Analysis
Max time kernel: 93s
Max time network: 94s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01/01/2025, 19:48
Static task: static1
Behavioral task: behavioral1
  Sample: 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe
  Resource: win10v2004-20241007-en
General
Target: 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe
Size: 416KB
MD5: 09e02038c2cbf5773e330365fdbff979
SHA1: a58253be5d0894273b06282523545196811da047
SHA256: 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a
SHA512: 56d717ee6c6b06e62cda5e8b13eab0ff820c560e3f33823819c1f51bbd47c64240f6ceb99ba85e6b18d3cb9bb81b4630023c73370320c2a902b5fa3ae06c94c7
SSDEEP: 6144:LjLSdhMVMMV7E0KnZOu4BCnSOzOqhgdqKkC2bm5drbXq8ItZc:gqrV7E04OuxfzPhgqCZ5RXq8I8
Malware Config
Extracted: C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_XW4ENNBX_README_.hta
Signatures
Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
Cerber family
Contacts a large (587) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation (process: 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe)
Drops startup file (1 IoC)
  File opened for modification: \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ (process: 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpB611.bmp" (process: 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe)
Drops file in Program Files directory (20 IoCs)
  Files opened for modification by 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe:
    \??\c:\program files (x86)\word
    \??\c:\program files (x86)\microsoft\outlook
    \??\c:\program files (x86)\microsoft\word
    \??\c:\program files (x86)\office
    \??\c:\program files (x86)\onenote
    \??\c:\program files (x86)\thunderbird
    \??\c:\program files (x86)\microsoft sql server
    \??\c:\program files (x86)\excel
    \??\c:\program files (x86)\microsoft\excel
    \??\c:\program files (x86)\microsoft\office
    \??\c:\program files (x86)\microsoft\powerpoint
    \??\c:\program files (x86)\outlook
    \??\c:\program files (x86)\powerpoint
    \??\c:\program files (x86)\steam
    \??\c:\program files (x86)\bitcoin
    \??\c:\program files (x86)\
    \??\c:\program files (x86)\microsoft\microsoft sql server
    \??\c:\program files (x86)\microsoft\onenote
    \??\c:\program files (x86)\the bat!
    \??\c:\program files\
Drops file in Windows directory (1 IoC)
  File opened for modification: \??\c:\windows\ (process: 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mshta.exe)
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
  PID 3216: PING.EXE
Kills process with taskkill (1 IoC)
  PID 5004: taskkill.exe
Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings (process: 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe)
Runs ping.exe (1 TTP, 1 IoC)
  PID 3216: PING.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3468: 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe
  PID 3468: 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeShutdownPrivilege (PID 3468, 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe)
  Token: SeCreatePagefilePrivilege (PID 3468, 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe)
  Token: 33 (PID 4496, AUDIODG.EXE)
  Token: SeIncBasePriorityPrivilege (PID 4496, AUDIODG.EXE)
  Token: SeDebugPrivilege (PID 5004, taskkill.exe)
Suspicious use of WriteProcessMemory (9 IoCs)
  Columns: description, pid, process, procid_target
  PID 3468 wrote to memory of 5020, 3468, 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe, 83
  PID 3468 wrote to memory of 5020, 3468, 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe, 83
  PID 3468 wrote to memory of 5020, 3468, 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe, 83
  PID 3468 wrote to memory of 3476, 3468, 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe, 94
  PID 3468 wrote to memory of 3476, 3468, 0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe, 94
  PID 3476 wrote to memory of 5004, 3476, cmd.exe, 96
  PID 3476 wrote to memory of 5004, 3476, cmd.exe, 96
  PID 3476 wrote to memory of 3216, 3476, cmd.exe, 97
  PID 3476 wrote to memory of 3216, 3476, cmd.exe, 97
Processes
C:\Users\Admin\AppData\Local\Temp\0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe"
  PID: 3468
  - Checks computer location settings
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_7807MUE_README_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    PID: 5020
    - System Location Discovery: System Language Discovery
  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    PID: 3476
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe
      Command line: taskkill /f /im "0ba2f0565a5f19579335c239daaa784b346f901bbda6ec6c863af3a5cf769c2a.exe"
      PID: 5004
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\PING.EXE
      Command line: ping -n 1 127.0.0.1
      PID: 3216
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x514 0x508
  PID: 4496
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 150KB
  MD5: 882c1609b65c9c6ec6c3f111ecfeecd5
  SHA1: 927917670575f4f387045af67542fabd87bca811
  SHA256: 70f19a2ff8b4d7424a7ab24762ba1b09fe054d07ce0b2a3aac19e679f643ae4f
  SHA512: 23579150003782d42800848d1bb3bfdc4189edfced4786bec8150b07b471815b7062778fc01bb274a4f7d7b88add891d02708928fa2ea7b0089ab4a5655ea08e
Filesize: 65KB
  MD5: 69ad662e5aa85ed20ab6ccb6913230bd
  SHA1: 3f7461232c61ea82d020caaf8224ea12130c74cd
  SHA256: e03061658e57f8aeaf6518ceb4ff6085b82987b2b7b7f2f2400547bc38648cf5
  SHA512: 40adeb5b1d847ca1c2e3d4953da22ae4d1baf751741e57bff1c339ecc3c3162fcc84d828201872195f08801a401e47fdc940583eff7f9df3e9fb217b7e3d83e6