Analysis
max time kernel: 154s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2022, 21:55
Static task: static1
Behavioral task: behavioral1
  Sample: 31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe
  Resource: win10v2004-20220812-en
General
Target: 31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe
Size: 505KB
MD5: 4d29c344dad1402d73c8fb892e8d5273
SHA1: c84b28dd9f7de1d7d095339ea2f6d3b16345afe8
SHA256: 31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3
SHA512: 18d7f92256a527d8caac2a03d06dc1cb20974d25ca56aa92225e386d1be2acb97777e5f162dfe1287c444b4a82389d18ce1bcfedc4c6c16e96d2214d036eaba6
SSDEEP: 6144:2wBHhWBLXgF+NnSqHrp4wTNGuw7Rytx98J+p0Mu0FZMxiftlxRmB7wZ5:2eHktX2pqOwWoiAr9dRmhw
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 10 IoCs)
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe.exe:*:Enabled:Windows Messanger" | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Q8RNYZBCTS.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Q8RNYZBCTS.exe:*:Enabled:Windows Messanger" | reg.exe
Executes dropped EXE (1 IoCs)
pid | Process
- 4980 | svchost.exe.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java plug-in = "C:\\Users\\Admin\\AppData\\Local\\Temp\\javaw.exe" | 31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
- PID 552 set thread context of 4980 | 552 | 31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe | 82
Modifies registry key (1 TTPs, 4 IoCs)
pid | Process
- 4500 | reg.exe
- 1452 | reg.exe
- 1836 | reg.exe
- 4156 | reg.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 552 | 31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe
- Token: 1 | 4980 | svchost.exe.exe
- Token: SeCreateTokenPrivilege | 4980 | svchost.exe.exe
- Token: SeAssignPrimaryTokenPrivilege | 4980 | svchost.exe.exe
- Token: SeLockMemoryPrivilege | 4980 | svchost.exe.exe
- Token: SeIncreaseQuotaPrivilege | 4980 | svchost.exe.exe
- Token: SeMachineAccountPrivilege | 4980 | svchost.exe.exe
- Token: SeTcbPrivilege | 4980 | svchost.exe.exe
- Token: SeSecurityPrivilege | 4980 | svchost.exe.exe
- Token: SeTakeOwnershipPrivilege | 4980 | svchost.exe.exe
- Token: SeLoadDriverPrivilege | 4980 | svchost.exe.exe
- Token: SeSystemProfilePrivilege | 4980 | svchost.exe.exe
- Token: SeSystemtimePrivilege | 4980 | svchost.exe.exe
- Token: SeProfSingleProcessPrivilege | 4980 | svchost.exe.exe
- Token: SeIncBasePriorityPrivilege | 4980 | svchost.exe.exe
- Token: SeCreatePagefilePrivilege | 4980 | svchost.exe.exe
- Token: SeCreatePermanentPrivilege | 4980 | svchost.exe.exe
- Token: SeBackupPrivilege | 4980 | svchost.exe.exe
- Token: SeRestorePrivilege | 4980 | svchost.exe.exe
- Token: SeShutdownPrivilege | 4980 | svchost.exe.exe
- Token: SeDebugPrivilege | 4980 | svchost.exe.exe
- Token: SeAuditPrivilege | 4980 | svchost.exe.exe
- Token: SeSystemEnvironmentPrivilege | 4980 | svchost.exe.exe
- Token: SeChangeNotifyPrivilege | 4980 | svchost.exe.exe
- Token: SeRemoteShutdownPrivilege | 4980 | svchost.exe.exe
- Token: SeUndockPrivilege | 4980 | svchost.exe.exe
- Token: SeSyncAgentPrivilege | 4980 | svchost.exe.exe
- Token: SeEnableDelegationPrivilege | 4980 | svchost.exe.exe
- Token: SeManageVolumePrivilege | 4980 | svchost.exe.exe
- Token: SeImpersonatePrivilege | 4980 | svchost.exe.exe
- Token: SeCreateGlobalPrivilege | 4980 | svchost.exe.exe
- Token: 31 | 4980 | svchost.exe.exe
- Token: 32 | 4980 | svchost.exe.exe
- Token: 33 | 4980 | svchost.exe.exe
- Token: 34 | 4980 | svchost.exe.exe
- Token: 35 | 4980 | svchost.exe.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
- 4980 | svchost.exe.exe
- 4980 | svchost.exe.exe
- 4980 | svchost.exe.exe
- 4980 | svchost.exe.exe
Suspicious use of WriteProcessMemory (32 IoCs)
description | pid | Process | procid_target
- PID 552 wrote to memory of 4980 | 552 | 31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe | 82
- PID 552 wrote to memory of 4980 | 552 | 31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe | 82
- PID 552 wrote to memory of 4980 | 552 | 31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe | 82
- PID 552 wrote to memory of 4980 | 552 | 31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe | 82
- PID 552 wrote to memory of 4980 | 552 | 31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe | 82
- PID 552 wrote to memory of 4980 | 552 | 31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe | 82
- PID 552 wrote to memory of 4980 | 552 | 31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe | 82
- PID 552 wrote to memory of 4980 | 552 | 31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe | 82
- PID 4980 wrote to memory of 852 | 4980 | svchost.exe.exe | 83
- PID 4980 wrote to memory of 852 | 4980 | svchost.exe.exe | 83
- PID 4980 wrote to memory of 852 | 4980 | svchost.exe.exe | 83
- PID 4980 wrote to memory of 1004 | 4980 | svchost.exe.exe | 84
- PID 4980 wrote to memory of 1004 | 4980 | svchost.exe.exe | 84
- PID 4980 wrote to memory of 1004 | 4980 | svchost.exe.exe | 84
- PID 4980 wrote to memory of 736 | 4980 | svchost.exe.exe | 87
- PID 4980 wrote to memory of 736 | 4980 | svchost.exe.exe | 87
- PID 4980 wrote to memory of 736 | 4980 | svchost.exe.exe | 87
- PID 4980 wrote to memory of 4356 | 4980 | svchost.exe.exe | 88
- PID 4980 wrote to memory of 4356 | 4980 | svchost.exe.exe | 88
- PID 4980 wrote to memory of 4356 | 4980 | svchost.exe.exe | 88
- PID 852 wrote to memory of 1452 | 852 | cmd.exe | 91
- PID 852 wrote to memory of 1452 | 852 | cmd.exe | 91
- PID 852 wrote to memory of 1452 | 852 | cmd.exe | 91
- PID 736 wrote to memory of 1836 | 736 | cmd.exe | 92
- PID 736 wrote to memory of 1836 | 736 | cmd.exe | 92
- PID 736 wrote to memory of 1836 | 736 | cmd.exe | 92
- PID 1004 wrote to memory of 4156 | 1004 | cmd.exe | 93
- PID 1004 wrote to memory of 4156 | 1004 | cmd.exe | 93
- PID 1004 wrote to memory of 4156 | 1004 | cmd.exe | 93
- PID 4356 wrote to memory of 4500 | 4356 | cmd.exe | 94
- PID 4356 wrote to memory of 4500 | 4356 | cmd.exe | 94
- PID 4356 wrote to memory of 4500 | 4356 | cmd.exe | 94
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe (PID 552)
  Command line: "C:\Users\Admin\AppData\Local\Temp\31fa8967a1daf46f9a63f6236aae0b5aca847a5738f4adf74e6a70542d2642b3.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe (PID 4980)
    Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\cmd.exe (PID 852)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\SysWOW64\reg.exe (PID 1452)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    [depth 3] C:\Windows\SysWOW64\cmd.exe (PID 1004)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\SysWOW64\reg.exe (PID 4156)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
    [depth 3] C:\Windows\SysWOW64\cmd.exe (PID 736)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\SysWOW64\reg.exe (PID 1836)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    [depth 3] C:\Windows\SysWOW64\cmd.exe (PID 4356)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Q8RNYZBCTS.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Q8RNYZBCTS.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\SysWOW64\reg.exe (PID 4500)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Q8RNYZBCTS.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Q8RNYZBCTS.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 34KB
MD5: e118330b4629b12368d91b9df6488be0
SHA1: ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA256: 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512: ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0