Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/12/2022, 10:29
Static task: static1
Behavioral task: behavioral1
- Sample: a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- Resource: win10v2004-20220901-en
General
- Target: a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- Size: 1.2MB
- MD5: e826dd93eaf42cb082606e37543e9bba
- SHA1: 72062694acd03db50bb45e1da80500cc23171afe
- SHA256: a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a
- SHA512: 6123e615b93657bb96fdb7442703186a1182ff61d44128217c2646073a0e154fd657be1282c35711c96ed3eff0d8a28bc98d88b94b97ce838ccfa43dbba036d5
- SSDEEP: 24576:j0ygUZcPs1/qp0HGNJMIWYTGfArcmZUOVrB3a5H290J:joXPDypDYTZTZpVrL90
Malware Config
Signatures
Windows security bypass
(description | ioc | Process)
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "\x01" | cs.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "\x01" | cs.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "\x01" | cs.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "\x01" | cs.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "\x01" | cs.exe
Executes dropped EXE 1 IoCs
(pid | Process)
- 4304 | cs.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
(description | ioc | Process)
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cs.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
(description | ioc | Process)
- Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
Windows security modification
(description | ioc | Process)
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "\x01" | cs.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "\x01" | cs.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "\x01" | cs.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "\x01" | cs.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "\x01" | cs.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "\x01" | cs.exe
Adds Run key to start application 2 TTPs 4 IoCs
(description | ioc | Process)
- Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CSec = "C:\\Program Files (x86)\\CSec\\cs.exe" | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run | cs.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CSec = "C:\\Program Files (x86)\\CSec\\cs.exe" | cs.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
(description | ioc | Process)
- File opened (read-only) | \??\M: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\F: | cs.exe
- File opened (read-only) | \??\J: | cs.exe
- File opened (read-only) | \??\L: | cs.exe
- File opened (read-only) | \??\H: | cs.exe
- File opened (read-only) | \??\X: | cs.exe
- File opened (read-only) | \??\G: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\N: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\R: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\Y: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\I: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\S: | cs.exe
- File opened (read-only) | \??\Q: | cs.exe
- File opened (read-only) | \??\R: | cs.exe
- File opened (read-only) | \??\U: | cs.exe
- File opened (read-only) | \??\E: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\F: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\H: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\G: | cs.exe
- File opened (read-only) | \??\M: | cs.exe
- File opened (read-only) | \??\P: | cs.exe
- File opened (read-only) | \??\Z: | cs.exe
- File opened (read-only) | \??\Q: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\T: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\X: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\I: | cs.exe
- File opened (read-only) | \??\N: | cs.exe
- File opened (read-only) | \??\J: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\K: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\P: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\Z: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\O: | cs.exe
- File opened (read-only) | \??\T: | cs.exe
- File opened (read-only) | \??\V: | cs.exe
- File opened (read-only) | \??\W: | cs.exe
- File opened (read-only) | \??\O: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\U: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\E: | cs.exe
- File opened (read-only) | \??\K: | cs.exe
- File opened (read-only) | \??\Y: | cs.exe
- File opened (read-only) | \??\L: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\S: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\V: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened (read-only) | \??\W: | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
Drops file in Program Files directory 4 IoCs
(description | ioc | Process)
- File created | C:\Program Files (x86)\CSec\cs.exe | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened for modification | C:\Program Files (x86)\CSec\cs.exe | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File created | C:\Program Files (x86)\Common Files\CSecUninstall\Uninstall.lnk | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- File opened for modification | C:\Program Files (x86)\Common Files\CSecUninstall\Uninstall.lnk | cs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates system info in registry 2 TTPs 2 IoCs
(description | ioc | Process)
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | cs.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
(pid | Process)
- 1724 | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe (2 entries)
- 4304 | cs.exe (62 entries)
Suspicious use of AdjustPrivilegeToken 27 IoCs
(description | pid | Process)
- Token: SeCreateTokenPrivilege | 4304 | cs.exe
- Token: SeAssignPrimaryTokenPrivilege | 4304 | cs.exe
- Token: SeLockMemoryPrivilege | 4304 | cs.exe
- Token: SeIncreaseQuotaPrivilege | 4304 | cs.exe
- Token: SeMachineAccountPrivilege | 4304 | cs.exe
- Token: SeTcbPrivilege | 4304 | cs.exe
- Token: SeSecurityPrivilege | 4304 | cs.exe
- Token: SeTakeOwnershipPrivilege | 4304 | cs.exe
- Token: SeLoadDriverPrivilege | 4304 | cs.exe
- Token: SeSystemProfilePrivilege | 4304 | cs.exe
- Token: SeSystemtimePrivilege | 4304 | cs.exe
- Token: SeProfSingleProcessPrivilege | 4304 | cs.exe
- Token: SeIncBasePriorityPrivilege | 4304 | cs.exe
- Token: SeCreatePagefilePrivilege | 4304 | cs.exe
- Token: SeCreatePermanentPrivilege | 4304 | cs.exe
- Token: SeBackupPrivilege | 4304 | cs.exe
- Token: SeRestorePrivilege | 4304 | cs.exe
- Token: SeShutdownPrivilege | 4304 | cs.exe
- Token: SeDebugPrivilege | 4304 | cs.exe
- Token: SeAuditPrivilege | 4304 | cs.exe
- Token: SeSystemEnvironmentPrivilege | 4304 | cs.exe
- Token: SeChangeNotifyPrivilege | 4304 | cs.exe
- Token: SeRemoteShutdownPrivilege | 4304 | cs.exe
- Token: SeUndockPrivilege | 4304 | cs.exe
- Token: SeSyncAgentPrivilege | 4304 | cs.exe
- Token: SeEnableDelegationPrivilege | 4304 | cs.exe
- Token: SeManageVolumePrivilege | 4304 | cs.exe
Suspicious use of FindShellTrayWindow 7 IoCs
(pid | Process)
- 4304 | cs.exe (7 entries)
Suspicious use of SendNotifyMessage 7 IoCs
(pid | Process)
- 4304 | cs.exe (7 entries)
Suspicious use of SetWindowsHookEx 3 IoCs
(pid | Process)
- 4304 | cs.exe (3 entries)
Suspicious use of WriteProcessMemory 6 IoCs
(description | pid | Process | procid_target)
- PID 1724 wrote to memory of 4304 | 1724 | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe | 81
- PID 1724 wrote to memory of 4304 | 1724 | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe | 81
- PID 1724 wrote to memory of 4304 | 1724 | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe | 81
- PID 1724 wrote to memory of 3968 | 1724 | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe | 82
- PID 1724 wrote to memory of 3968 | 1724 | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe | 82
- PID 1724 wrote to memory of 3968 | 1724 | a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe | 82
Processes
- C:\Users\Admin\AppData\Local\Temp\a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a.exe"
  PID: 1724
  Signatures:
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\CSec\cs.exe
    Command line: "C:\Program Files (x86)\CSec\cs.exe"
    PID: 4304
    Signatures:
    - Windows security bypass
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A1DE0A~1.EXE > nul
    PID: 3968
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.2MB
  MD5: e826dd93eaf42cb082606e37543e9bba
  SHA1: 72062694acd03db50bb45e1da80500cc23171afe
  SHA256: a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a
  SHA512: 6123e615b93657bb96fdb7442703186a1182ff61d44128217c2646073a0e154fd657be1282c35711c96ed3eff0d8a28bc98d88b94b97ce838ccfa43dbba036d5
- Filesize: 1.2MB
  MD5: e826dd93eaf42cb082606e37543e9bba
  SHA1: 72062694acd03db50bb45e1da80500cc23171afe
  SHA256: a1de0a76e4fcad4e2f7a7cfc8fb02cb5b2b64a99212e75fb883721430d8f065a
  SHA512: 6123e615b93657bb96fdb7442703186a1182ff61d44128217c2646073a0e154fd657be1282c35711c96ed3eff0d8a28bc98d88b94b97ce838ccfa43dbba036d5
- Filesize: 1KB
  MD5: 806979f32b039a185aefe3ac06bd5134
  SHA1: de39ec040474fd994169abc51785fbe87218f0f3
  SHA256: 37a4ed75c35276a0b1fb148279b775343ac78520e9afe0173942007eba4c5155
  SHA512: 0d2bb659c6cedf5b7e5a98abefe60e51a4653717ad38b1889b57955a3732e22eaa2a28cbdd03216b747a2eb2e0cad970a2f8279eaee1e19d770a53aef3080399
- Filesize: 1KB
  MD5: c383fd3f4f29f4604feebda9071eca68
  SHA1: b9e1811b799e2f8696d9d84767248326682a0d95
  SHA256: d69305c7b1d690f58606b107a804c8b00dc3f5a26d1499dc232551751fe97081
  SHA512: caeb280bc85c50f02635ed1d74e8034ee6c58eb8e7f3872570275db4b9b63282fc856b3323d90d7aa5ecb54d19d2463b7118be40baf66bf5841c1213541ce654
- Filesize: 1KB
  MD5: 8330cede3578b3e68728d3b9dcb49fd3
  SHA1: bdaa74d1f30346a4b478f218914be6b9ec6c6ebd
  SHA256: 9ad3ba1f1be35565deac3ace2cbae7fbb9c7bac1e1ad536b02cac195b746a38e
  SHA512: a912e0574f6aa2ca48a7abbc1036300bdf558b7da1cdc009a62fffa5f1b54f371cc800b481019f166e277a5dd21897ddd489b6d9451a49befd79d13789d23dc7
- Filesize: 1KB
  MD5: 70b8a75f0ff72fcf365595e1ec0cc541
  SHA1: 251dff20f7f0499fec368ef94665eaa74e637013
  SHA256: 6fbc82c99c43808fdf2f2791d86099467fa67039e6ce962c6cd7c345ef0089aa
  SHA512: 91aa46c72cc808d74a7d60b69dd9ced5295a64e7cbd931daef6179988f39302f644a18d65f572fc21a30a90582dfb2e0eabb88a9b8ba6dc7a6778ab4381cf487
- Filesize: 1KB
  MD5: 5b7fbd1584a8d5deb16cc57fbb858753
  SHA1: 1c0b2fc4c139df3f3ed1b680f41fdef9670125cf
  SHA256: 057ac2dab8a620cd452b75abfd30fdfcda53254e5812244d4305ca901d0a8b8a
  SHA512: a217f5486acf083cec7c89346195654596f6c740206392e5b3361852a3d9b915dadb1e0c7d90a5b17da004321f1bd601f58f2cab26c0adc3df46fe2e7de84fd6
- Filesize: 1KB
  MD5: 5ce1d24f55870e9cb94ee9d527cb99fa
  SHA1: b3851c06ff92b57e4e8a62b5f67939b8caf192ef
  SHA256: fca899dcf7a043f99334284f3f24997abb9114d2df94bc839cf8319b0b03e485
  SHA512: b33daf5028c59e4c3e612d443d9faeaeddd2af2e39f81caf246bce7726511ee1fccfbb3a06dfffb79ca96d54e84b9ffcd3ef29ea1269fff217121f80193af0cd
- Filesize: 1KB
  MD5: 9ac28052ebf318cd686fd4bb63bbc52a
  SHA1: eead39770a71209ee1567a2419d38538c25a2734
  SHA256: 1de2a87705b3b11f970afc0941dc1c0ca12b80c642fdad7bf68d1da0d1bd2652
  SHA512: 85cf5f78159930b9c86c2cefe697e9e86901542defc0a94a44e2887f6e0b6af649cffc47a98e80116cf17a91d95a901564f09ff9c762b44bacd79abcecc581b8
- Filesize: 1KB
  MD5: 098363b830ef00557ae083727c445c6d
  SHA1: dad6497519b6cf3f2be64d0dab9f6e9208c10e2f
  SHA256: 8ba802ae3e38df7225abf459a07a059a2847bd069ce210d1a414f73b91044357
  SHA512: 2fa5b418320acc96f97b005d737537c82c351bebc83c84f572bc6c558efdee1ee2915c0acf665fb5ece729065d10dda365c64ed6b39845e4c1180a2e2c368a4c