Analysis
- max time kernel: 165s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/12/2022, 07:54
Static task: static1
Behavioral task: behavioral1
- Sample: b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
- Resource: win10v2004-20220812-en
General
- Target: b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
- Size: 204KB
- MD5: 896bee8216e0354b2dce57cbf95fdcae
- SHA1: 34bb0f59699b5a70c6e924a6128dbe8c4726fd33
- SHA256: b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90
- SHA512: e40efb01c47fa08a77985a8151bc75978e19a8a38f51ee12dcfdfd8a932b6920a97999bd1186c01405266d80fab718447d8edf18f649aeaa09e630ed3cfea427
- SSDEEP: 6144:bcdOSKq1G5JU09zZd6n0xWWq2oM3/wCeeR0AI01Ak:wwi8Ugz+NG/wQvI0
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 3540, process tafe.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\Currentversion\Run (process tafe.exe)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run (process tafe.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yhucm = "C:\\Users\\Admin\\AppData\\Roaming\\Puerf\\tafe.exe" (process tafe.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1260 set thread context of 2320 (pid 1260, process b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe, procid_target 80)
- Modifies Internet Explorer settings
  Set value (int): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" (process b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Privacy (process b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3540, process tafe.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeSecurityPrivilege, pid 1260, process b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe (6 identical entries)
- Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, count given per row)
  description                              pid   Process                                                                  procid_target  count
  PID 1260 wrote to memory of 3540         1260  b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe  79             3
  PID 3540 wrote to memory of 2396         3540  tafe.exe                                                                 19             5
  PID 3540 wrote to memory of 2408         3540  tafe.exe                                                                 28             5
  PID 3540 wrote to memory of 2572         3540  tafe.exe                                                                 41             5
  PID 3540 wrote to memory of 2180         3540  tafe.exe                                                                 39             5
  PID 3540 wrote to memory of 688          3540  tafe.exe                                                                 37             5
  PID 3540 wrote to memory of 3220         3540  tafe.exe                                                                 36             5
  PID 3540 wrote to memory of 3340         3540  tafe.exe                                                                 35             5
  PID 3540 wrote to memory of 3404         3540  tafe.exe                                                                 33             5
  PID 3540 wrote to memory of 3504         3540  tafe.exe                                                                 34             5
  PID 3540 wrote to memory of 3660         3540  tafe.exe                                                                 38             5
  PID 3540 wrote to memory of 4660         3540  tafe.exe                                                                 51             5
  PID 3540 wrote to memory of 3032         3540  tafe.exe                                                                 72             5
  PID 3540 wrote to memory of 1260         3540  tafe.exe                                                                 78             1
Processes
- C:\Windows\system32\sihost.exe  [cmdline: sihost.exe]  PID 2396
- C:\Windows\system32\svchost.exe  [cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc]  PID 2408
- C:\Windows\System32\RuntimeBroker.exe  [cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding]  PID 3404
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  [cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca]  PID 3504
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  [cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca]  PID 3340
- C:\Windows\system32\DllHost.exe  [cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}]  PID 3220
- C:\Windows\system32\svchost.exe  [cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc]  PID 688
- C:\Windows\System32\RuntimeBroker.exe  [cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding]  PID 3660
- C:\Windows\Explorer.EXE  [cmdline: C:\Windows\Explorer.EXE]  PID 2180
  - C:\Users\Admin\AppData\Local\Temp\b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe"]  PID 1260
    signatures: Suspicious use of SetThreadContext; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Puerf\tafe.exe  [cmdline: "C:\Users\Admin\AppData\Roaming\Puerf\tafe.exe"]  PID 3540
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  [cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc5590700.bat"]  PID 2320
      - C:\Windows\System32\Conhost.exe  [cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1]  PID 3112
- C:\Windows\system32\taskhostw.exe  [cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}]  PID 2572
- C:\Windows\System32\RuntimeBroker.exe  [cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding]  PID 4660
- C:\Windows\system32\backgroundTaskHost.exe  [cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca]  PID 3032
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2KB
  MD5: 82eef1bec46c378cceb5b1ebcb991a99
  SHA1: 17b70c5fbce8044f86b05c45a559c3ff235ab717
  SHA256: 2dd84a5be36a603fdcee39501d067f92b9c1b6d6686b16426ce0eb70ebfbd084
  SHA512: 4bd448fddf18d1dd48005835cf8559139809288d6d0cc33b6d46e2951b56c4a87727b312d8ad9bc9ae36a0db5614249d88c4cda24feda25f0afa21c1b8e8b8e6
- Filesize: 204KB
  MD5: 88cd86b527391ecc0a907deecb020df8
  SHA1: f5a015c35c3258ff306e3769bc31fee6e18f4bde
  SHA256: 3b6bf61d8ee0fd4908f05e73e4a52d70cf2c6bcbee648292b52111c64f0d05aa
  SHA512: 8aef36531301157d5e2c14043f52742f07c677060b2c22d9d8902ff0b2d88e7ed5a24cf8dc82792ec1a1773f93ba43868f58554eec8b8c4a0700f3815aca57a8