Resubmissions
26/12/2022, 02:17  221226-cq1taafe7t  8
26/12/2022, 01:37  221226-b16lvafe6s  8
26/12/2022, 01:34  221226-by65lacd25  8
25/12/2022, 04:48  221225-fff8nsbb39  10

Analysis
max time kernel: 282s
max time network: 292s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2022, 01:34
Static task: static1

Behavioral task: behavioral1
  Sample: 97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe
  Resource: win10v2004-20220812-en
General
Target: 97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe
Size: 1.6MB
MD5: 5015b3096f5bf7039c82684c2d88bf2c
SHA1: 24aada32e2ac068d737866b6561e64a20f10f65e
SHA256: 97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12
SHA512: 808031a37f169702a6e495bbd7597a8a2dd6c7e0d9690d35b4b822aff59987db5674bea0a2da042343313463860f8ef987276a8f92fc670b541e091c99f5045b
SSDEEP: 49152:g2LdRphDBhCTGFMWDumigm0pCiO5BAD70TfhxWYAhiISV:g2JRphjZM2UCGrIm
Malware Config
Signatures
Executes dropped EXE  2 IoCs
pid   Process
2580  Engine.exe
1120  Participant.exe.pif

resource                                                                      yara_rule
behavioral2/files/0x0002000000021b42-133.dat                                  upx
behavioral2/files/0x0002000000021b42-134.dat                                  upx
behavioral2/memory/2580-136-0x0000000000400000-0x0000000000558000-memory.dmp  upx
behavioral2/memory/2580-161-0x0000000000400000-0x0000000000558000-memory.dmp  upx
behavioral2/memory/2580-162-0x0000000000400000-0x0000000000558000-memory.dmp  upx
Drops desktop.ini file(s)  1 IoCs
description                   ioc                                         Process
File opened for modification  C:\Users\Admin\Videos\Captures\desktop.ini  svchost.exe

Legitimate hosting services abused for malware hosting/C2  1 TTPs
Suspicious use of SetThreadContext  1 IoCs
description                          pid   Process              procid_target
PID 1120 set thread context of 3808  1120  Participant.exe.pif  102
Checks processor information in registry  2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                  Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     svchost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  svchost.exe
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     svchost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  svchost.exe
Modifies registry class  2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{6656EB60-639D-4F69-9601-08B9548FA9DA}  svchost.exe
Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{FD90536F-9BDC-4F06-9866-231C88B345F0}  svchost.exe
Runs ping.exe  1 TTPs 1 IoCs
pid   Process
1548  PING.EXE
Suspicious behavior: EnumeratesProcesses  20 IoCs
pid   Process
1544  powershell.exe
1544  powershell.exe
1544  powershell.exe
2060  powershell.exe
2060  powershell.exe
2060  powershell.exe
1120  Participant.exe.pif
1120  Participant.exe.pif
1120  Participant.exe.pif
1120  Participant.exe.pif
1120  Participant.exe.pif
1120  Participant.exe.pif
1120  Participant.exe.pif
1120  Participant.exe.pif
1120  Participant.exe.pif
1120  Participant.exe.pif
1120  Participant.exe.pif
1120  Participant.exe.pif
1120  Participant.exe.pif
1120  Participant.exe.pif
Suspicious use of AdjustPrivilegeToken  3 IoCs
description              pid   Process
Token: SeDebugPrivilege  1544  powershell.exe
Token: SeDebugPrivilege  2060  powershell.exe
Token: SeDebugPrivilege  3808  jsc.exe

Suspicious use of FindShellTrayWindow  3 IoCs
pid   Process
1120  Participant.exe.pif
1120  Participant.exe.pif
1120  Participant.exe.pif

Suspicious use of SendNotifyMessage  3 IoCs
pid   Process
1120  Participant.exe.pif
1120  Participant.exe.pif
1120  Participant.exe.pif

Suspicious use of SetWindowsHookEx  1 IoCs
pid   Process
4884  OpenWith.exe

Suspicious use of WriteProcessMemory  29 IoCs
description                        pid   Process                                                                   procid_target
PID 2352 wrote to memory of 2580   2352  97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe  81
PID 2352 wrote to memory of 2580   2352  97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe  81
PID 2352 wrote to memory of 2580   2352  97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe  81
PID 2580 wrote to memory of 2972   2580  Engine.exe                                                                82
PID 2580 wrote to memory of 2972   2580  Engine.exe                                                                82
PID 2580 wrote to memory of 2972   2580  Engine.exe                                                                82
PID 2972 wrote to memory of 5108   2972  cmd.exe                                                                   85
PID 2972 wrote to memory of 5108   2972  cmd.exe                                                                   85
PID 2972 wrote to memory of 5108   2972  cmd.exe                                                                   85
PID 5108 wrote to memory of 1544   5108  cmd.exe                                                                   89
PID 5108 wrote to memory of 1544   5108  cmd.exe                                                                   89
PID 5108 wrote to memory of 1544   5108  cmd.exe                                                                   89
PID 5108 wrote to memory of 2060   5108  cmd.exe                                                                   93
PID 5108 wrote to memory of 2060   5108  cmd.exe                                                                   93
PID 5108 wrote to memory of 2060   5108  cmd.exe                                                                   93
PID 5108 wrote to memory of 3252   5108  cmd.exe                                                                   94
PID 5108 wrote to memory of 3252   5108  cmd.exe                                                                   94
PID 5108 wrote to memory of 3252   5108  cmd.exe                                                                   94
PID 5108 wrote to memory of 1120   5108  cmd.exe                                                                   95
PID 5108 wrote to memory of 1120   5108  cmd.exe                                                                   95
PID 5108 wrote to memory of 1120   5108  cmd.exe                                                                   95
PID 5108 wrote to memory of 1548   5108  cmd.exe                                                                   96
PID 5108 wrote to memory of 1548   5108  cmd.exe                                                                   96
PID 5108 wrote to memory of 1548   5108  cmd.exe                                                                   96
PID 1120 wrote to memory of 3808   1120  Participant.exe.pif                                                       102
PID 1120 wrote to memory of 3808   1120  Participant.exe.pif                                                       102
PID 1120 wrote to memory of 3808   1120  Participant.exe.pif                                                       102
PID 1120 wrote to memory of 3808   1120  Participant.exe.pif                                                       102
PID 1120 wrote to memory of 3808   1120  Participant.exe.pif                                                       102
Processes

C:\Users\Admin\AppData\Local\Temp\97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe"
  PID: 2352
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SETUP_26755\Engine.exe
    command line: C:\Users\Admin\AppData\Local\Temp\SETUP_26755\Engine.exe /TH_ID=_4216 /OriginExe="C:\Users\Admin\AppData\Local\Temp\97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe"
    PID: 2580
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c cmd < 5
      PID: 2972
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        command line: cmd
        PID: 5108
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell get-process avastui
          PID: 1544
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell get-process avgui
          PID: 2060
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\findstr.exe
          command line: findstr /V /R "^4172427212736811499564357707315395374551589040599087952093583091844164705808632821$" 3
          PID: 3252

        C:\Users\Admin\AppData\Local\Temp\njv3bvgd.5b1\21493\Participant.exe.pif
          command line: 21493\\Participant.exe.pif 21493\\P
          PID: 1120
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            PID: 3808
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\PING.EXE
          command line: ping localhost -n 8
          PID: 1548
          - Runs ping.exe

C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 4884
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
  PID: 4092
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Modifies registry class

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
  PID: 2480
  - Checks processor information in registry
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads