Analysis
max time kernel: 159s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/12/2022, 09:35
Static task: static1

Behavioral task: behavioral1
  Sample: a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe
  Resource: win10v2004-20220812-en
General
Target: a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe
Size: 92KB
MD5: 63449fad78f9e9e13ee519f9b37e591a
SHA1: f11b49f95ef9714d322b4f912c82e7ed5d18c338
SHA256: a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839
SHA512: e1e0b88ce7116e8becf3d44ea3d3194af582791cfdfba66823b840700cc2bdb4f653713897a3ad13fa30f25d233414219ec119ed49e4ca13c8b5416511479a36
SSDEEP: 1536:GT76uMyhLtB3eW7soSYT0hPvbVG/ocUhQoF/WVvVSfU5EhJB:GTqyhnjT0pYQ3QPTo
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid | Process
4676 | service141.exe
4996 | service141.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | service141.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Users\\Admin\\AppData\\Roaming\\service141.exe" | service141.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | service141.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Users\\Admin\\AppData\\Roaming\\service141.exe" | service141.exe

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | service141.exe

Modifies WinLogon (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Adobe Reader Speed Launcher = "C:\\Users\\Admin\\AppData\\Roaming\\service141.exe" | service141.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2304 set thread context of 4248 | 2304 | a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe | 80
PID 4676 set thread context of 4996 | 4676 | service141.exe | 82

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4996 | service141.exe
4996 | service141.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4248 | a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe
Token: SeDebugPrivilege | 4996 | service141.exe
Token: SeDebugPrivilege | 4996 | service141.exe
Token: SeDebugPrivilege | 4996 | service141.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 2304 wrote to memory of 4248 | 2304 | a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe | 80
PID 2304 wrote to memory of 4248 | 2304 | a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe | 80
PID 2304 wrote to memory of 4248 | 2304 | a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe | 80
PID 2304 wrote to memory of 4248 | 2304 | a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe | 80
PID 2304 wrote to memory of 4248 | 2304 | a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe | 80
PID 2304 wrote to memory of 4248 | 2304 | a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe | 80
PID 2304 wrote to memory of 4248 | 2304 | a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe | 80
PID 2304 wrote to memory of 4248 | 2304 | a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe | 80
PID 4248 wrote to memory of 4676 | 4248 | a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe | 81
PID 4248 wrote to memory of 4676 | 4248 | a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe | 81
PID 4248 wrote to memory of 4676 | 4248 | a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe | 81
PID 4676 wrote to memory of 4996 | 4676 | service141.exe | 82
PID 4676 wrote to memory of 4996 | 4676 | service141.exe | 82
PID 4676 wrote to memory of 4996 | 4676 | service141.exe | 82
PID 4676 wrote to memory of 4996 | 4676 | service141.exe | 82
PID 4676 wrote to memory of 4996 | 4676 | service141.exe | 82
PID 4676 wrote to memory of 4996 | 4676 | service141.exe | 82
PID 4676 wrote to memory of 4996 | 4676 | service141.exe | 82
PID 4676 wrote to memory of 4996 | 4676 | service141.exe | 82
PID 4996 wrote to memory of 2524 | 4996 | service141.exe | 59
PID 4996 wrote to memory of 2524 | 4996 | service141.exe | 59
Processes

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  Depth: 1
  PID: 2524

C:\Users\Admin\AppData\Local\Temp\a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2304

  C:\Users\Admin\AppData\Local\Temp\a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839.exe"
    Depth: 2
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4248

    C:\Users\Admin\AppData\Roaming\service141.exe
      Command line: -n
      Depth: 3
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 4676

      C:\Users\Admin\AppData\Roaming\service141.exe
        Command line: -n
        Depth: 4
        - Executes dropped EXE
        - Adds Run key to start application
        - Enumerates connected drives
        - Modifies WinLogon
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4996
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 92KB
MD5: 63449fad78f9e9e13ee519f9b37e591a
SHA1: f11b49f95ef9714d322b4f912c82e7ed5d18c338
SHA256: a5885afbcac1bb6f36ab672df0e399008d012d53e677f404b3abbde6b0c41839
SHA512: e1e0b88ce7116e8becf3d44ea3d3194af582791cfdfba66823b840700cc2bdb4f653713897a3ad13fa30f25d233414219ec119ed49e4ca13c8b5416511479a36