Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10Tear.exe
windows7-x64
10Tear.exe
windows10-2004-x64
10adochi.exe
windows7-x64
7adochi.exe
windows10-2004-x64
7autoit.exe
windows7-x64
10autoit.exe
windows10-2004-x64
6autoit2.exe
windows7-x64
10autoit2.exe
windows10-2004-x64
10autoit3.exe
windows7-x64
10autoit3.exe
windows10-2004-x64
10deviation.exe
windows7-x64
8deviation.exe
windows10-2004-x64
8encoder.exe
windows7-x64
10encoder.exe
windows10-2004-x64
10encoder2.exe
windows7-x64
9encoder2.exe
windows10-2004-x64
encoder3.exe
windows7-x64
10encoder3.exe
windows10-2004-x64
10encoder4.exe
windows7-x64
5encoder4.exe
windows10-2004-x64
5encoder5.exe
windows7-x64
10encoder5.exe
windows10-2004-x64
10erebus.exe
windows7-x64
9erebus.exe
windows10-2004-x64
7myxaha.exe
windows7-x64
7myxaha.exe
windows10-2004-x64
7$LOCALAPPD...er.exe
windows7-x64
7$LOCALAPPD...er.exe
windows10-2004-x64
7$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Analysis
-
max time kernel
18s -
max time network
47s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20/11/2024, 00:24
Behavioral task
behavioral1
Sample
Tear.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
Tear.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
adochi.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
adochi.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
autoit.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral6
Sample
autoit.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
autoit2.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
autoit2.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
autoit3.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
autoit3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
deviation.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
deviation.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
encoder.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral14
Sample
encoder.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
encoder2.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral16
Sample
encoder2.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
encoder3.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral18
Sample
encoder3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
encoder4.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral20
Sample
encoder4.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
encoder5.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
encoder5.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
erebus.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral24
Sample
erebus.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
myxaha.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
myxaha.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$LOCALAPPDATA/ConduitInstaller.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral28
Sample
$LOCALAPPDATA/ConduitInstaller.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral30
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral32
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Errors
General
-
Target
encoder2.exe
-
Size
328KB
-
MD5
3ef478a7c898e91f09385da44555d986
-
SHA1
07c1f289891b59892ae45253ffdc969f11267ac5
-
SHA256
1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4
-
SHA512
e67b411fbc1a05a6482b03d8320fad0bd08836c5fa651b435473ee3233bb62240c1ffaab1ede7f58fee9eee70f4e313a230411a143495e2d30826546148cd4d1
-
SSDEEP
3072:uhl75wtMO7RTbcA6Ao7A75PeunlG7m//5/vZ/5TVk5ixJNe4yg6bMtJWPhyhMvcc:E5sRXcTAmEFRJ/525caYzfpCHFc8j
Malware Config
Signatures
-
Renames multiple (2236) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\DECRYPT_INFORMATION.html encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png encoder2.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar encoder2.exe File opened for modification C:\Program Files\Java\jdk-1.8\LICENSE encoder2.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\cldrdata.jar encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ppd.xrm-ms encoder2.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-pl.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png encoder2.exe File opened for modification C:\Program Files\7-Zip\Lang\is.txt encoder2.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN090.XML encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms encoder2.exe File opened for modification C:\Program Files\7-Zip\Lang\uz.txt encoder2.exe File opened for modification C:\Program Files\Common Files\System\msadc\en-US\DECRYPT_INFORMATION.html encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms encoder2.exe File opened for modification C:\Program Files\Common Files\System\en-US\DECRYPT_INFORMATION.html encoder2.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ul-oob.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub encoder2.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml encoder2.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-pl.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png encoder2.exe File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt encoder2.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\DECRYPT_INFORMATION.html encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms encoder2.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat encoder2.exe File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\DECRYPT_INFORMATION.html encoder2.exe File opened for modification C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\DECRYPT_INFORMATION.html encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK encoder2.exe File opened for modification C:\Program Files\Common Files\System\ado\msadomd28.tlb encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\DECRYPT_INFORMATION.html encoder2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL encoder2.exe File opened for modification C:\Program Files\7-Zip\7-zip.chm encoder2.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\cmm\sRGB.pf encoder2.exe File opened for modification C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar encoder2.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language encoder2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\encoder2.exe"C:\Users\Admin\AppData\Local\Temp\encoder2.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3276
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2396
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xmlHRM
Filesize3.3MB
MD5baa7e124a7cf551affff7f856b76e9a7
SHA1d3d64ffca3d12881d3230833214ef5e6e2d84689
SHA256131ca81bcbef337460f12ebdf35320dc309a390da8ccba31ddac378b98e315e4
SHA5126a724c81a2295ad4c792bd64b7b4ac110f34735b6d8a96ef21d1e4f53fd54e3224afd829cd554dad129c302a52c1f431f311457aafced83fb27016263eb72f66
-
Filesize
6KB
MD533882404eb10900a43ecad8c5f86b50c
SHA1f0d4c2a6d5fc5e7be6b9d4931af5cff82c93e17b
SHA256d1f8bc0c1d8736ad9226ad1e1b83f006147864341e5389dfb8ee25a69bdc7ec6
SHA51278116f9ca0f0845cb04866d304e3a19b215297dba23ee7b13d8041c9269d16319f330cf9c21619c9ee7f2a60950ad26448551156f842c36f2e25ef11fdbd520f