Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/09/2022, 04:02
Static task: static1
Behavioral task: behavioral1
  Sample: Full Install.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Full Install.exe
  Resource: win10v2004-20220812-en
General
Target: Full Install.exe
Size: 1.3MB
MD5: 70364fa4e186b91a1782ac29a13bb3ad
SHA1: 1f4c9fb938ac2d78a8a3ea091bd9395e962d5589
SHA256: 72592d99f4521b4cc9014bc2a361e84382de2e12610aa32ea5927a6d75228939
SHA512: d2ad64ece3371d90ff140d9ed27ffcfa93bbadd9175f7b08feaefb8e4ea9203dcf23b4f98a23fb19969c03aee85f8986096e21678eb746f9b89e4156c40a23dd
SSDEEP: 24576:4RmJkcoQricOIQxiZY1iazQGeD9EMuoKqFX8amJ54lkrNu/3vL:9JZoQrbTFZY1iaXs9EMb1sxL3rA3vL
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 10 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\calc.exe = "C:\\Windows\\SysWOW64\\calc.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winload.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winload.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe

Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | calc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Microsoft OS = "C:\\Users\\Admin\\AppData\\Roaming\\winload.exe" | calc.exe

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{3F1A0BCF-CCEB-2A64-BC0D-C5274F6AE8CC} | calc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{3F1A0BCF-CCEB-2A64-BC0D-C5274F6AE8CC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\winload.exe" | calc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F1A0BCF-CCEB-2A64-BC0D-C5274F6AE8CC} | calc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F1A0BCF-CCEB-2A64-BC0D-C5274F6AE8CC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\winload.exe" | calc.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OS = "C:\\Users\\Admin\\AppData\\Roaming\\winload.exe" | calc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | calc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft OS = "C:\\Users\\Admin\\AppData\\Roaming\\winload.exe" | calc.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | calc.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 4988 set thread context of 1416 | 4988 | Full Install.exe | 82

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry key (1 TTPs, 4 IoCs)
pid | Process
4256 | reg.exe
4164 | reg.exe
456 | reg.exe
5056 | reg.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
All 35 entries are for pid 1416 (calc.exe). Tokens: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35.

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
1416 | calc.exe (4 entries)

Suspicious use of WriteProcessMemory (29 IoCs)
Rows grouped by source and target; procid_target is the report's own target process identifier, distinct from the PID.
source pid (Process) -> target pid | procid_target | entries
4988 (Full Install.exe) -> 1416 | 82 | 5
1416 (calc.exe) -> 668 | 83 | 3
1416 (calc.exe) -> 4960 | 84 | 3
1416 (calc.exe) -> 4972 | 86 | 3
1416 (calc.exe) -> 4920 | 87 | 3
668 (cmd.exe) -> 456 | 91 | 3
4960 (cmd.exe) -> 5056 | 92 | 3
4920 (cmd.exe) -> 4256 | 93 | 3
4972 (cmd.exe) -> 4164 | 94 | 3
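The registry activity listed above is the whole of this sample's persistence and firewall tampering: DoNotAllowExceptions = 0 keeps firewall exceptions enabled (the value is inverted, 0 means exceptions are honoured), the AuthorizedApplications\List entries use the legacy "<path>:<scope>:Enabled:<name>" format with scope "*" (any remote address), and winload.exe in AppData\Roaming is registered three different ways (Run, Policies\Explorer\Run and an Active Setup StubPath). The Python hunt below is an added example, not tria.ge code: it turns those IoCs into rules and runs them over registry-write events constructed from this report. The RegEvent shape, the rule names, the severity levels and the USER_WRITABLE prefix list are assumptions made for the example.

```python
"""Hunt over registry-write events for the pattern in this report: the
FirewallPolicy exceptions switch set to 0, applications authorised through
the firewall, and Run / Policies\Explorer\Run / Active Setup StubPath
persistence pointing into user-writable paths.
Added example; the events below are constructed from the IoCs in the
Signatures section rather than collected from a live host."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    process: str  # image that performed the write, e.g. reg.exe or calc.exe
    path: str     # full value path under \REGISTRY\MACHINE or \REGISTRY\USER
    data: str     # value data rendered as a string (DWORDs as decimal text)


# Locations an unprivileged user can write to (assumed list). A persistence
# or firewall entry pointing here is far more suspicious than one under
# Program Files or Windows.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)"
    r"|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
# First Windows path inside value data; stops at ':' so the legacy firewall
# format "<path>:*:Enabled:<name>" yields just <path>.
WIN_PATH = re.compile(r'[A-Z]:\\[^:*?"<>|]+', re.IGNORECASE)

# Registry paths are case-insensitive; the report itself mixes
# "...\Policies\Explorer\run" and "...\CurrentVersion\Run".
RULES = {
    "firewall-exceptions-enabled": re.compile(
        r"\\FirewallPolicy\\[^\\]+\\DoNotAllowExceptions$", re.IGNORECASE),
    "firewall-authorized-app": re.compile(
        r"\\FirewallPolicy\\[^\\]+\\AuthorizedApplications\\List\\", re.IGNORECASE),
    "run-key": re.compile(
        r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE),
    "policies-explorer-run": re.compile(
        r"\\Policies\\Explorer\\Run\\[^\\]+$", re.IGNORECASE),
    "active-setup-stubpath": re.compile(
        r"\\Active Setup\\Installed Components\\\{[0-9A-F-]+\}\\StubPath$", re.IGNORECASE),
}


def target_path(data: str) -> str | None:
    """Return the executable path a value points at, or None."""
    m = WIN_PATH.search(data)
    return m.group(0).strip() if m else None


def analyse(event: RegEvent) -> dict | None:
    """Classify one registry write; None when it matches no rule or looks benign."""
    for rule, pattern in RULES.items():
        if not pattern.search(event.path):
            continue
        if rule == "firewall-exceptions-enabled":
            # 0 means "allow exceptions": the AuthorizedApplications list is honoured.
            if event.data.strip() != "0":
                return None
            return {"rule": rule, "severity": "high", "process": event.process, "target": None}
        path = target_path(event.data)
        if path is None:
            return None
        if USER_WRITABLE.match(path):
            severity = "high"
        elif rule == "firewall-authorized-app":
            severity = "medium"  # any new firewall exception deserves review
        else:
            return None  # Run-style entry under Program Files / Windows: not flagged here
        return {"rule": rule, "severity": severity, "process": event.process, "target": path}
    return None


def hunt(events: list[RegEvent]) -> list[dict]:
    return [f for f in map(analyse, events) if f is not None]


SAMPLE_EVENTS = [  # constructed from the report's Signatures section
    RegEvent("reg.exe",
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
             r"\FirewallPolicy\StandardProfile\DoNotAllowExceptions", "0"),
    RegEvent("reg.exe",
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
             r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\calc.exe",
             r"C:\Windows\SysWOW64\calc.exe:*:Enabled:Windows Messanger"),
    RegEvent("reg.exe",
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
             r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winload.exe",
             r"C:\Users\Admin\AppData\Roaming\winload.exe:*:Enabled:Windows Messanger"),
    RegEvent("calc.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Microsoft OS",
             r"C:\Users\Admin\AppData\Roaming\winload.exe"),
    RegEvent("calc.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft OS",
             r"C:\Users\Admin\AppData\Roaming\winload.exe"),
    RegEvent("calc.exe",
             r"\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft"
             r"\Active Setup\Installed Components\{3F1A0BCF-CCEB-2A64-BC0D-C5274F6AE8CC}\StubPath",
             r"C:\Users\Admin\AppData\Roaming\winload.exe"),
    # Benign control (constructed): a vendor installer registering an updater.
    RegEvent("setup.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
             r"C:\Program Files\Vendor\updater.exe"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Feeding this from a real source (Sysmon Event ID 13 registry value sets, or EDR registry telemetry) only means filling RegEvent from that source's fields. The Run-style rules deliberately ignore targets under Program Files or Windows so that a vendor updater does not page anyone; the firewall rule still reports a system-path entry such as calc.exe at medium, because a stock Windows applet has no reason to be whitelisted through the firewall.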
Processes

C:\Users\Admin\AppData\Local\Temp\Full Install.exe (PID 4988, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Full Install.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\calc.exe (PID 1416, depth 2, parent 4988)
    command line: "C:\Windows\SysWOW64\calc.exe"
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 668, depth 3, parent 1416)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (PID 456, depth 4, parent 668)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe (PID 4960, depth 3, parent 1416)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\calc.exe" /t REG_SZ /d "C:\Windows\SysWOW64\calc.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (PID 5056, depth 4, parent 4960)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\calc.exe" /t REG_SZ /d "C:\Windows\SysWOW64\calc.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe (PID 4972, depth 3, parent 1416)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (PID 4164, depth 4, parent 4972)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe (PID 4920, depth 3, parent 1416)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winload.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winload.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (PID 4256, depth 4, parent 4920)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winload.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winload.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
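The tree shows the execution chain: Full Install.exe starts a 32-bit calc.exe from SysWOW64, writes into it and resets its thread context (the process-hollowing pattern), after which calc.exe, not the installer, does all the registry work through four cmd.exe / reg.exe pairs. Note that the report credits every parent with WriteProcessMemory into its child, including cmd.exe into reg.exe, so on its own that signature is ordinary process-creation noise here; the SetThreadContext call on a child running a different binary is what singles out 4988 -> 1416. The Python below is an added example, not part of the tria.ge report: it reconstructs both observations from a process table and an API event list constructed from this page. The Proc record, the GUI_APPLETS / SHELLS / SENSITIVE_KEYS lists and the finding format are assumptions made for the example, and only two of the four cmd/reg pairs are included.

```python
"""Reconstruct the injection-then-LOLBin chain from this report's process
events. Two checks: (1) a parent that both writes into a child and resets the
child's thread context, where the child runs a different binary, is the
process-hollowing pattern (Full Install.exe into calc.exe here); (2) a GUI
applet such as calc.exe spawning cmd.exe / reg.exe whose command line edits
firewall or persistence keys. Added example; the process table and API
events are constructed from the Processes and Signatures sections."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    parent: int | None
    image: str
    cmdline: str


# Command lines copied from the report's process tree.
REG_DONOTALLOW = (r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters'
                  r'\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f')
REG_AUTHAPP = (r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters'
               r'\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
               r' /v "C:\Users\Admin\AppData\Roaming\winload.exe" /t REG_SZ'
               r' /d "C:\Users\Admin\AppData\Roaming\winload.exe:*:Enabled:Windows Messanger" /f')

# Constructed from the report's process tree (two of the four cmd/reg pairs).
PROCS = {
    4988: Proc(4988, None, r"C:\Users\Admin\AppData\Local\Temp\Full Install.exe",
               r'"C:\Users\Admin\AppData\Local\Temp\Full Install.exe"'),
    1416: Proc(1416, 4988, r"C:\Windows\SysWOW64\calc.exe", r'"C:\Windows\SysWOW64\calc.exe"'),
    668: Proc(668, 1416, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c " + REG_DONOTALLOW),
    456: Proc(456, 668, r"C:\Windows\SysWOW64\reg.exe", REG_DONOTALLOW),
    4920: Proc(4920, 1416, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c " + REG_AUTHAPP),
    4256: Proc(4256, 4920, r"C:\Windows\SysWOW64\reg.exe", REG_AUTHAPP),
}

# (api, source_pid, target_pid), constructed from the Signatures section.
# Every parent shows a write into its child, so WriteProcessMemory alone is
# noise; SetThreadContext on the same child is the discriminating signal.
API_EVENTS = [
    ("WriteProcessMemory", 4988, 1416),
    ("SetThreadContext", 4988, 1416),
    ("WriteProcessMemory", 1416, 668),
    ("WriteProcessMemory", 1416, 4920),
    ("WriteProcessMemory", 668, 456),
    ("WriteProcessMemory", 4920, 4256),
]

# Assumed lists: applets that never legitimately spawn shells, and the
# registry locations whose edits deserve a look regardless of parent.
GUI_APPLETS = {"calc.exe", "notepad.exe", "mspaint.exe", "wordpad.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "reg.exe"}
SENSITIVE_KEYS = ("\\FirewallPolicy\\", "\\CurrentVersion\\Run",
                  "\\Policies\\Explorer\\Run", "\\Active Setup\\")


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(procs: dict[int, Proc], pid: int) -> list[str]:
    """Image names from the root of the tree down to pid."""
    chain = []
    while pid is not None:
        chain.append(basename(procs[pid].image))
        pid = procs[pid].parent
    return chain[::-1]


def hollowing_candidates(procs: dict[int, Proc], api_events) -> list[tuple[int, int]]:
    """(source, target) pairs where a parent both wrote into and re-pointed a
    child that runs a different binary than the parent."""
    by_api: dict[str, set[tuple[int, int]]] = {}
    for api, src, dst in api_events:
        by_api.setdefault(api, set()).add((src, dst))
    both = by_api.get("WriteProcessMemory", set()) & by_api.get("SetThreadContext", set())
    hits = []
    for src, dst in sorted(both):
        s, d = procs[src], procs[dst]
        if d.parent == src and basename(s.image) != basename(d.image):
            hits.append((src, dst))
    return hits


def suspicious_chains(procs: dict[int, Proc]) -> list[dict]:
    """GUI applets spawning shells, plus any child whose command line touches
    firewall or persistence keys; each finding carries the full ancestry."""
    findings = []
    for p in procs.values():
        if p.parent is None:
            continue
        parent = procs[p.parent]
        reasons = []
        if basename(parent.image) in GUI_APPLETS and basename(p.image) in SHELLS:
            reasons.append(f"{basename(parent.image)} spawned {basename(p.image)}")
        if any(k.lower() in p.cmdline.lower() for k in SENSITIVE_KEYS):
            reasons.append("command line edits firewall/persistence keys")
        if reasons:
            findings.append({"pid": p.pid, "chain": " > ".join(ancestry(procs, p.pid)),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("hollowing:", hollowing_candidates(PROCS, API_EVENTS))
    for f in suspicious_chains(PROCS):
        print(f)
```

The image-name comparison in hollowing_candidates is what keeps self-re-execution (an updater restarting its own binary under a debugger-style loop) out of the result; drop it only if the telemetry already distinguishes CreateProcess writes from later WriteProcessMemory calls.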