Analysis
max time kernel: 389s
max time network: 377s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/09/2022, 13:43
Static task: static1

Behavioral task: behavioral1
  Sample: Tuke.exe
  Resource: win7-20220901-en
  0 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: Tuke.exe
  Resource: win10v2004-20220812-en
  9 signatures, 150 seconds
General
Target: Tuke.exe
Size: 316KB
MD5: af6c5c17b88a0bee8d0290b75a4a5c2e
SHA1: bbdf0e0176017b6d950d262671b874b50cce3b37
SHA256: c268b36e43ccc528b8d144913d2f0630e51d1e1d1858904d04b0d2e6dc3bc173
SHA512: 0211751db6167b421fc68d8273fa9a635a244933df01bd6004136408339ea62d70607e5e2d8b25a466fef9d5e3fd13b5184962436541a129a8d15d69bbcb830a
SSDEEP: 6144:ze1+pE7vfQXa1N4VNEVzRK1w1sxWon5aA0QHW:zeEovfEa1eMron9
Score: 1/10
Malware Config
(empty in this report)

Signatures
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments. Note that all three reads below were made by taskmgr.exe (PID 3160), which is neither the submitted sample nor a child of it, so this hit is not evidence that Tuke.exe fingerprints the disk; Task Manager reads the disk FriendlyName for its own Performance view.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Modifies Internet Explorer settings
Every write below comes from iexplore.exe (PID 1708) or its CREDAT child IEXPLORE.EXE (PID 1936); both are separate roots in the process tree, not children of Tuke.exe. The values are Internet Explorer's own first-run state. The DecayDateQueue blobs begin with the DPAPI provider GUID (df9d8cd0-1501-11d1-8c7a-00c04fc297eb), i.e. they are DPAPI-protected new-tab-page state, not a payload. All keys are under \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\ (prefix omitted below).
description | ioc | process
Key created | Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (data) | SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d9120000000000200000000001066000000010000200000008b640e20476da59179af109bfabac63204d9f8a9068beb5f5d3ed44e17bfde6c000000000e8000000002000020000000dd83bafa13c02c518fe2725ccfa5938eeba37be813e9acf7f26911f2fda83726200000002e27218f9f8fa7468e2d2c4375393d4afe5093ec00c00e69192a21c02ee2392d40000000b5e6c14a75d17c0801413e4f93c8d9b89b4133afd43c6e89902baadad8efa4d0485c9bf9e24803a739b9e8a2e551841640402d34db8aced08a3c9bc9445be3f1 | iexplore.exe
Set value (data) | SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30200fc8bec6d801 | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E8D572F3-32B1-11ED-AECB-FE977829BE37} = "0" | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Key created | SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3180831134" | iexplore.exe
Set value (data) | SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f06cfdc7bec6d801 | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3180831134" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (data) | SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d912000000000020000000000106600000001000020000000f4a58afcc9ce31919a0ac075080e5c59a81539054dc774cec65fce18339f2c51000000000e80000000020000200000007331b833a04dee4024425087aeed86f10067c413ea996690115154d93ce9426e20000000f5307dfdfbc7181a55678e6dd1eedbef0717649b3f341f552349d126b5e257654000000038a2170fb3fe401f90540df0f044ff8b9588d319005de4b08bffd2fb67fd2af1aa94b2ad0caa04b9a2f54cf82a97090bf71ca9721fd3bf536976b99887a1d62c | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30983870" | iexplore.exe
Set value (int) | SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30983870" | iexplore.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
3160 | taskmgr.exe (all 64 entries are identical and are collapsed here)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | process
4288 | Tuke.exe
3160 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeDebugPrivilege | 3160 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3160 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3160 | taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | process
1708 | iexplore.exe (1 entry)
3160 | taskmgr.exe (remaining 63 entries, identical and collapsed here)
Suspicious use of SendNotifyMessage (64 IoCs)
pid | process
3160 | taskmgr.exe (all 64 entries are identical and are collapsed here)
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | process
1708 | iexplore.exe (2 entries)
1936 | IEXPLORE.EXE (5 entries)
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | procid_target
PID 1708 wrote to memory of 1936 | 1708 | iexplore.exe | 104
PID 1708 wrote to memory of 1936 | 1708 | iexplore.exe | 104
PID 1708 wrote to memory of 1936 | 1708 | iexplore.exe | 104
Processes
(indentation shows the tree depth that the report marks as 1 and 2)

C:\Users\Admin\AppData\Local\Temp\Tuke.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Tuke.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  PID: 4288

C:\Program Files\Internet Explorer\iexplore.exe
  command line: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1708
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1708 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID: 1936

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /7
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3160

Reading the tree: Tuke.exe (PID 4288) has no children and trips only GetForegroundWindowSpam. iexplore.exe and taskmgr.exe are separate roots, not children of the sample, so the report gives no evidence that Tuke.exe launched them or wrote into them; the WriteProcessMemory hit is iexplore.exe (1708) writing to its own CREDAT content process (1936), which is how Internet Explorer normally starts tab processes. That is consistent with the 1/10 score and with the win7 task producing 0 signatures. Before treating any of the taskmgr.exe or iexplore.exe signatures as sample behavior, check which process raised each hit and whether that process descends from the sample.
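The check described above, written out as an added example that is not part of the Triage report: given the report's process tree and the PIDs listed under each signature, decide which signatures were raised by the sample or one of its descendants and which came only from processes outside its lineage. It also parses the SCSI Enum key path from the "Checks SCSI registry key(s)" hit into its Ven_/Prod_ fields and tests them against a list of virtual-disk vendor strings; that list (VMWARE, VBOX, VIRTUAL, QEMU, XEN) is an illustrative assumption about what anti-VM code looks for, not something the report states. PIDs, image names and signature names are copied from the report; the parent/child link for PID 1936 follows the SCODEF:1708 CREDAT launch shown in the tree.

```python
"""Attribute Triage signature hits to the submitted sample's process lineage.

Added example, not part of the Triage report.  PIDs, images and signature
names are copied from the report; parent links follow its process tree
(IEXPLORE.EXE 1936 is the CREDAT child of iexplore.exe 1708; Tuke.exe,
iexplore.exe and taskmgr.exe are separate roots).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int] = None  # None means a root of the process tree


# Process tree as shown in the report's "Processes" section.
PROCESSES: Dict[int, Proc] = {
    4288: Proc(4288, "Tuke.exe"),
    1708: Proc(1708, "iexplore.exe"),
    1936: Proc(1936, "IEXPLORE.EXE", parent=1708),
    3160: Proc(3160, "taskmgr.exe"),
}

# Signature -> PIDs that raised it, from the report's IoC tables
# (repeated entries for the same PID collapsed to one).
SIGNATURE_HITS: Dict[str, List[int]] = {
    "Checks SCSI registry key(s)": [3160],
    "Modifies Internet Explorer settings": [1708, 1936],
    "Suspicious behavior: EnumeratesProcesses": [3160],
    "Suspicious behavior: GetForegroundWindowSpam": [4288, 3160],
    "Suspicious use of AdjustPrivilegeToken": [3160],
    "Suspicious use of FindShellTrayWindow": [1708, 3160],
    "Suspicious use of SendNotifyMessage": [3160],
    "Suspicious use of SetWindowsHookEx": [1708, 1936],
    "Suspicious use of WriteProcessMemory": [1708],
}

SAMPLE_PID = 4288  # Tuke.exe in the report


def lineage(pid: int, procs: Dict[int, Proc]) -> List[int]:
    """Chain of PIDs from pid up to its root, e.g. lineage(1936) -> [1936, 1708]."""
    chain: List[int] = []
    seen = set()
    while pid in procs and pid not in seen:  # stops at a root (parent None)
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid].parent
    return chain


def descends_from(pid: int, ancestor: int, procs: Dict[int, Proc]) -> bool:
    """True if pid is ancestor itself or one of its descendants."""
    return ancestor in lineage(pid, procs)


def attribute(hits: Dict[str, List[int]], procs: Dict[int, Proc],
              sample_pid: int) -> Tuple[Dict[str, List[int]], Dict[str, List[str]]]:
    """Split signatures into those raised inside the sample's lineage and those
    raised only by unrelated processes (here the sandbox's own IE and Task Manager)."""
    from_sample: Dict[str, List[int]] = {}
    unrelated: Dict[str, List[str]] = {}
    for sig, pids in hits.items():
        mine = sorted({p for p in pids if descends_from(p, sample_pid, procs)})
        if mine:
            from_sample[sig] = mine
        else:
            unrelated[sig] = sorted({procs[p].image for p in pids if p in procs})
    return from_sample, unrelated


# Substrings anti-VM code commonly looks for in the SCSI Enum key.
# ASSUMPTION: illustrative list, not the one any particular family uses.
VM_MARKERS = ("VMWARE", "VBOX", "VIRTUAL", "QEMU", "XEN")


def parse_scsi_key(path: str) -> Tuple[str, str, bool]:
    """Extract Ven_/Prod_ from an ...\\Enum\\SCSI\\Disk&Ven_X&Prod_Y\\... key path
    and report whether they look like a virtual disk, which is the concern behind
    the 'Checks SCSI registry key(s)' signature."""
    device = next((seg for seg in path.split("\\") if seg.startswith("Disk&Ven_")), "")
    fields = dict(tok.split("_", 1) for tok in device.split("&") if "_" in tok)
    vendor, product = fields.get("Ven", ""), fields.get("Prod", "")
    looks_virtual = any(m in (vendor + product).upper() for m in VM_MARKERS)
    return vendor, product, looks_virtual


if __name__ == "__main__":
    from_sample, unrelated = attribute(SIGNATURE_HITS, PROCESSES, SAMPLE_PID)
    print("Raised by the sample or its children:")
    for sig, pids in from_sample.items():
        print(f"  {sig}: PIDs {pids}")
    print("Raised only by processes outside the sample's lineage:")
    for sig, images in unrelated.items():
        print(f"  {sig}: {', '.join(images)}")
    key = (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"
           r"\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName")
    print("SCSI key read by taskmgr.exe:", parse_scsi_key(key))
```

Run against the report's data, only GetForegroundWindowSpam is left attributed to the sample (PID 4288); every other signature resolves to iexplore.exe or taskmgr.exe, and the SCSI key path carries the vendor DADY and product HARDDISK, neither of which matches the assumed virtual-disk markers.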