Analysis
max time kernel: 48s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2022, 15:10
Static task: static1
Behavioral task: behavioral1
Sample: 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe
Resource: win7-20220901-en
General
Target: 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe
Size: 36KB
MD5: 2e5301c5190bee4c4ea97fad9fd86003
SHA1: 4c401e6cdf0250d68e30b5137586897a63ff629c
SHA256: 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207
SHA512: 8f416ae87c4513d692c8e64e860434cece3118a635ac7187f91621da4217917886add5352ea80826d7000bdebda59ae6cbf02ee109a3b0cb3c9f7279524c1642
SSDEEP: 384:Ew/jpHowi33kTwFJ40sBWhlabvdF2t7S9wd5ASc:/lH3i3yAJ8eMFF2pCI2
Malware Config
Signatures
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe

Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
pid | Process
1088 | k4.exe
4268 | k4.exe

Loads dropped DLL (2 IoCs)
pid | Process
2556 | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (2 IoCs)
pid | Process
1004 | taskkill.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1004 | taskkill.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2556 | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe

Suspicious use of WriteProcessMemory (26 IoCs)
description | pid | Process | procid_target
PID 2556 wrote to memory of 4872 | 2556 | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe | 83
PID 4872 wrote to memory of 1004 | 4872 | cmd.exe | 85
PID 2556 wrote to memory of 1088 | 2556 | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe | 86
PID 2556 wrote to memory of 4268 | 2556 | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe | 87
PID 2556 wrote to memory of 1764 | 2556 | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe | 88
PID 2556 wrote to memory of 4872 | 2556 | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe | 172
PID 4872 wrote to memory of 1004 | 4872 | cmd.exe | 174
PID 2556 wrote to memory of 1088 | 2556 | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe | 175
PID 2556 wrote to memory of 4268 | 2556 | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe | 176
PID 2556 wrote to memory of 1764 | 2556 | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe | 177

System policy modification (1 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe
Processes
C:\Users\Admin\AppData\Local\Temp\3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe (PID:2556)
  command line: "C:\Users\Admin\AppData\Local\Temp\3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe"
  - UAC bypass
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\SysWOW64\cmd.exe (PID:4872)
    command line: cmd.exe /c taskkill /f /t /im dllhosts.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe (PID:1004)
      command line: taskkill /f /t /im dllhosts.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Public\Documents\k4.exe (PID:1088)
    command line: C:/Users/Public/Documents/k4.exe
    - Executes dropped EXE
  C:\Users\Public\Documents\k4.exe (PID:4268)
    command line: C:/Users/Public/Documents/k4.exe /D
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID:1764)
    command line: cmd.exe /c taskkill /f /t /im k4.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 44KB
MD5: 0a47b35697a401f4471c3f49820dbb76
SHA1: fb2f73e3e79955f3601272d1daa144f64d81547f
SHA256: baafb6435287b35b3f4808958439b6a2aa04aaa9e4ce95d7e46855c874fb1e66
SHA512: 89c5808643311d6053a1b9e21948fae07436e1e8d861d520dfc3fa91f078aabb3227ed461ec59e9977e4e6db4840e79d36ee73caab5bfa5cf303a4c6385d38db

Filesize: 892KB
MD5: 33e29221e2825001d32f78632217d250
SHA1: 9122127fc91790a1edb78003e9b58a9b00355ed5
SHA256: 65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA512: 01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93