Analysis
- max time kernel: 146s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/08/2024, 15:39
Behavioral task: behavioral1
- Sample: zbi.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: zbi.exe
- Resource: win10v2004-20240802-en
General
- Target: zbi.exe
- Size: 146KB
- MD5: 6edfb62405f50d7fb16882ca9b16ed36
- SHA1: 73c346267e9527ca5886bf8a90b77f9ebceb58fe
- SHA256: 315d043b99f988ce9d9f69d7225292eb44623a97c1a029933b62ede699fa9f13
- SHA512: b3ea04a001c846af5d93435db055986a448fc5d01e86a9292937ce085609b653d41719111d2d031c8b6694eb01d5856e86f9e1a65e8cdc43af51a8ed3d370d2f
- SSDEEP: 3072:PqJogYkcSNm9V7DGoNK696RTpfnEsCygHQlyT:Pq2kc4m9tDHNK6UlJ9CyN
Malware Config
Signatures
- Renames multiple (651) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation (C218.tmp)
- Deletes itself (1 IoC)
  PID 2852, C218.tmp
- Executes dropped EXE (1 IoC)
  PID 2852, C218.tmp
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini (zbi.exe)
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini (zbi.exe)
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (4 IoCs)
  File created: C:\Windows\system32\spool\PRINTERS\00002.SPL (splwow64.exe)
  File created: C:\Windows\system32\spool\PRINTERS\PPxbml126yedg20b2a8um0d9b5c.TMP (printfilterpipelinesvc.exe)
  File created: C:\Windows\system32\spool\PRINTERS\PPmq0x4s0umb__tzkhrpv_ixt2.TMP (printfilterpipelinesvc.exe)
  File created: C:\Windows\system32\spool\PRINTERS\PP9aox2yx_twdenobs7cguv7e5.TMP (printfilterpipelinesvc.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 2852, C218.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (zbi.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (C218.tmp)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (ONENOTE.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (ONENOTE.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (ONENOTE.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (ONENOTE.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (ONENOTE.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (ONENOTE.EXE)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2044, zbi.exe (64 identical entries)
- Suspicious behavior: RenamesItself (26 IoCs)
  PID 2852, C218.tmp (26 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs), all by PID 2044, zbi.exe
  Tokens adjusted, in order: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege, followed by repeated groups of SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege (64 token adjustments in total).
- Suspicious use of SetWindowsHookEx (13 IoCs)
  PID 3524, ONENOTE.EXE (13 identical entries)
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2044 (zbi.exe) wrote to memory of 4032, procid_target 94 (2 entries)
  PID 1292 (printfilterpipelinesvc.exe) wrote to memory of 3524, procid_target 99 (2 entries)
  PID 2044 (zbi.exe) wrote to memory of 2852, procid_target 100 (4 entries)
  PID 2852 (C218.tmp) wrote to memory of 2632, procid_target 101 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\zbi.exe (PID 2044)
  Command line: "C:\Users\Admin\AppData\Local\Temp\zbi.exe"
  Signatures:
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\splwow64.exe (PID 4032)
    Command line: C:\Windows\splwow64.exe 12288
    Signatures:
    - Drops file in System32 directory
  - C:\ProgramData\C218.tmp (PID 2852)
    Command line: "C:\ProgramData\C218.tmp"
    Signatures:
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\cmd.exe (PID 2632)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C218.tmp >> NUL
      Signatures:
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe (PID 1596)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
- C:\Windows\system32\printfilterpipelinesvc.exe (PID 1292)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  Signatures:
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 3524)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{14EADDA0-16F1-4337-AFEB-A7100AD0D645}.xps" 133682963594660000
    Signatures:
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads