Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/09/2022, 11:35
Static task: static1
Behavioral task: behavioral1
- Sample: 24ea6b7f6e8f941bb616e24dc8b0abad3f11945704e1babaf38a7aeb0246d71f.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 24ea6b7f6e8f941bb616e24dc8b0abad3f11945704e1babaf38a7aeb0246d71f.exe
- Resource: win10v2004-20220812-en
General
- Target: 24ea6b7f6e8f941bb616e24dc8b0abad3f11945704e1babaf38a7aeb0246d71f.exe
- Size: 180KB
- MD5: 2d8462b9f8252c83bb461cd14010b2bd
- SHA1: a05fa49c558fa2e6439a814d72056fc9b3a748d8
- SHA256: 24ea6b7f6e8f941bb616e24dc8b0abad3f11945704e1babaf38a7aeb0246d71f
- SHA512: 10698b5e857c9fe6d6a40791c5b01a12b610d6760053c6c44353d2d735e8c98f0446e302b712232bf81f93bf3a06bb1efd565206ef4a0807fb3fbd82e1ba2845
- SSDEEP: 3072:pXvTb0Y5FmB3nF7WZvr3OBCR+L550cmZ9Sm4vQeVDjee3RpMOGPv:pfMQFmB3nF7Whr3OBCITagbJDjee3Rpg
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  PID 564 winlogon.exe; PID 4644 winlogon.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created by 24ea6b7f6e8f941bb616e24dc8b0abad3f11945704e1babaf38a7aeb0246d71f.exe: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Set value (str) by 24ea6b7f6e8f941bb616e24dc8b0abad3f11945704e1babaf38a7aeb0246d71f.exe: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winlogon.exe"
  The value name "Windows" and the file name winlogon.exe both imitate legitimate Windows components; the real winlogon.exe lives in C:\Windows\System32, not in a user's AppData\Roaming.
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  winlogon.exe opened (read-only) every drive root from \??\E: to \??\Z: (22 letters: E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 3424 (24ea6b7f6e8f941bb616e24dc8b0abad3f11945704e1babaf38a7aeb0246d71f.exe) set thread context of PID 3524 (target index 79)
  PID 564 (winlogon.exe) set thread context of PID 4644 (target index 81)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4644 winlogon.exe (2 hits)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3424 24ea6b7f6e8f941bb616e24dc8b0abad3f11945704e1babaf38a7aeb0246d71f.exe; PID 564 winlogon.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  PID 3424 (24ea6b7f6e8f941bb616e24dc8b0abad3f11945704e1babaf38a7aeb0246d71f.exe) wrote to memory of PID 3524 (target index 79): 13 hits
  PID 3524 (24ea6b7f6e8f941bb616e24dc8b0abad3f11945704e1babaf38a7aeb0246d71f.exe) wrote to memory of PID 564 (target index 80): 3 hits
  PID 564 (winlogon.exe) wrote to memory of PID 4644 (target index 81): 13 hits
  Note that in both cases the writer and the target run the same image (3424/3524 are both the sample, 564/4644 are both the dropped winlogon.exe), and each write burst is paired with a SetThreadContext on the same child: the parent creates a child of its own image, rewrites its memory and redirects its thread. The 3 writes from 3524 into 564 are the parent writing into the child it has just spawned and are not paired with SetThreadContext.
Processes
- C:\Users\Admin\AppData\Local\Temp\24ea6b7f6e8f941bb616e24dc8b0abad3f11945704e1babaf38a7aeb0246d71f.exe (PID 3424), command line: "C:\Users\Admin\AppData\Local\Temp\24ea6b7f6e8f941bb616e24dc8b0abad3f11945704e1babaf38a7aeb0246d71f.exe"
  Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\24ea6b7f6e8f941bb616e24dc8b0abad3f11945704e1babaf38a7aeb0246d71f.exe (PID 3524), command line: C:\Users\Admin\AppData\Local\Temp\24ea6b7f6e8f941bb616e24dc8b0abad3f11945704e1babaf38a7aeb0246d71f.exe
    Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe (PID 564), command line: C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
      Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe (PID 4644), command line: C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
        Executes dropped EXE; Enumerates connected drives; Suspicious behavior: EnumeratesProcesses
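The chain above (same-image parent writes into its child and resets the child's thread context, a Run value named "Windows" pointing a winlogon.exe outside System32, and one process touching every drive root E: through Z:) is the sort of thing a detection engineer would want to express as rules rather than read off a report. The following is an added example, not code from the Triage report or from the sample: the EVENTS log is constructed from the report's process tree and signature tables (PIDs 3424, 3524, 564, 4644, the Run value and the drive sweep) in a tab-separated layout of this example's own (kind, pid, target, detail); Triage's real export format differs, and the SYSTEM_BINARIES list and the drive-sweep threshold are assumptions.

```python
"""Detection rules over the behaviours in this report (added example).

EVENTS is constructed from the report; the column layout (kind, pid, target,
detail) is this example's own, not Triage's export format.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\24ea6b7f6e8f941bb616e24dc8b0abad3f11945704e1babaf38a7aeb0246d71f.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe"
RUN_KEY = r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed event log. For proc_start the "target" column holds the parent PID.
EVENTS = "\n".join(
    [
        f"proc_start\t3424\t-\t{SAMPLE}",
        f"proc_start\t3524\t3424\t{SAMPLE}",
        "write_memory\t3424\t3524\t-",
        "set_thread_context\t3424\t3524\t-",
        f"reg_set\t3524\t-\t{RUN_KEY}\\Windows={DROPPED}",
        f"proc_start\t564\t3524\t{DROPPED}",
        "write_memory\t3524\t564\t-",
        f"proc_start\t4644\t564\t{DROPPED}",
        "write_memory\t564\t4644\t-",
        "set_thread_context\t564\t4644\t-",
    ]
    + [f"file_open\t4644\t-\t\\??\\{d}:" for d in "EFGHIJKLMNOPQRSTUVWXYZ"]
)

# Assumed short list of names that only legitimately run from a Windows system directory.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Za-z]):$")  # matches \??\X:


def parse_events(text):
    """Turn the tab-separated log into dicts; '-' means no target/parent."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, pid, target, detail = line.split("\t", 3)
        events.append({"kind": kind, "pid": int(pid),
                       "target": None if target == "-" else int(target),
                       "detail": detail})
    return events


def _exe_from_run_value(value):
    """Executable path from a Run value: honour quoting, else cut at the first space."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def masquerading_run_keys(events):
    """Run values whose executable has a system-binary name but a non-system directory."""
    findings = []
    for e in events:
        if e["kind"] != "reg_set":
            continue
        key_path, _, value = e["detail"].partition("=")
        parent_key, value_name = ntpath.split(key_path)
        if not parent_key.lower().endswith(r"\currentversion\run"):
            continue
        exe = _exe_from_run_value(value)
        if (ntpath.basename(exe).lower() in SYSTEM_BINARIES
                and ntpath.dirname(exe).lower() not in SYSTEM_DIRS):
            findings.append((value_name, exe))
    return findings


def hollowing_chains(events):
    """(writer, target, image) where a process wrote into a child running its own
    image and also reset that child's thread context; a plain parent-to-child
    write at process creation (3524 -> 564 here) does not qualify."""
    image = {e["pid"]: e["detail"] for e in events if e["kind"] == "proc_start"}
    parent = {e["pid"]: e["target"] for e in events if e["kind"] == "proc_start"}
    writes = {(e["pid"], e["target"]) for e in events if e["kind"] == "write_memory"}
    ctx = {(e["pid"], e["target"]) for e in events if e["kind"] == "set_thread_context"}
    return [(src, dst, ntpath.basename(image[dst]))
            for src, dst in sorted(writes & ctx)
            if parent.get(dst) == src and image.get(src) == image.get(dst)]


def drive_sweeps(events, threshold=5):
    """PIDs that opened at least `threshold` distinct drive roots (threshold is an assumption)."""
    roots = defaultdict(set)
    for e in events:
        if e["kind"] == "file_open":
            m = DRIVE_ROOT.match(e["detail"])
            if m:
                roots[e["pid"]].add(m.group(1).upper())
    return {pid: sorted(r) for pid, r in roots.items() if len(r) >= threshold}


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    print("masquerading Run values:", masquerading_run_keys(ev))
    print("same-image hollowing chains:", hollowing_chains(ev))
    print("drive sweeps:", drive_sweeps(ev))
```

On a live host the equivalent of the first rule is a look at `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` for any value whose executable name matches a Windows system binary but whose directory is under a user profile; the genuine winlogon.exe runs from C:\Windows\System32 as SYSTEM and is never started from a Run key. The hollowing rule deliberately requires both the write and the SetThreadContext on the same parent-to-child pair, because a parent writing into a freshly created child is normal process start-up behaviour.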
Network
MITRE ATT&CK Enterprise v6
Downloads
Three file artifacts are listed for download; all three carry exactly the hashes of the submitted sample, so the dropped C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe is a byte-identical copy of the original executable rather than a separately unpacked payload.
- Filesize: 180KB
- MD5: 2d8462b9f8252c83bb461cd14010b2bd
- SHA1: a05fa49c558fa2e6439a814d72056fc9b3a748d8
- SHA256: 24ea6b7f6e8f941bb616e24dc8b0abad3f11945704e1babaf38a7aeb0246d71f
- SHA512: 10698b5e857c9fe6d6a40791c5b01a12b610d6760053c6c44353d2d735e8c98f0446e302b712232bf81f93bf3a06bb1efd565206ef4a0807fb3fbd82e1ba2845