Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    165s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 07:54

General

  • Target

    b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe

  • Size

    204KB

  • MD5

    896bee8216e0354b2dce57cbf95fdcae

  • SHA1

    34bb0f59699b5a70c6e924a6128dbe8c4726fd33

  • SHA256

    b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90

  • SHA512

    e40efb01c47fa08a77985a8151bc75978e19a8a38f51ee12dcfdfd8a932b6920a97999bd1186c01405266d80fab718447d8edf18f649aeaa09e630ed3cfea427

  • SSDEEP

    6144:bcdOSKq1G5JU09zZd6n0xWWq2oM3/wCeeR0AI01Ak:wwi8Ugz+NG/wQvI0

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2396
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
      1⤵
        PID:2408
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
          PID:3404
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:3504
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
            1⤵
              PID:3340
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              1⤵
                PID:3220
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                1⤵
                  PID:688
                • C:\Windows\System32\RuntimeBroker.exe
                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                  1⤵
                    PID:3660
                  • C:\Windows\Explorer.EXE
                    C:\Windows\Explorer.EXE
                    1⤵
                      PID:2180
                      • C:\Users\Admin\AppData\Local\Temp\b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
                        "C:\Users\Admin\AppData\Local\Temp\b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe"
                        2⤵
                        • Suspicious use of SetThreadContext
                        • Modifies Internet Explorer settings
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1260
                        • C:\Users\Admin\AppData\Roaming\Puerf\tafe.exe
                          "C:\Users\Admin\AppData\Roaming\Puerf\tafe.exe"
                          3⤵
                          • Executes dropped EXE
                          • Adds Run key to start application
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          PID:3540
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc5590700.bat"
                          3⤵
                            PID:2320
                            • C:\Windows\System32\Conhost.exe
                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              4⤵
                                PID:3112
                        • C:\Windows\system32\taskhostw.exe
                          taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                          1⤵
                            PID:2572
                          • C:\Windows\System32\RuntimeBroker.exe
                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                            1⤵
                              PID:4660
                            • C:\Windows\system32\backgroundTaskHost.exe
                              "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
                              1⤵
                                PID:3032

                              Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Roaming\Ifenk\ogutq.pii

                                Filesize

                                2KB

                                MD5

                                82eef1bec46c378cceb5b1ebcb991a99

                                SHA1

                                17b70c5fbce8044f86b05c45a559c3ff235ab717

                                SHA256

                                2dd84a5be36a603fdcee39501d067f92b9c1b6d6686b16426ce0eb70ebfbd084

                                SHA512

                                4bd448fddf18d1dd48005835cf8559139809288d6d0cc33b6d46e2951b56c4a87727b312d8ad9bc9ae36a0db5614249d88c4cda24feda25f0afa21c1b8e8b8e6

                              • C:\Users\Admin\AppData\Roaming\Puerf\tafe.exe

                                Filesize

                                204KB

                                MD5

                                88cd86b527391ecc0a907deecb020df8

                                SHA1

                                f5a015c35c3258ff306e3769bc31fee6e18f4bde

                                SHA256

                                3b6bf61d8ee0fd4908f05e73e4a52d70cf2c6bcbee648292b52111c64f0d05aa

                                SHA512

                                8aef36531301157d5e2c14043f52742f07c677060b2c22d9d8902ff0b2d88e7ed5a24cf8dc82792ec1a1773f93ba43868f58554eec8b8c4a0700f3815aca57a8

                              • C:\Users\Admin\AppData\Roaming\Puerf\tafe.exe

                                Filesize

                                204KB

                                MD5

                                88cd86b527391ecc0a907deecb020df8

                                SHA1

                                f5a015c35c3258ff306e3769bc31fee6e18f4bde

                                SHA256

                                3b6bf61d8ee0fd4908f05e73e4a52d70cf2c6bcbee648292b52111c64f0d05aa

                                SHA512

                                8aef36531301157d5e2c14043f52742f07c677060b2c22d9d8902ff0b2d88e7ed5a24cf8dc82792ec1a1773f93ba43868f58554eec8b8c4a0700f3815aca57a8

                              • memory/1260-144-0x0000000002140000-0x000000000217B000-memory.dmp

                                Filesize

                                236KB

                              • memory/1260-134-0x0000000000400000-0x000000000046A000-memory.dmp

                                Filesize

                                424KB

                              • memory/1260-133-0x0000000002090000-0x00000000020FA000-memory.dmp

                                Filesize

                                424KB

                              • memory/1260-143-0x0000000000400000-0x000000000046A000-memory.dmp

                                Filesize

                                424KB

                              • memory/1260-132-0x0000000000400000-0x000000000046A000-memory.dmp

                                Filesize

                                424KB

                              • memory/2320-142-0x0000000000140000-0x000000000017B000-memory.dmp

                                Filesize

                                236KB

                              • memory/2320-145-0x0000000000140000-0x000000000017B000-memory.dmp

                                Filesize

                                236KB

                              • memory/3540-138-0x0000000000400000-0x000000000046A000-memory.dmp

                                Filesize

                                424KB

                              • memory/3540-139-0x00000000020D0000-0x000000000213A000-memory.dmp

                                Filesize

                                424KB

                              • memory/3540-146-0x0000000000400000-0x000000000046A000-memory.dmp

                                Filesize

                                424KB

                              • memory/3540-147-0x00000000020D0000-0x000000000213A000-memory.dmp

                                Filesize

                                424KB