Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
    max time kernel:   280s
    max time network:  128s
    platform:          windows7_x64
    resource:          win7v200430
    submitted:         12/05/2020, 11:19
Static task:      static1
Behavioral task:  behavioral1
    Sample:    E214.tmp.exe
    Resource:  win7v200430
General
    Target:  E214.tmp.exe
    Size:    818KB
    MD5:     eb6c5d9f2aeed5e494370f4d28a0307b
    SHA1:    bf3d7db88f44c7440e81dd96b83b70038e88e3f5
    SHA256:  fafa82e7a61c1a516bb83c19d0e5ffce99eac17d34bb9280da34c515e1279653
    SHA512:  eb332247ee9006e7b64da251c929a40d38a0cab40e0b47e60c71f4ee0c3f24b887916aebc160f0dc954cf3a8a428c4c264068886155f6376d70481682e59c49d
Malware Config
    Extracted
        Ransom note path:  C:\_readme.txt
        URL:               https://we.tl/t-PHmSJZS9ey
Signatures

Suspicious behavior: EnumeratesProcesses  (14 IoCs)
    pid   process
    1520  E214.tmp.exe
    1796  E214.tmp.exe    (x2)
    1624  powershell.exe  (x3)
    1856  powershell.exe  (x2)
    1824  powershell.exe
    1952  5.exe           (x4)
    1748  E214.tmp.exe

Drops file in Drivers directory  (1 IoC)
    description                   ioc                                    process
    File opened for modification  C:\Windows\System32\drivers\etc\hosts  updatewin2.exe

Suspicious use of AdjustPrivilegeToken  (8 IoCs)
    description                        pid   process
    Token: SeDebugPrivilege            1624  powershell.exe
    Token: SeDebugPrivilege            1856  powershell.exe
    Token: SeDebugPrivilege            1824  powershell.exe
    Token: SeDebugPrivilege            1592  taskkill.exe
    Token: 33                          1748  AUDIODG.EXE  (x2)
    Token: SeIncBasePriorityPrivilege  1748  AUDIODG.EXE  (x2)
Disables Task Manager via registry modification

Executes dropped EXE  (5 IoCs)
    pid   process
    1144  updatewin1.exe
    956   updatewin2.exe
    1640  updatewin1.exe
    1952  5.exe
    1748  E214.tmp.exe

Suspicious use of FindShellTrayWindow  (1 IoC)
    pid   process
    1920  NOTEPAD.EXE

Opens file in notepad (likely ransom note)  (1 IoC)
    pid   process
    1920  NOTEPAD.EXE

Modifies file permissions  (1 TTP, 1 IoC)
    pid   process
    1532  icacls.exe
Checks for installed software on the system  (1 TTP, 29 IoCs)
    Process: 5.exe. All keys below live under
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
    Key opened       (Uninstall root)
    Key enumerated   (Uninstall root)
    Key value queried: <subkey>\DisplayName, for each of the following subkeys
        AddressBook
        Connection Manager
        {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757
        {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860
        {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743
        {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063
        Google Chrome
        IE40
        IEData
        {00203668-8170-44A0-BE44-B632FA4D780F}
        MobileOptionPack
        {AC76BA86-7AD7-1033-7B44-A90000000001}
        {BB8B979E-E336-47E7-96BC-1031C1B94561}
        Fontcore
        {ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}
        {ef6b00ec-13e1-4c25-9064-b2f383cb8412}
        Adobe AIR
        IE5BAKEX
        {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573
        DirectDrawEx
        SchedulingAgent
        {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173
        {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655
        {92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364
        {f4220b74-9edd-4ded-bc8b-0342c1e164d8}
        IE4Data
        WIC
Looks up external IP address via web service  (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
    flow  ioc
    21    ip-api.com

Reads user/profile data of local email clients  (2 TTPs)
    Email clients store some user data on disk where infostealers will often target it.

Adds Run entry to start application  (2 TTPs, 1 IoC)
    description:  Set value (str)
    ioc:          \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\80f457ce-6e3a-4a8f-b143-ac81ecafd120\\E214.tmp.exe\" --AutoStart"
    process:      E214.tmp.exe
Suspicious use of WriteProcessMemory  (77 IoCs)
    Collapsed to one row per (writer, target) pair; "rows" is how many identical
    entries the report lists for that pair.
    writer pid  writer process  target pid  procid_target  rows
    1520        E214.tmp.exe    1532        25             4
    1520        E214.tmp.exe    1796        27             4
    1796        E214.tmp.exe    1144        28             7
    1796        E214.tmp.exe    956         29             7
    1144        updatewin1.exe  1640        30             7
    1640        updatewin1.exe  1624        31             7
    1796        E214.tmp.exe    1952        33             4
    1640        updatewin1.exe  1856        35             7
    1856        powershell.exe  1824        37             7
    1640        updatewin1.exe  1044        39             4
    1640        updatewin1.exe  1768        41             7
    1952        5.exe           1840        45             4
    1840        cmd.exe         1592        47             4
    1596        taskeng.exe     1748        50             4
Loads dropped DLL  (16 IoCs)
    pid   process
    1796  E214.tmp.exe    (x4)
    1144  updatewin1.exe  (x5)
    1640  updatewin1.exe  (x3)
    1952  5.exe           (x4)

Reads user/profile data of web browsers  (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.

Checks processor information in registry  (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
    description        ioc                                                                           process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0              5.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  5.exe

Kills process with taskkill  (1 IoC)
    pid   process
    1592  taskkill.exe
Processes

C:\Users\Admin\AppData\Local\Temp\E214.tmp.exe  (PID 1520)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\E214.tmp.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run entry to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\icacls.exe  (PID 1532)
        cmdline: icacls "C:\Users\Admin\AppData\Local\80f457ce-6e3a-4a8f-b143-ac81ecafd120" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        - Modifies file permissions

    C:\Users\Admin\AppData\Local\Temp\E214.tmp.exe  (PID 1796)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\E214.tmp.exe" --Admin IsNotAutoStart IsNotTask
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - Loads dropped DLL

        C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe  (PID 1144)
            cmdline: "C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            - Loads dropped DLL

            C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe  (PID 1640)
                cmdline: "C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe" --Admin
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory
                - Loads dropped DLL

                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1624)
                    cmdline: powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken

                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1856)
                    cmdline: powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory

                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1824)
                        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken

                C:\Program Files\Windows Defender\mpcmdrun.exe  (PID 1044)
                    cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all

                C:\Windows\SysWOW64\cmd.exe  (PID 1768)
                    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""

        C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin2.exe  (PID 956)
            cmdline: "C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin2.exe"
            - Drops file in Drivers directory
            - Executes dropped EXE

        C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe  (PID 1952)
            cmdline: "C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Executes dropped EXE
            - Checks for installed software on the system
            - Loads dropped DLL
            - Checks processor information in registry

            C:\Windows\SysWOW64\cmd.exe  (PID 1840)
                cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe & exit

                C:\Windows\SysWOW64\taskkill.exe  (PID 1592)
                    cmdline: taskkill /im 5.exe /f
                    - Suspicious use of AdjustPrivilegeToken
                    - Kills process with taskkill

C:\Windows\system32\taskeng.exe  (PID 1596)
    cmdline: taskeng.exe {7EC98CF2-FA1A-4AF7-9E2B-F6A1BDDA3BCF} S-1-5-21-910373003-3952921535-3480519689-1000:DJRWGDLZ\Admin:Interactive:[1]

    C:\Users\Admin\AppData\Local\80f457ce-6e3a-4a8f-b143-ac81ecafd120\E214.tmp.exe  (PID 1748)
        cmdline: C:\Users\Admin\AppData\Local\80f457ce-6e3a-4a8f-b143-ac81ecafd120\E214.tmp.exe --Task
        - Suspicious behavior: EnumeratesProcesses
        - Executes dropped EXE

C:\Windows\explorer.exe  (PID 1552)
    cmdline: "C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE  (PID 1748)
    cmdline: C:\Windows\system32\AUDIODG.EXE 0x4f0
    - Suspicious use of AdjustPrivilegeToken
    (PID 1748 also appears above as the --Task relaunch of E214.tmp.exe: the number was reused, these are two different processes)

C:\Windows\system32\NOTEPAD.EXE  (PID 1920)
    cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\_readme.txt
    - Suspicious use of FindShellTrayWindow
    - Opens file in notepad (likely ransom note)
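The chain above contains several behaviours that are cheap to detect from process, registry and file telemetry regardless of the sample's hashes: a GUID-named staging folder under AppData\Local whose ACL is locked down with icacls, a Set-ExecutionPolicy call spawned from that folder, Windows Defender told to remove its definitions, a self-delete via taskkill plus erase, a Run key pointing back into the staging folder, and a write to the hosts file by a non-Windows binary. The script below is an added detection example, not Triage's code and not a shipped rule set: the event layout, field names and rule names are this example's own, the command lines, paths and registry data are copied from the Processes and Signatures sections, and the explorer.exe control event is constructed so that a benign process is present to not fire.

```python
"""Behaviour rules for the chain in this report, run over constructed events.
Added detection example: the event fields and rule names are this example's
own, not Triage's schema or anyone's shipped detections.
"""
import re

LOCAL = r"C:\Users\Admin\AppData\Local"
STAGE1 = LOCAL + r"\80f457ce-6e3a-4a8f-b143-ac81ecafd120"
STAGE2 = LOCAL + r"\72d0db9e-61a6-4da0-88d6-792011d3fe3b"
# A GUID-named folder directly under AppData\Local: the staging directory
# used by both stages above.
GUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b",
    re.I)

# Constructed events; values copied from the report, layout made up here.
EVENTS = [
    {"type": "process", "pid": 1532, "parent_image": LOCAL + r"\Temp\E214.tmp.exe",
     "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": 'icacls "' + STAGE1 + '" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "process", "pid": 1624, "parent_image": STAGE2 + r"\updatewin1.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned"},
    {"type": "process", "pid": 1044, "parent_image": STAGE2 + r"\updatewin1.exe",
     "image": r"C:\Program Files\Windows Defender\mpcmdrun.exe",
     "cmdline": r'"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all'},
    {"type": "process", "pid": 1840, "parent_image": STAGE2 + r"\5.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase '
                + STAGE2 + r"\5.exe & exit"},
    {"type": "registry", "pid": 1520, "image": LOCAL + r"\Temp\E214.tmp.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "data": '"' + STAGE1 + r'\E214.tmp.exe" --AutoStart'},
    {"type": "file", "pid": 956, "image": STAGE2 + r"\updatewin2.exe",
     "path": r"C:\Windows\System32\drivers\etc\hosts", "access": "modify"},
    # Constructed control: the explorer.exe start in the tree must not fire.
    {"type": "process", "pid": 1552, "parent_image": "",
     "image": r"C:\Windows\explorer.exe", "cmdline": r'"C:\Windows\explorer.exe"'},
]


def _image_is(event, name):
    return event["image"].lower().endswith("\\" + name)


def defender_definitions_removed(e):
    """Windows Defender told to drop its signature set (mpcmdrun -removedefinitions)."""
    return (e["type"] == "process" and _image_is(e, "mpcmdrun.exe")
            and "-removedefinitions" in e["cmdline"].lower())


def execution_policy_loosened_by_dropper(e):
    """powershell Set-ExecutionPolicy spawned by a binary in the GUID staging dir."""
    return (e["type"] == "process" and _image_is(e, "powershell.exe")
            and "set-executionpolicy" in e["cmdline"].lower()
            and GUID_DIR.search(e["parent_image"]) is not None)


def staging_dir_acl_lockdown(e):
    """icacls denies Everyone (S-1-1-0) delete rights on the staging dir."""
    c = e.get("cmdline", "").lower()
    return (e["type"] == "process" and _image_is(e, "icacls.exe")
            and "/deny" in c and "s-1-1-0" in c and GUID_DIR.search(c) is not None)


def self_delete_via_taskkill_erase(e):
    """cmd /c taskkill <x> /f & erase <x>: a component removing its own file."""
    c = e.get("cmdline", "").lower()
    return (e["type"] == "process" and _image_is(e, "cmd.exe")
            and "taskkill" in c and re.search(r"\b(erase|del)\b", c) is not None)


def run_key_into_staging_dir(e):
    """Run value whose target lives in the GUID staging dir (here with --AutoStart)."""
    return (e["type"] == "registry" and "\\currentversion\\run\\" in e["key"].lower()
            and GUID_DIR.search(e["data"]) is not None)


def hosts_modified_by_non_system_image(e):
    """Write access to drivers\\etc\\hosts from an image outside C:\\Windows (heuristic)."""
    return (e["type"] == "file" and e["path"].lower().endswith(r"\drivers\etc\hosts")
            and e["access"] == "modify"
            and not e["image"].lower().startswith("c:\\windows\\"))


RULES = [defender_definitions_removed, execution_policy_loosened_by_dropper,
         staging_dir_acl_lockdown, self_delete_via_taskkill_erase,
         run_key_into_staging_dir, hosts_modified_by_non_system_image]


def triage(events):
    """Return [(rule name, pid)] for every rule that fires on every event."""
    return [(rule.__name__, e["pid"]) for e in events for rule in RULES if rule(e)]


if __name__ == "__main__":
    for name, pid in triage(EVENTS):
        print(f"{pid:>5}  {name}")
```

The rules key on the staging-folder pattern and on the command-line shapes rather than on this sample's GUIDs, so they keep firing when the folder names change; the hosts-file rule's "outside C:\Windows" boundary is a deliberately loose heuristic that will also flag legitimate tooling and belongs in a hunting query rather than a blocking alert.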