Resubmissions

| Submitted | Task ID | Score |
|---|---|---|
| 03/07/2024, 22:59 | 240703-2yn7wszhlp | 10 |
| 03/07/2024, 16:13 | 240703-tn93lsyglf | 10 |
| 03/07/2024, 16:11 | 240703-tm84xsyfma | 10 |
| 10/05/2024, 16:25 | 240510-tw1h5shh47 | 10 |
| 24/08/2023, 11:16 | 230824-nda8msdf8z | 10 |

Analysis

- max time kernel: 21s
- max time network: 53s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 22/11/2020, 06:42

Tasks

- Static task: static1
- Behavioral task: behavioral24
- Sample: Endermanch@NavaShield(1).exe
- Resource: win10v20201028

General

- Size: 6.7MB
- MD5: f2b7074e1543720a9a98fda660e02688
- SHA1: 1029492c1a12789d8af78d54adcb921e24b9e5ca
- SHA256: 4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
- SHA512: 73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff
Signatures

Disables Task Manager via registry modification

Enumerates connected drives (3 TTPs, 24 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\J: | [email protected] |
| File opened (read-only) | \??\P: | [email protected] |
| File opened (read-only) | \??\X: | [email protected] |
| File opened (read-only) | \??\O: | [email protected] |
| File opened (read-only) | \??\Q: | [email protected] |
| File opened (read-only) | \??\R: | [email protected] |
| File opened (read-only) | \??\S: | [email protected] |
| File opened (read-only) | \??\V: | [email protected] |
| File opened (read-only) | \??\B: | [email protected] |
| File opened (read-only) | \??\G: | [email protected] |
| File opened (read-only) | \??\H: | [email protected] |
| File opened (read-only) | \??\N: | [email protected] |
| File opened (read-only) | \??\Y: | [email protected] |
| File opened (read-only) | \??\T: | [email protected] |
| File opened (read-only) | \??\A: | [email protected] |
| File opened (read-only) | \??\E: | [email protected] |
| File opened (read-only) | \??\F: | [email protected] |
| File opened (read-only) | \??\I: | [email protected] |
| File opened (read-only) | \??\K: | [email protected] |
| File opened (read-only) | \??\L: | [email protected] |
| File opened (read-only) | \??\M: | [email protected] |
| File opened (read-only) | \??\U: | [email protected] |
| File opened (read-only) | \??\W: | [email protected] |
| File opened (read-only) | \??\Z: | [email protected] |

Modifies WinLogon (2 TTPs, 1 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | [email protected] |

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper | [email protected] |

Kills process with taskkill (2 IoCs)

| pid | Process |
|---|---|
| 3996 | taskkill.exe |
| 2992 | taskkill.exe |

Modifies registry class (1 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" | [email protected] |
Suspicious use of AdjustPrivilegeToken (94 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 3996 | taskkill.exe |
| Token: SeShutdownPrivilege | 3108 | [email protected] |
| Token: SeCreatePagefilePrivilege | 3108 | [email protected] |
| Token: SeDebugPrivilege | 2992 | taskkill.exe |
| Token: SeIncreaseQuotaPrivilege | 2864 | WMIC.exe |
| Token: SeSecurityPrivilege | 2864 | WMIC.exe |
| Token: SeTakeOwnershipPrivilege | 2864 | WMIC.exe |
| Token: SeLoadDriverPrivilege | 2864 | WMIC.exe |
| Token: SeSystemProfilePrivilege | 2864 | WMIC.exe |
| Token: SeSystemtimePrivilege | 2864 | WMIC.exe |
| Token: SeProfSingleProcessPrivilege | 2864 | WMIC.exe |
| Token: SeIncBasePriorityPrivilege | 2864 | WMIC.exe |
| Token: SeCreatePagefilePrivilege | 2864 | WMIC.exe |
| Token: SeBackupPrivilege | 2864 | WMIC.exe |
| Token: SeRestorePrivilege | 2864 | WMIC.exe |
| Token: SeShutdownPrivilege | 2864 | WMIC.exe |
| Token: SeDebugPrivilege | 2864 | WMIC.exe |
| Token: SeSystemEnvironmentPrivilege | 2864 | WMIC.exe |
| Token: SeRemoteShutdownPrivilege | 2864 | WMIC.exe |
| Token: SeUndockPrivilege | 2864 | WMIC.exe |
| Token: SeManageVolumePrivilege | 2864 | WMIC.exe |
| Token: 33 | 2864 | WMIC.exe |
| Token: 34 | 2864 | WMIC.exe |
| Token: 35 | 2864 | WMIC.exe |
| Token: 36 | 2864 | WMIC.exe |
| Token: SeIncreaseQuotaPrivilege | 2864 | WMIC.exe |
| Token: SeSecurityPrivilege | 2864 | WMIC.exe |
| Token: SeTakeOwnershipPrivilege | 2864 | WMIC.exe |
| Token: SeLoadDriverPrivilege | 2864 | WMIC.exe |
| Token: SeSystemProfilePrivilege | 2864 | WMIC.exe |
| Token: SeSystemtimePrivilege | 2864 | WMIC.exe |
| Token: SeProfSingleProcessPrivilege | 2864 | WMIC.exe |
| Token: SeIncBasePriorityPrivilege | 2864 | WMIC.exe |
| Token: SeCreatePagefilePrivilege | 2864 | WMIC.exe |
| Token: SeBackupPrivilege | 2864 | WMIC.exe |
| Token: SeRestorePrivilege | 2864 | WMIC.exe |
| Token: SeShutdownPrivilege | 2864 | WMIC.exe |
| Token: SeDebugPrivilege | 2864 | WMIC.exe |
| Token: SeSystemEnvironmentPrivilege | 2864 | WMIC.exe |
| Token: SeRemoteShutdownPrivilege | 2864 | WMIC.exe |
| Token: SeUndockPrivilege | 2864 | WMIC.exe |
| Token: SeManageVolumePrivilege | 2864 | WMIC.exe |
| Token: 33 | 2864 | WMIC.exe |
| Token: 34 | 2864 | WMIC.exe |
| Token: 35 | 2864 | WMIC.exe |
| Token: 36 | 2864 | WMIC.exe |
| Token: SeIncreaseQuotaPrivilege | 4068 | WMIC.exe |
| Token: SeSecurityPrivilege | 4068 | WMIC.exe |
| Token: SeTakeOwnershipPrivilege | 4068 | WMIC.exe |
| Token: SeLoadDriverPrivilege | 4068 | WMIC.exe |
| Token: SeSystemProfilePrivilege | 4068 | WMIC.exe |
| Token: SeSystemtimePrivilege | 4068 | WMIC.exe |
| Token: SeProfSingleProcessPrivilege | 4068 | WMIC.exe |
| Token: SeIncBasePriorityPrivilege | 4068 | WMIC.exe |
| Token: SeCreatePagefilePrivilege | 4068 | WMIC.exe |
| Token: SeBackupPrivilege | 4068 | WMIC.exe |
| Token: SeRestorePrivilege | 4068 | WMIC.exe |
| Token: SeShutdownPrivilege | 4068 | WMIC.exe |
| Token: SeDebugPrivilege | 4068 | WMIC.exe |
| Token: SeSystemEnvironmentPrivilege | 4068 | WMIC.exe |
| Token: SeRemoteShutdownPrivilege | 4068 | WMIC.exe |
| Token: SeUndockPrivilege | 4068 | WMIC.exe |
| Token: SeManageVolumePrivilege | 4068 | WMIC.exe |
| Token: 33 | 4068 | WMIC.exe |
| Token: 34 | 4068 | WMIC.exe |
| Token: 35 | 4068 | WMIC.exe |
| Token: 36 | 4068 | WMIC.exe |
| Token: SeIncreaseQuotaPrivilege | 4068 | WMIC.exe |
| Token: SeSecurityPrivilege | 4068 | WMIC.exe |
| Token: SeTakeOwnershipPrivilege | 4068 | WMIC.exe |
| Token: SeLoadDriverPrivilege | 4068 | WMIC.exe |
| Token: SeSystemProfilePrivilege | 4068 | WMIC.exe |
| Token: SeSystemtimePrivilege | 4068 | WMIC.exe |
| Token: SeProfSingleProcessPrivilege | 4068 | WMIC.exe |
| Token: SeIncBasePriorityPrivilege | 4068 | WMIC.exe |
| Token: SeCreatePagefilePrivilege | 4068 | WMIC.exe |
| Token: SeBackupPrivilege | 4068 | WMIC.exe |
| Token: SeRestorePrivilege | 4068 | WMIC.exe |
| Token: SeShutdownPrivilege | 4068 | WMIC.exe |
| Token: SeDebugPrivilege | 4068 | WMIC.exe |
| Token: SeSystemEnvironmentPrivilege | 4068 | WMIC.exe |
| Token: SeRemoteShutdownPrivilege | 4068 | WMIC.exe |
| Token: SeUndockPrivilege | 4068 | WMIC.exe |
| Token: SeManageVolumePrivilege | 4068 | WMIC.exe |
| Token: 33 | 4068 | WMIC.exe |
| Token: 34 | 4068 | WMIC.exe |
| Token: 35 | 4068 | WMIC.exe |
| Token: 36 | 4068 | WMIC.exe |
| Token: SeShutdownPrivilege | 3108 | [email protected] |
| Token: SeCreatePagefilePrivilege | 3108 | [email protected] |
| Token: SeShutdownPrivilege | 3108 | [email protected] |
| Token: SeCreatePagefilePrivilege | 3108 | [email protected] |
| Token: SeShutdownPrivilege | 3108 | [email protected] |
| Token: SeCreatePagefilePrivilege | 3108 | [email protected] |
Suspicious use of SetWindowsHookEx (2 IoCs)

| pid | Process |
|---|---|
| 3108 | [email protected] |
| 3108 | [email protected] |

Suspicious use of WriteProcessMemory (15 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3108 wrote to memory of 2844 | 3108 | [email protected] | 75 |
| PID 3108 wrote to memory of 2844 | 3108 | [email protected] | 75 |
| PID 3108 wrote to memory of 2844 | 3108 | [email protected] | 75 |
| PID 2844 wrote to memory of 3996 | 2844 | cmd.exe | 77 |
| PID 2844 wrote to memory of 3996 | 2844 | cmd.exe | 77 |
| PID 2844 wrote to memory of 3996 | 2844 | cmd.exe | 77 |
| PID 2844 wrote to memory of 2992 | 2844 | cmd.exe | 78 |
| PID 2844 wrote to memory of 2992 | 2844 | cmd.exe | 78 |
| PID 2844 wrote to memory of 2992 | 2844 | cmd.exe | 78 |
| PID 2844 wrote to memory of 2864 | 2844 | cmd.exe | 79 |
| PID 2844 wrote to memory of 2864 | 2844 | cmd.exe | 79 |
| PID 2844 wrote to memory of 2864 | 2844 | cmd.exe | 79 |
| PID 2844 wrote to memory of 4068 | 2844 | cmd.exe | 80 |
| PID 2844 wrote to memory of 4068 | 2844 | cmd.exe | 80 |
| PID 2844 wrote to memory of 4068 | 2844 | cmd.exe | 80 |
Processes

- C:\Users\Admin\AppData\Local\Temp\[email protected] (PID 3108, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  - Enumerates connected drives
  - Modifies WinLogon
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2844, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 3996, depth 3)
      Command line: taskkill /f /im explorer.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe (PID 2992, depth 3)
      Command line: taskkill /f /im taskmgr.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2864, depth 3)
      Command line: wmic useraccount where name='Admin' set FullName='UR NEXT'
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4068, depth 3)
      Command line: wmic useraccount where name='Admin' rename 'UR NEXT'
      - Suspicious use of AdjustPrivilegeToken