Analysis
max time kernel: 98s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/12/2022, 04:36
Static task: static1

Behavioral task: behavioral1
Sample: 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe
Resource: win10v2004-20220812-en
General
Target: 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe
Size: 164KB
MD5: 16a4f72a115d2ba72770bbc53dda8d50
SHA1: e8a1167df93b6f5cc40cfa8f78fa14144b8735b1
SHA256: 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b
SHA512: 2d2b8a4dceebf0a6576c6b979e30ba476e060e99ffd36a26b8966ec18cc287e099a46db6d39732be52a42432c38de49ca573062e03395abd0ffbd140addbd530
SSDEEP: 3072:wJfrOsX6d5/hadTRl6ZghWyZokJZ1dTzcTWyQ9:kqKahadTPOspJZvT
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Syzmze = "C:\\Users\\Admin\\AppData\\Roaming\\Syzmze.exe" | iexplore.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4956 set thread context of 4420 | 4956 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe | 80
Modifies Internet Explorer settings
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2822056549" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D0F478BD-72E6-11ED-AECB-F6DE28FD18F9} = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000307" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2822056549" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2920026077" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000307" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376822106" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000307" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
4420 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe
4420 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe
4420 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4420 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe
Token: SeDebugPrivilege | 4420 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe
Token: SeDebugPrivilege | 2828 | iexplore.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
4644 | IEXPLORE.EXE

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
4644 | IEXPLORE.EXE
4644 | IEXPLORE.EXE
4472 | IEXPLORE.EXE
4472 | IEXPLORE.EXE
4472 | IEXPLORE.EXE
4472 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 4956 wrote to memory of 4420 | 4956 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe | 80
PID 4956 wrote to memory of 4420 | 4956 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe | 80
PID 4956 wrote to memory of 4420 | 4956 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe | 80
PID 4956 wrote to memory of 4420 | 4956 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe | 80
PID 4956 wrote to memory of 4420 | 4956 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe | 80
PID 4956 wrote to memory of 4420 | 4956 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe | 80
PID 4956 wrote to memory of 4420 | 4956 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe | 80
PID 4956 wrote to memory of 4420 | 4956 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe | 80
PID 4420 wrote to memory of 2828 | 4420 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe | 81
PID 4420 wrote to memory of 2828 | 4420 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe | 81
PID 4420 wrote to memory of 2828 | 4420 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe | 81
PID 4420 wrote to memory of 2828 | 4420 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe | 81
PID 2828 wrote to memory of 4644 | 2828 | iexplore.exe | 82
PID 2828 wrote to memory of 4644 | 2828 | iexplore.exe | 82
PID 4420 wrote to memory of 2828 | 4420 | 4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe | 81
PID 4644 wrote to memory of 4472 | 4644 | IEXPLORE.EXE | 83
PID 4644 wrote to memory of 4472 | 4644 | IEXPLORE.EXE | 83
PID 4644 wrote to memory of 4472 | 4644 | IEXPLORE.EXE | 83
Processes
1. C:\Users\Admin\AppData\Local\Temp\4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe"
   PID: 4956
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\4da9f92d28de874298753061a63b7843e4fa03bc2fec3bddc4124dbcbb18da6b.exe
      PID: 4420
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         PID: 2828
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            PID: 4644
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
               Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17410 /prefetch:2
               PID: 4472
               - Modifies Internet Explorer settings
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: 4132c54f59c529167c112e7f519120fa
SHA1: 94cc9036fa031258aa744c7ee88e3c0b6c7a73da
SHA256: e9f456cf8bb8cc4a683d1c2f792feeb4c83fff24a86e6bcb260eff8fbff126fb
SHA512: e8efb8e81a90ffbe177301fbba4470ded104fc6d12cfa0123938b981d612eb2c4a66bb47b585cd43ed6ed4940e0ad5a1e3a5d9d18f8cb643e741aae694c4baee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 434B
MD5: eeb17b3cf6e54a06d7fc727ae09194d5
SHA1: c9ac9ee38ce3029750cdcead648a5d7ae8dbcdff
SHA256: 975cee6aaabb844b5d74b80c665ce8154ed284f8366867deb4ebfd721c7ca08a
SHA512: baf6116308c8b20c0dcf25ce46436994e5fccf3ef22e138b38ef3b7289432fde5177e3d938c90debe7f5060d3a814326c708be3d1fa4cd9417a72af45e6da576