Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
19/09/2022, 00:03 UTC
Static task
static1
Behavioral task
behavioral1
Sample
04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe
Resource
win7-20220812-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
1 signatures
150 seconds
General
-
Target
04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe
-
Size
380KB
-
MD5
2af37e880eade257929567b95ecf53e0
-
SHA1
5d357f2aee3db018f5d3d764029d61cc66471634
-
SHA256
04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b
-
SHA512
e45c74d510b4410052ec89d7ecfee5d2b9785658960bd2c1041ee1049f8179052153b1acdeb6c0d53f202f0232fbe3f1f9d995a5002def49d124b82068977581
-
SSDEEP
6144:1i8RMpCQ0TexdCoNSQwMOu/L5NY5k7paog+4gyA1H1zZsQ6psGeDkXMg:M8RMpCQ2exdCGGMOu/iQtUA1A7R
Score
10/10
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe -
Disables taskbar notifications via registry modification
-
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1" 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\0C1CFAF10045EF49172EC2F4F875EF60 = "C:\\ProgramData\\0C1CFAF10045EF49172EC2F4F875EF60\\0C1CFAF10045EF49172EC2F4F875EF60.exe" 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe -
Suspicious use of SendNotifyMessage 5 IoCs
pid Process 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe 1812 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe"C:\Users\Admin\AppData\Local\Temp\04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe"1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1812
Network
-
GEThttp://112.121.178.190/api/urls/?ts=2010dfa0&affid=2035504f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exeRemote address:112.121.178.190:80RequestGET /api/urls/?ts=2010dfa0&affid=20355 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent:
Host: 112.121.178.190
ResponseHTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 19 Sep 2022 00:23:51 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
-
112.121.178.190:80http://112.121.178.190/api/urls/?ts=2010dfa0&affid=20355http04f59c381cbb547fc48937711dd266eab44536990bcc3099d471f43d1eb1496b.exe484 B 840 B 7 6
HTTP Request
GET http://112.121.178.190/api/urls/?ts=2010dfa0&affid=20355HTTP Response
404 -
152 B 3
No results found