Resubmissions
26/12/2022, 02:17  221226-cq1taafe7t  score 8
26/12/2022, 01:37  221226-b16lvafe6s  score 8
26/12/2022, 01:34  221226-by65lacd25  score 8
25/12/2022, 04:48  221225-fff8nsbb39  score 10

Analysis
max time kernel: 144s
max time network: 280s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 25/12/2022, 04:48
Static task: static1
Behavioral task: behavioral1
Sample: 97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe
Resource: win7-20221111-en
General
Target: 97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe
Size: 1.6MB
MD5: 5015b3096f5bf7039c82684c2d88bf2c
SHA1: 24aada32e2ac068d737866b6561e64a20f10f65e
SHA256: 97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12
SHA512: 808031a37f169702a6e495bbd7597a8a2dd6c7e0d9690d35b4b822aff59987db5674bea0a2da042343313463860f8ef987276a8f92fc670b541e091c99f5045b
SSDEEP: 49152:g2LdRphDBhCTGFMWDumigm0pCiO5BAD70TfhxWYAhiISV:g2JRphjZM2UCGrIm
Malware Config

Signatures

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | jsc.exe
Executes dropped EXE (2 IoCs)
pid | Process
2344 | Engine.exe
2884 | Participant.exe.pif

YARA rule match (upx)
resource | yara_rule
behavioral2/files/0x000b00000001abda-157.dat | upx
behavioral2/files/0x000b00000001abda-165.dat | upx
behavioral2/memory/2344-173-0x0000000000400000-0x0000000000558000-memory.dmp | upx
behavioral2/memory/2344-339-0x0000000000400000-0x0000000000558000-memory.dmp | upx
behavioral2/memory/2344-526-0x0000000000400000-0x0000000000558000-memory.dmp | upx
Drops desktop.ini file(s) (1 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | bcastdvr.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
14 | eth0.me

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2884 set thread context of 4284 | 2884 | Participant.exe.pif | 79

Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | GamePanel.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | GamePanel.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | GamePanel.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | GamePanel.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
4036 | PING.EXE
Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid | Process
4752 | powershell.exe (4 entries)
1876 | powershell.exe (4 entries)
2884 | Participant.exe.pif (14 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4752 | powershell.exe
Token: SeDebugPrivilege | 1876 | powershell.exe
Token: SeDebugPrivilege | 4284 | jsc.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
2884 | Participant.exe.pif (3 entries)

Suspicious use of SendNotifyMessage (3 IoCs)
pid | Process
2884 | Participant.exe.pif (3 entries)

Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 1940 wrote to memory of 2344 | 1940 | 97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe | 67 (3 entries)
PID 2344 wrote to memory of 768 | 2344 | Engine.exe | 68 (3 entries)
PID 768 wrote to memory of 4712 | 768 | cmd.exe | 72 (3 entries)
PID 4712 wrote to memory of 4752 | 4712 | cmd.exe | 74 (3 entries)
PID 4712 wrote to memory of 1876 | 4712 | cmd.exe | 75 (3 entries)
PID 4712 wrote to memory of 1452 | 4712 | cmd.exe | 76 (3 entries)
PID 4712 wrote to memory of 2884 | 4712 | cmd.exe | 77 (3 entries)
PID 4712 wrote to memory of 4036 | 4712 | cmd.exe | 78 (3 entries)
PID 2884 wrote to memory of 4284 | 2884 | Participant.exe.pif | 79 (5 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe"
  PID: 1940
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SETUP_36684\Engine.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\SETUP_36684\Engine.exe /TH_ID=_4112 /OriginExe="C:\Users\Admin\AppData\Local\Temp\97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe"
    PID: 2344
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cmd < 5
      PID: 768
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd
        PID: 4712
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell get-process avastui
          PID: 4752
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell get-process avgui
          PID: 1876
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\findstr.exe
          Command line: findstr /V /R "^4172427212736811499564357707315395374551589040599087952093583091844164705808632821$" 3
          PID: 1452

        C:\Users\Admin\AppData\Local\Temp\njv3bvgd.5b1\27837\Participant.exe.pif
          Command line: 27837\\Participant.exe.pif 27837\\P
          PID: 2884
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            PID: 4284
            - UAC bypass
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping localhost -n 8
          PID: 4036
          - Runs ping.exe

C:\Windows\System32\GamePanel.exe
  Command line: "C:\Windows\System32\GamePanel.exe" 000000000008011C /startuptips
  PID: 3700
  - Checks SCSI registry key(s)

C:\Windows\System32\bcastdvr.exe
  Command line: "C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
  PID: 3212
  - Drops desktop.ini file(s)
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 2KB
MD5: 6bf0e5945fb9da68e1b03bdaed5f6f8d
SHA1: eed3802c8e4abe3b327c100c99c53d3bbcf8a33d
SHA256: dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1
SHA512: 977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

Filesize: 18KB
MD5: 733951471321e461dcf0f4b51e4ffec3
SHA1: 150830ae9cf347a05d5d0bc75920d8b9f9a57900
SHA256: ebc53d1ee3d9cc8cb89ff3090c1cc8e213b6caae02f04c3ae127595ecb59fe7f
SHA512: f9b6d37f307d8369898a803382b42e52cab4ccd839e10f323adbc38e1b980d7b2aff5ddf63f2375de68010cf5a21ad6a79183202946f8aaa91c51d7da5c42710

Filesize: 872KB
MD5: 9cd9369d3dc8824248464570a212e564
SHA1: a9880b7367c0c1e7a560fd9bc68c7561847d65d8
SHA256: cd1408c1e426684ffbe76ff868ed7e9cf0a56617dc2817243c9314653b1c3cdf
SHA512: 64bf6265cde11d0f4ab36a6178b5aa2239468871f7b02513b7b9aa9721e8e217e87316e21acc951ea2c99bb194bb6f278ccef98fe127cb65407f85d150c71eca

Filesize: 12KB
MD5: 766ec43b82895b93ac97641978856551
SHA1: af4184b1ea5a2314773cbb85aa6bc9c21f41aa87
SHA256: 63e7a1799d65555bf0fef6b3b7ffe388657f8010d17f6ec73a16d8804ae75d34
SHA512: 597bd5019d92d616b8e86d246770e9b6dfa40cf2d3c70144f9efe9bbacd50950623bbb167b1dc54b5198e917a128839ca93edc9019ab5f1042649c4a13e44611

Filesize: 1.5MB
MD5: 268a482ed5ef9f3209bec71d291a19e7
SHA1: 11e94a6f5360dabcd60a2329b86ec28c2e8ca38c
SHA256: 1921ce205f4ef1a01a0c5dd326499dc26d3f9588888c97d59aa42917ba053bed
SHA512: 9d43663903c23777b5e7408b73fea94885f07019a9cecc95b43641fb2712e1187d0bdef8bc5323667535f3f6c77ae8b587d6c6baa09a2b05ab420b2501455beb

Filesize: 392KB
MD5: a7a99a201774531d761f6aac2651a9df
SHA1: b122ae368c4bf103e959a6ebb54ddb310117ab96
SHA256: e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524
SHA512: 056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Filesize: 392KB
MD5: a7a99a201774531d761f6aac2651a9df
SHA1: b122ae368c4bf103e959a6ebb54ddb310117ab96
SHA256: e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524
SHA512: 056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Filesize: 7KB
MD5: 1dd88f67f029710d5c5858a6293a93f1
SHA1: 3e5ef66613415fe9467b2a24ccc27d8f997e7df6
SHA256: b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532
SHA512: 7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Filesize: 2KB
MD5: cae83309280eb1febee041b70be024fd
SHA1: c3a773b4c1430dcbabcc7687a98aaccf12710443
SHA256: a3e3ef834ab038542f3ba5bfbae89d63bb147c270663ecbb0420b1a68e1d7255
SHA512: e1bdcf17fd22f55c66e4fc99b202cdc27d6135308158739cdcca519d5a1b3ae28e3c4d1a018b47d600410b91b779d468b113ad8e9fd583e589567abf141b3949

Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Filesize: 190B
MD5: b0d27eaec71f1cd73b015f5ceeb15f9d
SHA1: 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA256: 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA512: 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c