Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 11:03
Static task: static1
Behavioral task: behavioral1
  Sample: 4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe
  Resource: win10v2004-20220812-en
General
Target: 4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe
Size: 188KB
MD5: dfe7e88d21b52910db49dee9ed343f49
SHA1: deaf5577dd1faa28dbe5af9f445ea319d974150c
SHA256: 4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b
SHA512: d27334ce043508cb119b734ea6f54cffe28f6052c91ecf93864e4a9abb73948773eba21a244d8724ec16b48de13bb52a8568152f971558955879ae063cf7f57d
SSDEEP: 3072:vcKqiTArW8kxTVVx1c/Vh2yOL6ZwanDej6yVj4lk0nDHvosuW8xeTwwMhs4v:Rz8CVVW2RLywGSj1VjvGrl8x4Mhs4v
Malware Config
Signatures
Executes dropped EXE 1 IoCs
pid   Process
4876  4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe

Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process                                                                  procid_target
PID 4208 set thread context of 4876  4208  4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe  79
Modifies Internet Explorer settings 20 IoCs
description       ioc                                                                                                                                                                   Process
Key created       \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main                                                               IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"                         IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main                                                               IEXPLORE.EXE
Set value (str)   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"                                             IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"                         IEXPLORE.EXE
Set value (str)   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"                      IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1497300500"               IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"                  IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1497300500"       IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999296"        IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"                                      IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8473AE6E-6EF3-11ED-B696-5203DB9D3E0F} = "0"  IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                                                 IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion                                                   IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375784662"                      IEXPLORE.EXE
Set value (data)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery                                           IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999296"                IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive                                               IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager                                                     IEXPLORE.EXE

Note that every entry above is attributed to IEXPLORE.EXE (PIDs 1276 and 4292), not to the sample. These are the VersionManager, Recovery, WindowsSearch and Window_Placement keys Internet Explorer maintains itself when it is started, so this signature reflects the browser being launched by the sample rather than settings the sample wrote directly.
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid   Process
4876  4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe (3 hits)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
1276  IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   Process
Token: SeDebugPrivilege  4876  4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe
Token: SeDebugPrivilege  4876  4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe
Token: SeDebugPrivilege  4292  IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
1276  IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs
pid   Process
4208  4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe
1276  IEXPLORE.EXE (2 hits)
4292  IEXPLORE.EXE (4 hits)

Suspicious use of WriteProcessMemory 19 IoCs
description                         pid   Process                                                                  procid_target  hits
PID 4208 wrote to memory of 4876    4208  4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe  79             9
PID 4876 wrote to memory of 396     4876  4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe  80             3
PID 396 wrote to memory of 1276     396   iexplore.exe                                                             81             2
PID 1276 wrote to memory of 4292    1276  IEXPLORE.EXE                                                             82             3
PID 4876 wrote to memory of 4292    4876  4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe  82             2
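The WriteProcessMemory and SetThreadContext tables above are the rows an analyst reads together to separate ordinary process creation from injection. The script below is an added worked example, not code from tria.ge or from this report: it parses rows in the report's own "PID <src> wrote to memory of <dst> <src> <image> <n>" layout, joins them with the process tree, and labels each writer-to-target pair. The rows and the tree are transcribed from this page; the three-way classification (thread-context change plus write, write into a process that is not the writer's child, plain parent-to-child write) is the editor's own heuristic, not a tria.ge rule.

```python
"""Classify the cross-process writes reported by tria.ge for this sample.

Added example, not part of the tria.ge report. Rows mirror the report's
'Suspicious use of WriteProcessMemory' / 'SetThreadContext' tables:
    PID <src> wrote to memory of <dst> <src> <image> <procid_target>
    PID <src> set thread context of <dst> <src> <image> <procid_target>
"""
import re
from collections import defaultdict

SAMPLE = "4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe"

# Process tree as printed in the report: pid -> (parent pid, image). Root parent is None.
PROCESS_TREE = {
    4208: (None, SAMPLE),
    4876: (4208, SAMPLE),
    396:  (4876, "iexplore.exe"),
    1276: (396,  "IEXPLORE.EXE"),
    4292: (1276, "IEXPLORE.EXE"),
}

# Signature rows transcribed from the report; one tuple per API call, so the
# 4208 -> 4876 write appears nine times exactly as it does on the page.
SIGNATURE_ROWS = (
    [("SetThreadContext", f"PID 4208 set thread context of 4876 4208 {SAMPLE} 79")]
    + [("WriteProcessMemory", f"PID 4208 wrote to memory of 4876 4208 {SAMPLE} 79")] * 9
    + [("WriteProcessMemory", f"PID 4876 wrote to memory of 396 4876 {SAMPLE} 80")] * 3
    + [("WriteProcessMemory", "PID 396 wrote to memory of 1276 396 iexplore.exe 81")] * 2
    + [("WriteProcessMemory", "PID 1276 wrote to memory of 4292 1276 IEXPLORE.EXE 82")] * 3
    + [("WriteProcessMemory", f"PID 4876 wrote to memory of 4292 4876 {SAMPLE} 82")] * 2
)

ROW_RE = re.compile(
    r"^PID (\d+) (?:wrote to memory|set thread context) of (\d+) \d+ (\S+) \d+$"
)


def parse_rows(rows):
    """Return {(src_pid, dst_pid): {api_name: call_count}} from (api, row) tuples."""
    pairs = defaultdict(lambda: defaultdict(int))
    for api, row in rows:
        match = ROW_RE.match(row)
        if not match:
            raise ValueError(f"unrecognised signature row: {row!r}")
        src, dst = int(match.group(1)), int(match.group(2))
        pairs[(src, dst)][api] += 1
    return {pair: dict(apis) for pair, apis in pairs.items()}


def classify(pairs, tree):
    """Label each writer -> target pair (editor's heuristic, not a tria.ge rule).

    hollowing/thread-hijack: the writer both wrote the target's memory and
        changed a thread context in it, the classic hollowing combination.
    injection-into-running-process: the target is not the writer's direct
        child, so the memory was written into a process that already existed.
    process-creation: a parent writing only into its own new child, which is
        what normal process start-up looks like and is not suspicious by itself.
    """
    verdicts = {}
    for (src, dst), apis in pairs.items():
        parent, _ = tree[dst]
        if "SetThreadContext" in apis and "WriteProcessMemory" in apis:
            verdicts[(src, dst)] = "hollowing/thread-hijack"
        elif parent != src:
            verdicts[(src, dst)] = "injection-into-running-process"
        else:
            verdicts[(src, dst)] = "process-creation"
    return verdicts


def flagged(rows=SIGNATURE_ROWS, tree=PROCESS_TREE):
    """Pairs that deserve analyst attention, as (src, dst, target image, verdict)."""
    verdicts = classify(parse_rows(rows), tree)
    return sorted(
        (src, dst, tree[dst][1], verdict)
        for (src, dst), verdict in verdicts.items()
        if verdict != "process-creation"
    )


if __name__ == "__main__":
    for src, dst, image, verdict in flagged():
        print(f"{src} -> {dst} ({image}): {verdict}")
```

Run against this report it leaves two pairs: 4208 writing into and re-pointing a thread of its own child 4876 (the same executable started a second time), and 4876 writing into 4292, the IEXPLORE.EXE content process that is a descendant of 1276 rather than of 4876. The three parent-to-child-only pairs (4876 -> 396, 396 -> 1276, 1276 -> 4292) are what process creation looks like in this sandbox and are filtered out.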
Processes
1. C:\Users\Admin\AppData\Local\Temp\4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe"
   PID: 4208
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe"
      PID: 4876
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         PID: 396
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            PID: 1276
            - Modifies Internet Explorer settings
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
               Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1276 CREDAT:17410 /prefetch:2
               PID: 4292
               - Modifies Internet Explorer settings
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b.exe
Filesize: 188KB
MD5: dfe7e88d21b52910db49dee9ed343f49
SHA1: deaf5577dd1faa28dbe5af9f445ea319d974150c
SHA256: 4d68044ff740634eefc30bc93427243ed729b364ac3ed76f08ef9218846dff4b
SHA512: d27334ce043508cb119b734ea6f54cffe28f6052c91ecf93864e4a9abb73948773eba21a244d8724ec16b48de13bb52a8568152f971558955879ae063cf7f57d