Analysis
max time kernel: 147s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 14:47
Static task: static1
Behavioral task: behavioral1
  Sample: rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
  Resource: win10v2004-20220812-en
General
Target: rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
Size: 152KB
MD5: f3ebd9dc2bb17ade3db704bcf06ddb6c
SHA1: 8c827a862c86991d6f2012174c982c8bd4673fd1
SHA256: fd72f9b70df6b6acfaa5a6553bd0094a260982aa9a63f38163e380fa600b54c4
SHA512: f627a94307d0ee7517adb49f6820fef9c1a24b81b3777e6d0552ae475080c1b45f4e46ceafe097e9a6eeda48e00491bd7643961fedd8263453e77fb3372075b1
SSDEEP: 3072:wXUSu53x+vhiBIVHIpSot5A9mW+iDbG8jOz102+SvJex9Jf+ySd+zr3/182:GChx+5iaVopH7A9mhEG8Sz6LOUj/
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\"" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | Explorer.EXE

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2224 set thread context of 2424 | 2224 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe | 80

Program crash (1 IoC)
pid | pid_target | Process | procid_target
3184 | 3296 | WerFault.exe | 45

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
2224 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
2224 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
2424 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
2424 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
2864 | Explorer.EXE
2864 | Explorer.EXE
2864 | Explorer.EXE
2864 | Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2864 | Explorer.EXE

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2424 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
Token: SeDebugPrivilege | 2864 | Explorer.EXE
Token: SeShutdownPrivilege | 2864 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2864 | Explorer.EXE
Token: SeShutdownPrivilege | 3452 | RuntimeBroker.exe
Token: SeShutdownPrivilege | 3452 | RuntimeBroker.exe
Token: SeShutdownPrivilege | 3452 | RuntimeBroker.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2224 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
2224 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe

Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | Process | procid_target
PID 2224 wrote to memory of 2424 | 2224 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe | 80
PID 2224 wrote to memory of 2424 | 2224 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe | 80
PID 2224 wrote to memory of 2424 | 2224 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe | 80
PID 2224 wrote to memory of 2424 | 2224 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe | 80
PID 2224 wrote to memory of 2424 | 2224 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe | 80
PID 2224 wrote to memory of 2424 | 2224 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe | 80
PID 2224 wrote to memory of 2424 | 2224 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe | 80
PID 2224 wrote to memory of 2424 | 2224 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe | 80
PID 2224 wrote to memory of 2424 | 2224 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe | 80
PID 2424 wrote to memory of 5016 | 2424 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe | 81
PID 2424 wrote to memory of 5016 | 2424 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe | 81
PID 2424 wrote to memory of 5016 | 2424 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe | 81
PID 2424 wrote to memory of 2864 | 2424 | rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe | 39
PID 2864 wrote to memory of 2364 | 2864 | Explorer.EXE | 67
PID 2864 wrote to memory of 2404 | 2864 | Explorer.EXE | 31
PID 2864 wrote to memory of 2516 | 2864 | Explorer.EXE | 33
PID 2864 wrote to memory of 3128 | 2864 | Explorer.EXE | 40
PID 2864 wrote to memory of 3296 | 2864 | Explorer.EXE | 45
PID 2864 wrote to memory of 3384 | 2864 | Explorer.EXE | 41
PID 2864 wrote to memory of 3452 | 2864 | Explorer.EXE | 42
PID 2864 wrote to memory of 3536 | 2864 | Explorer.EXE | 43
PID 2864 wrote to memory of 3736 | 2864 | Explorer.EXE | 44
PID 2864 wrote to memory of 4708 | 2864 | Explorer.EXE | 65
PID 2864 wrote to memory of 5016 | 2864 | Explorer.EXE | 81
PID 2864 wrote to memory of 5032 | 2864 | Explorer.EXE | 82
Processes (indented by depth in the process tree)

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2404

- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2516

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures:
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  PID: 2864

  - C:\Users\Admin\AppData\Local\Temp\rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe"
    Signatures:
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    PID: 2224

    - C:\Users\Admin\AppData\Local\Temp\rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
      Signatures:
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      PID: 2424

      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9042~1.BAT"
        PID: 5016

        - C:\Windows\System32\Conhost.exe
          Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          PID: 5032

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3128

- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3384

- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Signatures:
    - Suspicious use of AdjustPrivilegeToken
  PID: 3452

- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3536

- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3736

- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3296

  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 3296 -s 356
    Signatures:
      - Program crash
    PID: 3184

- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4708

- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2364

- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 424 -p 3296 -ip 3296
  PID: 3228
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 201B
MD5: 3e2e3059941a1e44fe5386cb6db4c329
SHA1: 9ad893a95b39d820bcb15f87bb8002805a617af4
SHA256: 074852bc8355fe5d663e35482fe11147f02c3674ebf801a769c42f19cf2c6f76
SHA512: 4e67c0e554479cdd34e09224c90147b6b2c1b84aed4c697fc78bdff2c2fb89518a9749e2d2456fa7eb33e78013326427eb91451f74acc16bd3203c35e67df58e