Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
152s -
max time network
199s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
01/12/2022, 06:16 UTC
Static task
static1
Behavioral task
behavioral1
Sample
07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe
Resource
win10v2004-20221111-en
General
-
Target
07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe
-
Size
655KB
-
MD5
50bce9ba70d6529eb7a26ede8d584950
-
SHA1
3929bc52d33e6182b6f6e99e83949ea84987d1c0
-
SHA256
07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd
-
SHA512
ab25cc25fdb4ae227b16278138842b8616cf61e7fe4c72614afcb48f77bfe61ea547b564e25987d8a7896a9968b14909f60d46095d5446594a21504a862db858
-
SSDEEP
1536:1BQZjlDtdDkM0ncL79l1wUEkWLj3uWHmdmLoys5IJ+I7KyALeoIk0lYUTPj68:eJtdYEf9REkwjjSQs5IUI7GCoI/lLn
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Bwvauwd = "C:\\Windows\\SysWOW64\\secprocz.exe" 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe -
Executes dropped EXE 1 IoCs
pid Process 5052 secprocz.exe -
resource yara_rule behavioral2/memory/2148-134-0x0000000000650000-0x00000000006F9000-memory.dmp upx behavioral2/memory/2148-138-0x0000000000650000-0x00000000006F9000-memory.dmp upx behavioral2/memory/2148-137-0x0000000000650000-0x00000000006F9000-memory.dmp upx -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\secprocz.exe 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe File opened for modification C:\Windows\SysWOW64\secprocz.exe 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2148 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe 2148 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe 2148 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe 2148 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe 5052 secprocz.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2148 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe Token: SeDebugPrivilege 5052 secprocz.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2148 wrote to memory of 5052 2148 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe 81 PID 2148 wrote to memory of 5052 2148 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe 81 PID 2148 wrote to memory of 5052 2148 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe 81 PID 2148 wrote to memory of 176 2148 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe 83 PID 2148 wrote to memory of 176 2148 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe 83 PID 2148 wrote to memory of 176 2148 07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe"C:\Users\Admin\AppData\Local\Temp\07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe"1⤵
- Adds policy Run key to start application
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\secprocz.exeC:\Windows\SysWOW64\secprocz.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5052
-
-
C:\Windows\SysWOW64\cmd.exe/c C:\Users\Admin\AppData\Local\Temp\~unins3101.bat "C:\Users\Admin\AppData\Local\Temp\07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe"2⤵PID:176
-
Network
-
Remote address:8.8.8.8:53Requestfasternation.netIN AResponse
-
Remote address:8.8.8.8:53Requestfasternation.netIN AResponse
-
Remote address:8.8.8.8:53Requestfasternation.netIN AResponse
-
Remote address:8.8.8.8:53Requestfasternation.netIN AResponse
-
Remote address:8.8.8.8:53Requestwww.sanctionedmedia.comIN AResponsewww.sanctionedmedia.comIN A204.11.56.37
-
Remote address:8.8.8.8:53Request96.108.152.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestd.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpaIN PTRResponse
-
46 B 40 B 1 1
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
260 B 5
-
260 B 5
-
8.8.8.8:53fasternation.netdns07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe62 B 135 B 1 1
DNS Request
fasternation.net
-
8.8.8.8:53fasternation.netdns07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe62 B 135 B 1 1
DNS Request
fasternation.net
-
8.8.8.8:53fasternation.netdns07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe62 B 135 B 1 1
DNS Request
fasternation.net
-
8.8.8.8:53fasternation.netdns07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe62 B 135 B 1 1
DNS Request
fasternation.net
-
69 B 85 B 1 1
DNS Request
www.sanctionedmedia.com
DNS Response
204.11.56.37
-
72 B 146 B 1 1
DNS Request
96.108.152.52.in-addr.arpa
-
118 B 204 B 1 1
DNS Request
d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
49B
MD59e0a2f5ab30517809b95a1ff1dd98c53
SHA15c1eefdf10e67d1e9216e2e3f5e92352d583c9ce
SHA25697ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32
SHA512e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42
-
Filesize
173KB
MD557d736c7e8f4fc9c8d57939586d72373
SHA11fd48b939b0f3d6912fc587c919047347e2bec8e
SHA256bc820e092cca77b13f1536fb744297e0988f91d366d08a0ed8da96e958523db8
SHA51295fd7bac7a43cdc63c7879fd4355cccbe601beeff23b0597c14b2782ae0d6bfcf200a78521b6c032d2a8c7333347267ab33ad21e4c27298fb83871e071738dd4
-
Filesize
173KB
MD557d736c7e8f4fc9c8d57939586d72373
SHA11fd48b939b0f3d6912fc587c919047347e2bec8e
SHA256bc820e092cca77b13f1536fb744297e0988f91d366d08a0ed8da96e958523db8
SHA51295fd7bac7a43cdc63c7879fd4355cccbe601beeff23b0597c14b2782ae0d6bfcf200a78521b6c032d2a8c7333347267ab33ad21e4c27298fb83871e071738dd4