Analysis
max time kernel: 153s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/12/2022, 02:33
Static task: static1
Behavioral task: behavioral1
  Sample: facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe
  Resource: win10v2004-20220812-en
General
Target: facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe
Size: 304KB
MD5: 3c0da04705a9b5450498581694e019d0
SHA1: 0d2690ebfd559d73568ea1c119c1f4c917c332c6
SHA256: facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1
SHA512: a86a4124c55a0db1fce6a424a654388fc2add2c57f226664ef581bffdb8d079562974bbe15cf01bb72d0b3fc523734b4fe9d599ed5e6546281464e76a8df4be9
SSDEEP: 6144:YNfTZ82uLw6ZRPCbWt0xjuPrbYwUW/UZkCGsXQ5VMGAKfv:YBe2WwARCBxKP+SUZkC0TTf
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
pid | Process
3368 | syebd.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | syebd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Syebd = "C:\\Users\\Admin\\AppData\\Roaming\\Ante\\syebd.exe" | syebd.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 4644 set thread context of 4716 | 4644 | facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe | 81
Suspicious behavior: EnumeratesProcesses (54 IoCs)
pid | Process
3368 | syebd.exe (54 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4644 wrote to memory of 3368 | 4644 | facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe | 80 (3 identical entries)
PID 3368 wrote to memory of 2484 | 3368 | syebd.exe | 49 (5 identical entries)
PID 3368 wrote to memory of 2512 | 3368 | syebd.exe | 48 (5 identical entries)
PID 3368 wrote to memory of 2604 | 3368 | syebd.exe | 46 (5 identical entries)
PID 3368 wrote to memory of 2556 | 3368 | syebd.exe | 54 (5 identical entries)
PID 3368 wrote to memory of 764 | 3368 | syebd.exe | 55 (5 identical entries)
PID 3368 wrote to memory of 3252 | 3368 | syebd.exe | 57 (5 identical entries)
PID 3368 wrote to memory of 3352 | 3368 | syebd.exe | 56 (5 identical entries)
PID 3368 wrote to memory of 3420 | 3368 | syebd.exe | 78 (5 identical entries)
PID 3368 wrote to memory of 3512 | 3368 | syebd.exe | 77 (5 identical entries)
PID 3368 wrote to memory of 3740 | 3368 | syebd.exe | 58 (5 identical entries)
PID 3368 wrote to memory of 4644 | 3368 | syebd.exe | 79 (5 identical entries)
PID 4644 wrote to memory of 4716 | 4644 | facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe | 81 (6 identical entries)
Processes (indentation shows the parent/child nesting of the original tree)
C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2604
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2512
C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2484
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 2556
  C:\Users\Admin\AppData\Local\Temp\facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\facc8036722c382d5991ca90cec3fdb8a4a89058d06bc558f144ee2f50a590f1.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 4644
    C:\Users\Admin\AppData\Roaming\Ante\syebd.exe
      command line: "C:\Users\Admin\AppData\Roaming\Ante\syebd.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3368
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\QJQEFF0.bat"
      PID: 4716
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 764
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3352
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3252
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3740
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3512
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3420
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 303B
MD5: 96085d6d46229092184775b0facd83c6
SHA1: 19484560422baa28c1f953eab02e5e2010802778
SHA256: 984858f82c279bda00a9fb40c5ffe924214d4089d55184132f66429fc006f791
SHA512: ec9605ff9537fe5a518793b9ad807a5a39a46edd3d9eafbc5caed77962abde5a14113769af4ac2a8402c2df2f89ec7e6a5cbdb9a271a0ebd6a962ecc8ab0a071

Filesize: 304KB
MD5: b774fff710a3dfad5312fb4b050ecf1c
SHA1: 27534a16ada4faaa656c3aacbaa4a221b928198e
SHA256: 9cf302625142a55a80b757f13a5957e3bbb9e7b1e992910ae258a0dafa059d05
SHA512: 06418ff9676aa09dae5988a6d6fd7880776f6027d733a4be6121bd9435b366cb0e6e00ebff5587789789e32a692420e56fa16d5c925040f994c284af83864069