Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
170s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
19/10/2022, 15:37
Static task
static1
Behavioral task
behavioral1
Sample
3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe
Resource
win10v2004-20220812-en
General
-
Target
3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe
-
Size
322KB
-
MD5
91f4c8526869f34f38b8eed628b557a1
-
SHA1
5757818e4bbcce1a481c70f1370578f190b676cb
-
SHA256
3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb
-
SHA512
b141483fed0ba742a2778659a1f7f28d969014c4016524e4bb478964c73755de4ccbd8815eec725573ba6fc40164955c97a77e4ed6979532695fb6a6ad824e87
-
SSDEEP
6144:ukuP43GMaCXZgY9jYYp5fp1VNB0acuz0dqy1jQS:ukuP43GCXdjjpBVNBVfzBy1sS
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeqdbl = "regsvr32.exe \"C:\\ProgramData\\toeqdbl.dat\"" 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeqdbl = "regsvr32.exe \"C:\\ProgramData\\toeqdbl.dat\"" Explorer.EXE -
Program crash 1 IoCs
pid pid_target Process procid_target 1080 3252 WerFault.exe 37 -
Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" Explorer.EXE -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" Explorer.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" Explorer.EXE -
Modifies registry class 18 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{7E440D50-1A3E-4171-AD54-22E83D644776} RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{7E440D50-1A3E-4171-AD54-22E83D644776} 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{7E440D50-1A3E-4171-AD54-22E83D644776} RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{31592EB9-2097-4F2E-B03F-7A3E799E2494} RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{31592EB9-2097-4F2E-B03F-7A3E799E2494} RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{31592EB9-2097-4F2E-B03F-7A3E799E2494} RuntimeBroker.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{7E440D50-1A3E-4171-AD54-22E83D644776}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c336135643361316536343631326565376437646461333537363166393833613164336237626364343261666533326565363765393433386134653936616365622e65786500 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{7E440D50-1A3E-4171-AD54-22E83D644776} sihost.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{31592EB9-2097-4F2E-B03F-7A3E799E2494}\{24E36B10-2332-4AFB-927E-511120F87D8C} = e6e6cb56 sihost.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{31592EB9-2097-4F2E-B03F-7A3E799E2494} Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{00261E27-52F6-4985-A297-2E1520AD7E1D} StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{31592EB9-2097-4F2E-B03F-7A3E799E2494} sihost.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{7E440D50-1A3E-4171-AD54-22E83D644776} taskhostw.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{7E440D50-1A3E-4171-AD54-22E83D644776} Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{31592EB9-2097-4F2E-B03F-7A3E799E2494} taskhostw.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{4819052B-70D1-48C0-A5FD-7E16098E024E} StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{7E440D50-1A3E-4171-AD54-22E83D644776} RuntimeBroker.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2556 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process Token: SeCreateGlobalPrivilege 2484 sihost.exe Token: SeShutdownPrivilege 2484 sihost.exe Token: SeDebugPrivilege 2484 sihost.exe Token: SeCreateGlobalPrivilege 2604 taskhostw.exe Token: SeShutdownPrivilege 2604 taskhostw.exe Token: SeDebugPrivilege 2604 taskhostw.exe Token: SeCreateGlobalPrivilege 2556 Explorer.EXE Token: SeShutdownPrivilege 2556 Explorer.EXE Token: SeDebugPrivilege 2556 Explorer.EXE Token: SeShutdownPrivilege 2556 Explorer.EXE Token: SeCreatePagefilePrivilege 2556 Explorer.EXE Token: SeCreateGlobalPrivilege 3352 StartMenuExperienceHost.exe Token: SeShutdownPrivilege 3352 StartMenuExperienceHost.exe Token: SeDebugPrivilege 3352 StartMenuExperienceHost.exe Token: SeCreateGlobalPrivilege 3420 RuntimeBroker.exe Token: SeShutdownPrivilege 3420 RuntimeBroker.exe Token: SeDebugPrivilege 3420 RuntimeBroker.exe Token: SeCreateGlobalPrivilege 3740 RuntimeBroker.exe Token: SeShutdownPrivilege 3740 RuntimeBroker.exe Token: SeDebugPrivilege 3740 RuntimeBroker.exe Token: SeCreateGlobalPrivilege 4844 RuntimeBroker.exe Token: SeShutdownPrivilege 4844 RuntimeBroker.exe Token: SeDebugPrivilege 4844 RuntimeBroker.exe Token: SeShutdownPrivilege 3420 RuntimeBroker.exe Token: SeShutdownPrivilege 3420 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1656 wrote to memory of 2484 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 13 PID 1656 wrote to memory of 2484 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 13 PID 1656 wrote to memory of 2604 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 43 PID 1656 wrote to memory of 2604 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 43 PID 1656 wrote to memory of 2556 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 39 PID 1656 wrote to memory of 2556 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 39 PID 1656 wrote to memory of 3252 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 37 PID 1656 wrote to memory of 3252 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 37 PID 1656 wrote to memory of 3352 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 36 PID 1656 wrote to memory of 3352 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 36 PID 1656 wrote to memory of 3420 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 15 PID 1656 wrote to memory of 3420 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 15 PID 1656 wrote to memory of 3512 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 35 PID 1656 wrote to memory of 3512 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 35 PID 1656 wrote to memory of 3740 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 34 PID 1656 wrote to memory of 3740 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 34 PID 1656 wrote to memory of 4844 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 16 PID 1656 wrote to memory of 4844 1656 3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe 16
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3420
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4844
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3512
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3352
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3252
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3252 -s 9842⤵
- Program crash
PID:1080
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe"C:\Users\Admin\AppData\Local\Temp\3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe"2⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 424 -p 3252 -ip 32521⤵PID:4688
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
244KB
MD5be297f52018cebfad9af9b432a53af29
SHA15111aa620f29b77048b5da629336923ff1e3cf25
SHA256fb99ca1d7e660b909e35801658ee556eb1e39b5b65c2d09f4824de332c0085fb
SHA5124bae920dd7fbce22284749c38812f15d97fee6d3ca66288d875a72922586c032f9cc80d236c64687b1c495972870109e73be5ca5ad313b98aedabe5d357c054c
-
Filesize
244KB
MD5be297f52018cebfad9af9b432a53af29
SHA15111aa620f29b77048b5da629336923ff1e3cf25
SHA256fb99ca1d7e660b909e35801658ee556eb1e39b5b65c2d09f4824de332c0085fb
SHA5124bae920dd7fbce22284749c38812f15d97fee6d3ca66288d875a72922586c032f9cc80d236c64687b1c495972870109e73be5ca5ad313b98aedabe5d357c054c