e6f44e77585699dd50abf10cebd0e4e17ff9be2f22fad8a29dc367b363e8f0577fba400ce3d4e2195f3f0a1f4e5653ec21fed72024

                  Download Submit

                • \??\c:\windows\ime\ok1.bat
                  Filesize

                  360B

                  MD5

                  f38e24920e7c9520b8f5e37a6509a5be

                  SHA1

                  fb5bc29edad40738582917711458e146e417e125

                  SHA256

                  ef8e7af75bb2f474d9a7df2ebec6bbe7d22ebd848f95cc1f26a23a0f20fa1cdd

                  SHA512

                  5f57dac2f0125ef2d7feb480b57a93440344199972cdcf154799837c004eaf7abcdacc35fa258fd1515499539e0a4c023dac4875eec6dc4d2b7cda26bc068800

                  Download Submit

                • \??\c:\windows\ime\systen.exe
                  Filesize

                  269KB

                  MD5

                  10c19212478e4e7558b8581020a60631

                  SHA1

                  5864c402941f87c8666cacb73154d932ac654684

                  SHA256

                  1e34f27d5d063e5a83210fa75c826370cc71cfc66b3833737ec75901112ef2cf

                  SHA512

                  8118151eb31b37315f697e05e16f129b4a1e6af93868c2bbf55c415ebda61cdd1d7a7925656d2ae4145786562c80a2c7aedb9158816438e0cfe46ee26fd7dc7b

                  Download Submit

                • \??\c:\windows\ime\systen.txt
                  Filesize

                  2.4MB

                  MD5

                  7dcac5ed19ded29e3800920881c4868a

                  SHA1

                  49778397e3c9186884b016f77af09aca1118f50d

                  SHA256

                  1bbf2bca25ebd0f0d0d65566d37312d8197332c6b0b74da1bb245c8da2c5d39a

                  SHA512

                  67b330125c22ca8f98da3111652e518aa9bc6fbc1c5b5491f670d6c758b0842d00f21c33085c2c2301e29a35ca1b425ff9e228689f05b28877958f6b52d841a0

                  Download Submit

                • \??\c:\windows\ime\usbhard.rar
                  Filesize

                  5KB

                  MD5

                  394fae3c2a908e0a9d7a5b1ff1fea0d1

                  SHA1

                  b9f3332acfa58b401f35fc3aa4aaee23fcdb91ae

                  SHA256

                  c61298d4c55156a95e61522a3f0bd0f381eec23455c73005f1e0133d01fe1d72

                  SHA512

                  308fb917051e8792741852e0d74a955ea0b3b7e75219c0a43e17cfef7e57a2d48dc5cf4ea76f7de404f0f5d0ece4bd7df267762a215bcc594f8c80f733f105fa

                  Download Submit

                • \??\c:\windows\web\lsoss.exe
                  Filesize

                  358KB

                  MD5

                  0c3e631a8bacf7dba786085a62fd332c

                  SHA1

                  5f0cae565140a570eb230a04f0a3112666c503f4

                  SHA256

                  7899f52d1a62cb2137bd95c6c828c371bcc21143b21c1edef02503203b723d0d

                  SHA512

                  ebadd38c5d3e187277d4faaf84bf94e9bc44fb788e05c964df9be0867703576c3936e1a6a93f8ac6432419ca497bf802548b64705271ede9bca4ae1a3322143f

                  Download Submit

                • \??\c:\windows\web\lsoss.txt
                  Filesize

                  354KB

                  MD5

                  177468e1b59e2b56264047795cddd88c

                  SHA1

                  d070fd60f1ffcececc6c2b6d3321e77f7ec00b72

                  SHA256

                  b59b82cb4d39181d9beb116407222cb9688650f6ef25bcbcff4e9ff3d92af17b

                  SHA512

                  c754dcaa500ae858504c70274b3037af78358d5dcf1c724055217e35ef90ccaa66ae213fb7f2f5e47eee86ac318a4f32969e8ecc696ba13fd4fcf4e8891401a9

                  Download Submit

                • memory/980-49-0x0000000000400000-0x0000000000460000-memory.dmp

                  Filesize

                  384KB

                  Download

                • memory/3572-26-0x0000000000400000-0x00000000004A2000-memory.dmp

                  Filesize

                  648KB

                  Download

                • memory/3572-0-0x0000000000400000-0x00000000004A2000-memory.dmp

                  Filesize

                  648KB

                  Download

                • memory/3572-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

                  Filesize

                  12KB

                  Download

                • memory/4956-20-0x0000000000400000-0x0000000000460000-memory.dmp

                  Filesize

                  384KB

                  Download

                • memory/5044-59-0x0000000002210000-0x0000000002211000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/5044-57-0x0000000000400000-0x00000000004B7000-memory.dmp

                  Filesize

                  732KB

                  Download

                • memory/5044-58-0x0000000000620000-0x0000000000621000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/5044-60-0x0000000000400000-0x00000000004B7000-memory.dmp

                  Filesize

                  732KB

                  Download

                • memory/5044-61-0x0000000000620000-0x0000000000621000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/5044-63-0x0000000002210000-0x0000000002211000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/5044-71-0x0000000000400000-0x00000000004B7000-memory.dmp

                  Filesize

                  732KB

                  Download

                • memory/5044-72-0x0000000000400000-0x00000000004B7000-memory.dmp

                  Filesize

                  732KB

                  Download