Analysis

- max time kernel: 117s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/11/2022, 10:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14.exe
- Resource: win7-20221111-en
General

- Target: a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14.exe
- Size: 892KB
- MD5: 1bef42c95ca61b738b459b9c48f7c1e0
- SHA1: 1c2119f0c5fac62a54a78dbd9cfa32018a917aa7
- SHA256: a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14
- SHA512: e58f0bda2985fc7641ab6f69e85a5125b7ce86dffd9e90a29539663d0924f14b32453fdcc8d65389fbb88818083136f12dccda4c8c38058cf957623ee8c2413a
- SSDEEP: 24576:aQRvNENgL3cxDgUEesiHYo5OrP5+KtK930UZI/Z:pEjVgUEesiHYo5OrP5+KtK930UZq
Malware Config
Signatures
Executes dropped EXE (2 IoCs)

pid | Process
384 | a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14Srv.exe
3964 | DesktopLayer.exe

resource | yara_rule
behavioral2/files/0x000a000000022dfd-134.dat | upx
behavioral2/files/0x000a000000022dfd-135.dat | upx
behavioral2/files/0x0009000000022e0e-137.dat | upx
behavioral2/files/0x0009000000022e0e-138.dat | upx
behavioral2/memory/384-140-0x0000000000400000-0x000000000042E000-memory.dmp | upx
behavioral2/memory/3964-141-0x0000000000400000-0x000000000042E000-memory.dmp | upx
Drops file in Program Files directory (3 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\px791D.tmp | a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14Srv.exe
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14Srv.exe
File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14Srv.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)

pid | Process
3964 | DesktopLayer.exe
3964 | DesktopLayer.exe
3964 | DesktopLayer.exe
3964 | DesktopLayer.exe
3964 | DesktopLayer.exe
3964 | DesktopLayer.exe
3964 | DesktopLayer.exe
3964 | DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)

pid | Process
912 | iexplore.exe

Suspicious use of FindShellTrayWindow (1 IoC)

pid | Process
912 | iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)

pid | Process
912 | iexplore.exe
912 | iexplore.exe
4736 | IEXPLORE.EXE
4736 | IEXPLORE.EXE
4736 | IEXPLORE.EXE
4736 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (11 IoCs)

description | pid | Process | procid_target
PID 1684 wrote to memory of 384 | 1684 | a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14.exe | 84
PID 1684 wrote to memory of 384 | 1684 | a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14.exe | 84
PID 1684 wrote to memory of 384 | 1684 | a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14.exe | 84
PID 384 wrote to memory of 3964 | 384 | a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14Srv.exe | 85
PID 384 wrote to memory of 3964 | 384 | a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14Srv.exe | 85
PID 384 wrote to memory of 3964 | 384 | a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14Srv.exe | 85
PID 3964 wrote to memory of 912 | 3964 | DesktopLayer.exe | 86
PID 3964 wrote to memory of 912 | 3964 | DesktopLayer.exe | 86
PID 912 wrote to memory of 4736 | 912 | iexplore.exe | 87
PID 912 wrote to memory of 4736 | 912 | iexplore.exe | 87
PID 912 wrote to memory of 4736 | 912 | iexplore.exe | 87
Processes

C:\Users\Admin\AppData\Local\Temp\a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1684

  C:\Users\Admin\AppData\Local\Temp\a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14Srv.exe
    command line: C:\Users\Admin\AppData\Local\Temp\a15b4af5b1f2fe5f6eaccf86d456611082eebfe77c9f13251d4763049e914c14Srv.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID: 384

    C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3964

      C:\Program Files\Internet Explorer\iexplore.exe
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        - Modifies Internet Explorer settings
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 912

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:912 CREDAT:17410 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID: 4736
Network
MITRE ATT&CK Enterprise v6
Downloads