Analysis

  • max time kernel
    153s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/03/2024, 14:15

General

  • Target

    b255d021f8154ff50c4d660af3d2add2.exe

  • Size

    57KB

  • MD5

    b255d021f8154ff50c4d660af3d2add2

  • SHA1

    95bd59977f59169796085fee6ee8ce16a88f0dc1

  • SHA256

    d765fe9a2d98bf50348be276eb608aefc9fefd360c98550569b874cf4f7846b7

  • SHA512

    6ae65532414baf189f15e90effc2ce340df3d68e4bedb5185a71ffe647b680bb00abf3c22d8dae999d33c912ec32c6d4dcbed97e0f9f392f4ac7c9a49283b01c

  • SSDEEP

    1536:y16Gj+WVFGsh8p8Txzn2yh/ofBFt5CBKma:kpjdFGE1n16OLa

Score
8/10

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 60 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe
    "C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\comeback_197.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3620
        • C:\PROGRA~1\INTERN~1\iexplore.exe
          C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?71628
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4960
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4960 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2916
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
          4⤵
          PID:3792
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
          4⤵
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:4748
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
            5⤵
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            PID:4856
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
            5⤵
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            PID:3536
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f
            5⤵
            PID:772
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
            5⤵
            • Modifies registry class
            PID:3604
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
            5⤵
            • Modifies registry class
            PID:1784
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
            5⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:1656
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
            5⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:1708
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
            5⤵
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4024
            • C:\Windows\SysWOW64\runonce.exe
              "C:\Windows\system32\runonce.exe" -r
              6⤵
              • Checks processor information in registry
              • Suspicious use of WriteProcessMemory
              PID:3688
              • C:\Windows\SysWOW64\grpconv.exe
                "C:\Windows\System32\grpconv.exe" -o
                7⤵
                PID:4268
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 D:\VolumeDH\inj.dat,MainLoad
            5⤵
            PID:4036
    • C:\Users\Admin\AppData\Local\Temp\inl6FCE.tmp
      C:\Users\Admin\AppData\Local\Temp\inl6FCE.tmp
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3896
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl6FCE.tmp > nul
        3⤵
        PID:2632
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B255D0~1.EXE > nul
      2⤵
      PID:2120
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4968

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\j7c4o4u\imagestore.dat

                  Filesize

                  1KB

                  MD5

                  76243e7defac3199a00e8c291c73a790

                  SHA1

                  08b3f4906687c90385e18c58862bdd6312c289ee

                  SHA256

                  54c7b42959deb4115cf98da16d0b98e048fff3c0868d40a57d06620b2447cffb

                  SHA512

                  6042a67f337fa0f499476c5556e46291e3904493ee42011de8b2fb2d21567c53b24157259fad84113336104afb81fdd245bb5d485a6541688eeb546445617841

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\suggestions[1].en-US

                  Filesize

                  17KB

                  MD5

                  5a34cb996293fde2cb7a4ac89587393a

                  SHA1

                  3c96c993500690d1a77873cd62bc639b3a10653f

                  SHA256

                  c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                  SHA512

                  e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\favicon[1].ico

                  Filesize

                  1KB

                  MD5

                  7ef1f0a0093460fe46bb691578c07c95

                  SHA1

                  2da3ffbbf4737ce4dae9488359de34034d1ebfbd

                  SHA256

                  4c62eef22174220b8655590a77b27957f3518b4c3b7352d0b64263b80e728f2c

                  SHA512

                  68da2c2f6f7a88ae364a4cf776d2c42e50150501ccf9b740a2247885fb21d1becbe9ee0ba61e965dd21d8ee01be2b364a29a7f9032fc6b5cdfb28cc6b42f4793

                • C:\Users\Admin\AppData\Local\Temp\comeback_197.bat

                  Filesize

                  53B

                  MD5

                  23962a245f75fe25510051582203aff1

                  SHA1

                  20832a3a1179bb2730194d2f7738d41d5d669a43

                  SHA256

                  1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647

                  SHA512

                  dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

                • C:\Users\Admin\AppData\Local\Temp\inl6FCE.tmp

                  Filesize

                  1.2MB

                  MD5

                  3d2492610c982c00c183be4f06dfc9de

                  SHA1

                  0ed4cced1b00c893efe924bc16cc1429fdc793e9

                  SHA256

                  b812174c1b53f53fd7406c0d0e3224adb2ad069e5a9f9159fb37f750ae0debd5

                  SHA512

                  390bdfe0c9eeca641c05872c6af56d2551f1c69af60b61943cf054709ab225a8458adf30c7d484a153b6effff4a0fb636942fe5de9620641b3e2caf78dd45744

                • C:\Users\Admin\AppData\Local\Temp\inl6FCE.tmp

                  Filesize

                  807KB

                  MD5

                  d90be79fa8940c4ffd039c6853d01a2b

                  SHA1

                  587e14407d07474592494c6d62faee0f865870a6

                  SHA256

                  ea3415e6ccc21f7d149662ef91154d74c530a5f6f38a3e5ca7f813ff58a01f37

                  SHA512

                  d009defea234a0f49761c816a881e77c3448c068b7e479a59ca901c99717fd4225894f042a487cd02e66765afe1d5c367904bbc477d5101937e7a897d1751b18

                • C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

                  Filesize

                  660B

                  MD5

                  d980f89e4088711df685a0aa09e8f5a7

                  SHA1

                  dde805f4fa5e016e122e4240e20ff844113717d7

                  SHA256

                  28f62bd59962d06d903ea079466c66985caa306251717235a0d470a1b0f62d09

                  SHA512

                  fa2a669d846081d71dcada405d3c4bdb92229ba2b4a9f8fd4e461d7c4d51012d3d3b893466f814c8178b9980119703d1a3f7eafeff281a2eb75465e504df9ee9

                • C:\Users\Admin\AppData\Roaming\PPLive\1.bat

                  Filesize

                  3KB

                  MD5

                  286fe459674aef6eee17f6ac79a15fdb

                  SHA1

                  233dc43099c575a67b05fc1076e676324fd6e63d

                  SHA256

                  872cc596dc1fe6d5a131129bd84c2a76d6874e9c57ab2cd792d4d12b6f014fd2

                  SHA512

                  c9acc4a134001da76e7ae6aa5ae65ce58501942dfc1f80959ae4db27c06010db753c9d115eedbe0b2b0e30dd5c4dcd1d32816493b053c65cee81d3a343c87314

                • C:\Users\Admin\AppData\Roaming\PPLive\1.inf

                  Filesize

                  492B

                  MD5

                  34c14b8530e1094e792527f7a474fe77

                  SHA1

                  f71c4e9091140256b34c18220d1dd1efab1f301d

                  SHA256

                  fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

                  SHA512

                  25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

                • C:\Users\Admin\AppData\Roaming\PPLive\2.bat

                  Filesize

                  3KB

                  MD5

                  d4917ae9072a10d8e12ef3b282b25b3b

                  SHA1

                  bd9ec6c6395997525ec7c15ecca2f115573cc14c

                  SHA256

                  6f7649988962c61ac7644262ee6082ef352bbb00cb155a3f4ef0467fbdf1c67b

                  SHA512

                  c6ed3119e008191ad56050f6b72a2d64e908c57e80fd0c252b8b1947cf091644c83b6bc16c56d6e2153579eb3e8711c8cd608977426a0906d56a7713bfca309d

                • C:\Users\Admin\AppData\Roaming\PPLive\2.inf

                  Filesize

                  247B

                  MD5

                  ca436f6f187bc049f9271ecdcbf348fa

                  SHA1

                  bf8a548071cfc150f7affb802538edf03d281106

                  SHA256

                  6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534

                  SHA512

                  d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

                • C:\Users\Admin\AppData\Roaming\PPLive\4.bat

                  Filesize

                  16KB

                  MD5

                  3d15c5ef21f90fffe50d88e328584702

                  SHA1

                  443ef8619f38810b1ad6a98a2d1d15fca492ce71

                  SHA256

                  276b7329bfafa86a50364795b7182431b27034731350c88012290b78c56b05da

                  SHA512

                  3e844392223c684ba4ff4e8b67b091f2ad9ec64bf7484639c488b9c44bd6741376678574c402f2effc960525f3e739eb4ebb0a2493471a42356382018f5852e7

                • C:\Users\Admin\AppData\Roaming\PPLive\╟º═┼═┼╣║.url

                  Filesize

                  20B

                  MD5

                  f14a9f1417503c7dc1dd6759de850312

                  SHA1

                  2647c9cfe611b033824c3998b9e17a69eb7a8d65

                  SHA256

                  8c05d3fb956dac02702a9377d361116e2ad6b2f079e36ada56df98d240cc3d96

                  SHA512

                  677fbe17bd9b318a69aed59af3b81a340cdddbe430e34f7d15b02f279118be65a2c7b7b30618bd8d0331de60d7f15de0e0864c3ed7fb90eef6eeac3187d9c3c1

                • memory/3396-9-0x0000000001450000-0x0000000001453000-memory.dmp

                  Filesize

                  12KB

                • memory/3396-110-0x0000000000FA0000-0x0000000000FC7000-memory.dmp

                  Filesize

                  156KB

                • memory/3396-0-0x0000000000FA0000-0x0000000000FC7000-memory.dmp

                  Filesize

                  156KB

                • memory/3396-5-0x0000000000FA0000-0x0000000000FC7000-memory.dmp

                  Filesize

                  156KB

                • memory/3396-1-0x0000000001450000-0x0000000001453000-memory.dmp

                  Filesize

                  12KB

                • memory/4960-76-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-111-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-79-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-83-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-85-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-86-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-87-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-89-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-90-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-91-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-92-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-78-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-77-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-99-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-102-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-103-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-104-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-74-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-108-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-109-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-73-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-80-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-112-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-113-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-117-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-118-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-119-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-127-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-72-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-129-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-134-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-136-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-138-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-137-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-139-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-141-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-143-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-175-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-176-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-177-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-179-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-71-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-69-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB

                • memory/4960-68-0x00007FF9FB060000-0x00007FF9FB0CE000-memory.dmp

                  Filesize

                  440KB