Analysis
- Max time kernel: 145s
- Max time network: 114s
- Platform: windows7_x64
- Resource: win7v200410
- Submitted: 27/04/2020, 03:04
Static task: static1
Behavioral task behavioral1: sample F820.tmp.exe, resource win7v200410
Behavioral task behavioral2: sample F820.tmp.exe, resource win10v200410
General
- Target: F820.tmp.exe
- Size: 813KB
- MD5: 42e683f3f24484bd47f079b114002571
- SHA1: 4a7840d449e1454561a34c49f7d91224ef892e2c
- SHA256: ce90d07b63358dc14f246849d5a04b41692c849cdd2de04c2dc8b0e161a45b3e
- SHA512: fff26cf5458487b88872f5150cf3ee10a2d6b6a94a16e05daf672fb7407c0e417d8477b0d8a5ab96f417669c16149bea98a8075ab7609379cce7006a5be69c8f
Malware Config
Signatures

Suspicious use of WriteProcessMemory (77 IoCs; the raw report repeats each parent/child pair several times, each distinct pair is listed once here)
description                        pid   Process          procid_target
PID 2024 wrote to memory of 1640   2024  F820.tmp.exe     27
PID 2024 wrote to memory of 996    2024  F820.tmp.exe     28
PID 996 wrote to memory of 1748    996   F820.tmp.exe     29
PID 1748 wrote to memory of 1780   1748  updatewin1.exe   30
PID 996 wrote to memory of 1820    996   F820.tmp.exe     32
PID 1780 wrote to memory of 1840   1780  updatewin1.exe   33
PID 996 wrote to memory of 1568    996   F820.tmp.exe     35
PID 1780 wrote to memory of 1584   1780  updatewin1.exe   37
PID 1584 wrote to memory of 1164   1584  powershell.exe   39
PID 1780 wrote to memory of 1696   1780  updatewin1.exe   41
PID 1780 wrote to memory of 1724   1780  updatewin1.exe   43
PID 1568 wrote to memory of 1580   1568  5.exe            45
PID 1580 wrote to memory of 1460   1580  cmd.exe          47
PID 520 wrote to memory of 700     520   taskeng.exe      54

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description               pid   Process
Token: SeDebugPrivilege   1840  powershell.exe
Token: SeDebugPrivilege   1584  powershell.exe
Token: SeDebugPrivilege   1164  powershell.exe
Token: SeDebugPrivilege   1460  taskkill.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Drops file in Drivers directory (1 IoCs)
description                    ioc                                     Process
File opened for modification   C:\Windows\System32\drivers\etc\hosts   updatewin2.exe

Kills process with taskkill (1 IoCs)
pid   Process
1460  taskkill.exe

Makes http(s) request (19 IoCs)
Contacts server via http/https, possibly for C2 communication.
description  flow  ioc
HTTP URL     15    http://akbz.top/files/penelop/3.exe
HTTP URL     20    http://evergladsea.com/517
HTTP URL     20    http://evergladsea.com/freebl3.dll
HTTP URL     20    http://evergladsea.com/mozglue.dll
HTTP URL     20    http://evergladsea.com/msvcp140.dll
HTTP URL     20    http://evergladsea.com/vcruntime140.dll
HTTP URL     11    http://akbz.top/files/penelop/updatewin1.exe
HTTP URL     12    http://akbz.top/ydtftysdtyftysdfsdpen3/get.php?pid=7FE0677D783F4AD4240B4688EDAACCFA&first=true
HTTP URL     31    http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
HTTP URL     22    http://ip-api.com/line/
HTTP URL     14    http://akbz.top/files/penelop/updatewin.exe
HTTP URL     20    http://evergladsea.com/nss3.dll
HTTP URL     20    http://evergladsea.com/
HTTP URL     6     http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
HTTP URL     9     http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
HTTP URL     17    http://akbz.top/files/penelop/5.exe
HTTP URL     20    http://evergladsea.com/softokn3.dll
HTTP URL     13    http://akbz.top/files/penelop/updatewin2.exe
HTTP URL     16    http://akbz.top/files/penelop/4.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Loads dropped DLL (16 IoCs; repeated pid/process entries collapsed with a count)
pid   Process          entries
996   F820.tmp.exe     4
1748  updatewin1.exe   5
1780  updatewin1.exe   3
1568  5.exe            4

Executes dropped EXE (5 IoCs)
pid   Process
1748  updatewin1.exe
1780  updatewin1.exe
1820  updatewin2.exe
1568  5.exe
700   F820.tmp.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description         ioc                                                                              Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                 5.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   5.exe

Opens file in notepad (likely ransom note) (1 IoCs)
pid   Process
1656  NOTEPAD.EXE

Adds Run entry to start application (2 TTPs, 1 IoCs)
description       ioc                                                                                                                       Process
Set value (str)   \REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5def4699-2071-43af-b361-72c272756e78\\F820.tmp.exe\" --AutoStart"   F820.tmp.exe

Suspicious behavior: EnumeratesProcesses (17 IoCs; repeated pid/process entries collapsed with a count)
pid   Process          entries
2024  F820.tmp.exe     2
996   F820.tmp.exe     3
1840  powershell.exe   3
1584  powershell.exe   2
1568  5.exe            4
1164  powershell.exe   1
700   F820.tmp.exe     2

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
21    ip-api.com

Modifies file permissions (1 TTPs, 1 IoCs)
pid   Process
1640  icacls.exe
Checks for installed software on the system (1 TTPs, 28 IoCs)
All 28 entries are registry accesses by 5.exe under the base key \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, listed in report order:
description         ioc (relative to the Uninstall base key)
Key value queried   IE40\DisplayName
Key value queried   IEData\DisplayName
Key value queried   Fontcore\DisplayName
Key value queried   WIC\DisplayName
Key value queried   {92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName
Key value queried   {ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName
Key value queried   Connection Manager\DisplayName
Key value queried   SchedulingAgent\DisplayName
Key value queried   {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName
Key value queried   {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName
Key value queried   {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName
Key value queried   {AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName
Key opened          (the Uninstall base key itself)
Key value queried   DirectDrawEx\DisplayName
Key value queried   IE5BAKEX\DisplayName
Key value queried   AddressBook\DisplayName
Key value queried   {00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
Key value queried   {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName
Key value queried   IE4Data\DisplayName
Key value queried   {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName
Key value queried   {BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName
Key enumerated      (the Uninstall base key itself)
Key value queried   {ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName
Key value queried   {f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName
Key value queried   Adobe AIR\DisplayName
Key value queried   MobileOptionPack\DisplayName
Key value queried   {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName
Key value queried   {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName
Disables Task Manager via registry modification
Processes
Process tree from the behavioral run; the bracketed number is the depth shown in the report and indentation follows the parent/child relationship. Each entry gives the image path, the captured command line, the PID and the signatures triggered by that process.

[1] C:\Users\Admin\AppData\Local\Temp\F820.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\F820.tmp.exe"
    PID: 2024
    - Suspicious use of WriteProcessMemory
    - Adds Run entry to start application
    - Suspicious behavior: EnumeratesProcesses

  [2] C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Users\Admin\AppData\Local\5def4699-2071-43af-b361-72c272756e78" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      PID: 1640
      - Modifies file permissions

  [2] C:\Users\Admin\AppData\Local\Temp\F820.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\F820.tmp.exe" --Admin IsNotAutoStart IsNotTask
      PID: 996
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

    [3] C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe
        Command line: "C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe"
        PID: 1748
        - Suspicious use of WriteProcessMemory
        - Loads dropped DLL
        - Executes dropped EXE

      [4] C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe
          Command line: "C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe" --Admin
          PID: 1780
          - Suspicious use of WriteProcessMemory
          - Loads dropped DLL
          - Executes dropped EXE

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
            PID: 1840
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious behavior: EnumeratesProcesses

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
            PID: 1584
            - Suspicious use of WriteProcessMemory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious behavior: EnumeratesProcesses

          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
              PID: 1164
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious behavior: EnumeratesProcesses

        [5] C:\Program Files\Windows Defender\mpcmdrun.exe
            Command line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
            PID: 1696

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
            PID: 1724

    [3] C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin2.exe
        Command line: "C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin2.exe"
        PID: 1820
        - Drops file in Drivers directory
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\5.exe
        Command line: "C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\5.exe"
        PID: 1568
        - Loads dropped DLL
        - Executes dropped EXE
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Checks for installed software on the system

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\5.exe & exit
          PID: 1580

        [5] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /im 5.exe /f
            PID: 1460
            - Suspicious use of AdjustPrivilegeToken
            - Kills process with taskkill

[1] C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe"
    PID: 1388

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {969DBEDC-FA5C-43ED-ADFC-B54FB9707DB8} S-1-5-21-3765897441-2376744223-3151462503-1000:BKIWADLA\Admin:Interactive:[1]
    PID: 520

  [2] C:\Users\Admin\AppData\Local\5def4699-2071-43af-b361-72c272756e78\F820.tmp.exe
      Command line: C:\Users\Admin\AppData\Local\5def4699-2071-43af-b361-72c272756e78\F820.tmp.exe --Task
      PID: 700
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe"
    PID: 1772

[1] C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\_readme.txt
    PID: 1656
    - Opens file in notepad (likely ransom note)