Analysis
max time kernel: 204s
max time network: 238s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2022, 14:03
Static task: static1
Behavioral task: behavioral1
  Sample: b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
  Resource: win10v2004-20221111-en
General
Target: b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
Size: 76KB
MD5: 09206a5702f3f9b40ca5e8fef7cc82c0
SHA1: 5cbf21438667bd9e9e3363a26de6706a232ab9f6
SHA256: b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce
SHA512: 63c6dcaed8ce4985ec98dd09054a5559ce63a68909f723ef24eb050724f12b05054fc5fefabc1217b4d5e71f997066de51088709eefee3ce3b41202557d3cd8f
SSDEEP: 1536:2FbeITsAro5ZNjzFmAa6IBA2oESRU1UmxIyYclkOZB4NgbeG/H4m5u1FaeeW:2FawsA+HjzFmRa2Mpy28C2bD/H4m5u1P
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
  pid   Process
  3732  MSWDM.EXE
  2912  MSWDM.EXE
  1424  B086DDACA8D33967C55E43E0D5AD49C63E417980687B808AE87AAE163AB952CE.EXE
  1492  MSWDM.EXE

Adds Run key to start application (2 TTPs, 5 IoCs)
  description      ioc  [Process]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"  [b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe]
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices  [b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  [b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"  [MSWDM.EXE]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  [MSWDM.EXE]

Drops file in Program Files directory (19 IoCs)
  description                   ioc  [Process]
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe  [MSWDM.EXE]
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe  [MSWDM.EXE]
  File opened for modification  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE  [MSWDM.EXE]
  File opened for modification  C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE  [MSWDM.EXE]
  File opened for modification  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe  [MSWDM.EXE]
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe  [MSWDM.EXE]
  File opened for modification  C:\Program Files\7-Zip\7zG.exe  [MSWDM.EXE]
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe  [MSWDM.EXE]
  File opened for modification  C:\Program Files\7-Zip\7z.exe  [MSWDM.EXE]
  File opened for modification  C:\Program Files\7-Zip\Uninstall.exe  [MSWDM.EXE]
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe  [MSWDM.EXE]
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe  [MSWDM.EXE]
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe  [MSWDM.EXE]
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe  [MSWDM.EXE]
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe  [MSWDM.EXE]
  File opened for modification  C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe  [MSWDM.EXE]
  File opened for modification  C:\Program Files\7-Zip\7zFM.exe  [MSWDM.EXE]
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\mip.exe  [MSWDM.EXE]
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe  [MSWDM.EXE]

Drops file in Windows directory (5 IoCs)
  description                   ioc  [Process]
  File opened for modification  C:\Windows\devBE4F.tmp  [b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe]
  File opened for modification  C:\Windows\devBE4F.tmp  [MSWDM.EXE]
  File opened for modification  C:\Windows\dieBE4F.tmp  [MSWDM.EXE]
  File created                  C:\Windows\dieBE4F.tmp  [MSWDM.EXE]
  File created                  C:\WINDOWS\MSWDM.EXE  [b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe]

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2912  MSWDM.EXE
  2912  MSWDM.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  description                      pid   Process  procid_target
  PID 344 wrote to memory of 3732  344   b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe  82
  PID 344 wrote to memory of 3732  344   b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe  82
  PID 344 wrote to memory of 3732  344   b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe  82
  PID 344 wrote to memory of 2912  344   b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe  83
  PID 344 wrote to memory of 2912  344   b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe  83
  PID 344 wrote to memory of 2912  344   b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe  83
  PID 2912 wrote to memory of 1424  2912  MSWDM.EXE  84
  PID 2912 wrote to memory of 1424  2912  MSWDM.EXE  84
  PID 2912 wrote to memory of 1424  2912  MSWDM.EXE  84
  PID 2912 wrote to memory of 1492  2912  MSWDM.EXE  85
  PID 2912 wrote to memory of 1492  2912  MSWDM.EXE  85
  PID 2912 wrote to memory of 1492  2912  MSWDM.EXE  85
Processes
C:\Users\Admin\AppData\Local\Temp\b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe"
  PID: 344
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\WINDOWS\MSWDM.EXE
    Command line: "C:\WINDOWS\MSWDM.EXE"
    PID: 3732 (parent 344)
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Drops file in Windows directory
  C:\WINDOWS\MSWDM.EXE
    Command line: -r!C:\Windows\devBE4F.tmp!C:\Users\Admin\AppData\Local\Temp\b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe! !
    PID: 2912 (parent 344)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\B086DDACA8D33967C55E43E0D5AD49C63E417980687B808AE87AAE163AB952CE.EXE
      PID: 1424 (parent 2912)
      - Executes dropped EXE
    C:\WINDOWS\MSWDM.EXE
      Command line: -e!C:\Windows\devBE4F.tmp!C:\Users\Admin\AppData\Local\Temp\B086DDACA8D33967C55E43E0D5AD49C63E417980687B808AE87AAE163AB952CE.EXE!
      PID: 1492 (parent 2912)
      - Executes dropped EXE
      - Drops file in Windows directory
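The signatures and process tree above describe one chain: the submitted sample writes MSWDM.EXE into the Windows directory, registers it under both Run and RunServices (under WOW6432Node because the sample is 32-bit on an x64 guest, as the arch:x86 tag shows), and the dropped copy then opens nineteen third-party executables under Program Files for write and re-launches the original host through a "-r!<tmp>!<host>!" / "-e!<tmp>!<host>!" argument form. The following detection logic, an added example that is not part of the Triage report, turns those observations into rules and runs them over constructed Sysmon-style events. The event schema, the benign notepad noise, the rule names and the three-file threshold are assumptions made for the example; the paths, registry keys and command-line shape are copied from the report.

```python
import re
from collections import defaultdict

# Paths, registry keys and argument form are taken from the report above.
ORIG = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe")
MSWDM = r"C:\WINDOWS\MSWDM.EXE"
RUN = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM"
RUNSVC = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM"

# Constructed telemetry (process create / file write / registry value set),
# loosely shaped like a Sysmon feed. Not the sandbox's raw output; the
# notepad events are benign noise the rules must not fire on.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 344, "ppid": 1000, "image": ORIG, "cmdline": f'"{ORIG}"'},
    {"type": "file", "pid": 344, "image": ORIG, "target": MSWDM},
    {"type": "registry", "pid": 344, "image": ORIG, "target": RUN, "value": "MSWDM.EXE"},
    {"type": "registry", "pid": 344, "image": ORIG, "target": RUNSVC, "value": "MSWDM.EXE"},
    {"type": "process", "pid": 2912, "ppid": 344, "image": MSWDM,
     "cmdline": MSWDM + r" -r!C:\Windows\devBE4F.tmp!" + ORIG + "! !"},
    {"type": "file", "pid": 3732, "image": MSWDM, "target": r"C:\Program Files\7-Zip\7z.exe"},
    {"type": "file", "pid": 3732, "image": MSWDM, "target": r"C:\Program Files\7-Zip\7zG.exe"},
    {"type": "file", "pid": 3732, "image": MSWDM, "target": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"type": "file", "pid": 3732, "image": MSWDM,
     "target": r"C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe"},
    {"type": "process", "pid": 5000, "ppid": 1000,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "file", "pid": 5000, "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\Admin\notes.txt"},
    {"type": "registry", "pid": 5000, "image": r"C:\Windows\System32\notepad.exe",
     "target": r"HKCU\Software\Microsoft\Notepad\lfFaceName", "value": "Consolas"},
]

# '-r!<tmp>!<host>!' / '-e!<tmp>!<host>!' as seen on the MSWDM.EXE command lines.
MSWDM_ARGS = re.compile(r"\s-(?P<mode>[re])!(?P<tmp>[^!]+)!(?P<host>[^!]+)!", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Services)?\\[^\\]+$", re.IGNORECASE)
RUNSERVICES_KEY = re.compile(r"\\CurrentVersion\\RunServices\\", re.IGNORECASE)
EXE_IN_WINDOWS_ROOT = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)
PROGRAM_FILES_EXE = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\.+\.exe$", re.IGNORECASE)


def parse_mswdm_cmdline(cmdline):
    """Split the restore/extract argument form into mode, temp file and host
    executable. Returns None when the command line does not have that shape."""
    m = MSWDM_ARGS.search(cmdline)
    if not m:
        return None
    return {"mode": m.group("mode").lower(), "tmp": m.group("tmp"), "host": m.group("host")}


def detect(events, infector_threshold=3):
    """Return (rule, pid, detail) tuples for the behaviours seen in the report."""
    hits = []
    exe_targets = defaultdict(set)          # pid -> executables it opened for write
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "registry":
            target, value = ev["target"], ev.get("value", "")
            # RunServices is a Windows 9x-era key that NT-based Windows never
            # reads, so a write there is an anomaly even though it gives no persistence.
            if RUNSERVICES_KEY.search(target):
                hits.append(("runservices_write", pid, target))
            # A Run value that is a bare file name (no directory) is resolved
            # through the search path at logon instead of naming a fixed binary.
            if RUN_KEY.search(target) and value and "\\" not in value:
                hits.append(("run_value_bare_filename", pid, f"{target} = {value}"))
        elif kind == "file":
            target = ev["target"]
            if EXE_IN_WINDOWS_ROOT.match(target):
                hits.append(("exe_written_to_windows_root", pid, target))
            if PROGRAM_FILES_EXE.match(target):
                exe_targets[pid].add(target.lower())
        elif kind == "process":
            parsed = parse_mswdm_cmdline(ev["cmdline"])
            if parsed:
                hits.append(("host_restore_cmdline", pid,
                             f"mode={parsed['mode']} host={parsed['host']}"))
    # One process opening many third-party executables for write is the
    # file-infector pattern behind the 19 Program Files IoCs in the report.
    for pid, targets in exe_targets.items():
        if len(targets) >= infector_threshold:
            hits.append(("mass_exe_write", pid, f"{len(targets)} executables under Program Files"))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:<28} pid={pid:<5} {detail}")
```

The "opened for modification" signature records write-access opens, not confirmed byte changes, so mass_exe_write is a hunt lead rather than proof of infection; confirm by hashing the listed Program Files binaries against a known-good baseline or the vendor's signed copies. The RunServices write is worth alerting on by itself: nothing legitimate on a modern Windows host populates that key.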
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\B086DDACA8D33967C55E43E0D5AD49C63E417980687B808AE87AAE163AB952CE.EXE
  Filesize: 76KB
  MD5: 5ab5db7608ac8e2a325770fe2015691a
  SHA1: eba40d2d41d8270d1e53dbdbad05f2580252c421
  SHA256: 669f490eddb5ecbb3b765e5a1396bd952e6918e23e241ea052bcf8832b9a2d85
  SHA512: e24a8ed9b49d60330cfe79d2f0988c8091d2251f99d95ecb204d1226b802a2c1761e27077b8bfa6f59b7019b3a2b6ea28411a138691a413eeaa181a9078734e5

C:\Users\Admin\AppData\Local\Temp\b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
  Filesize: 38KB
  MD5: 6d787fdf93de266ce25378fb362df011
  SHA1: 00ed94c8d2041eecc24a69fe99e0fdbb043fafe3
  SHA256: 72fc3fdced04ed8de4758a47d4ec124b6ec147da3841a61a1b411a158011eca5
  SHA512: 0a2c992eb130d4ef87b4f142fd3f823f514a6724632e985824caf05e69799db99154cac9bc19c8b960ea029f96d09a8586d4117b1052950f8d56df39d0f752f2

  Filesize: 38KB
  MD5: 1745587f0e55f4c48528f7553682d5c9
  SHA1: fbb3daebded21562ef52fec49b25de46e9ceda21
  SHA256: 39186faea2064cc7d76c6d74be6c5aaea1d7e5665133f2f796a8fd507680a50b
  SHA512: 0c7c7973f679f39cff133202991fc4ff5b124893b02222ed3eb8ea32d09ef9c10b1996b26871a70c07ccb2514497132612e6bed4936e973782ba82f3d1d56518

  Filesize: 38KB
  MD5: 6d787fdf93de266ce25378fb362df011
  SHA1: 00ed94c8d2041eecc24a69fe99e0fdbb043fafe3
  SHA256: 72fc3fdced04ed8de4758a47d4ec124b6ec147da3841a61a1b411a158011eca5
  SHA512: 0a2c992eb130d4ef87b4f142fd3f823f514a6724632e985824caf05e69799db99154cac9bc19c8b960ea029f96d09a8586d4117b1052950f8d56df39d0f752f2