Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
97s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
30/01/2023, 16:16
Static task
static1
Behavioral task
behavioral1
Sample
decoded.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
decoded.exe
Resource
win10v2004-20220812-en
General
-
Target
decoded.exe
-
Size
1.3MB
-
MD5
2d48214132e5c4d808740e71ec5f6a7f
-
SHA1
f3c7534d9f139782006b5656ec0d229d8d9d356e
-
SHA256
c1fadb8e09ba1257f7656be5a1c8d44e2a0da8697e8e0a32485714949a6c29ca
-
SHA512
71b38bc31ecd199d3408e831c0cda0b0fbce6b363d5da3500767ff2a9a02fc0b3990512085d8d44e25b50e87eceaf4527e58d9c3e0a0802efbc3164af94a77a2
-
SSDEEP
24576:LMmDOoI0Acd30rkQS8nikHN+KNzPKqQRD2F2PcAFdiqP1t/qiSlJjKGY:LMelI0AA0rkQznikHnNyn62PVFLtiiSO
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 3984 created 2576 3984 Milf.exe.pif 27 -
Executes dropped EXE 1 IoCs
pid Process 3984 Milf.exe.pif -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YHgsKCxQSK.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YHgsKCxQSK.url cmd.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce decoded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" decoded.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3984 set thread context of 2580 3984 Milf.exe.pif 101 -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3500 PING.EXE -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 876 powershell.exe 876 powershell.exe 876 powershell.exe 3096 powershell.exe 3096 powershell.exe 3096 powershell.exe 3984 Milf.exe.pif 3984 Milf.exe.pif 3984 Milf.exe.pif 3984 Milf.exe.pif 3984 Milf.exe.pif 3984 Milf.exe.pif 3984 Milf.exe.pif 3984 Milf.exe.pif 3984 Milf.exe.pif 3984 Milf.exe.pif 3984 Milf.exe.pif 3984 Milf.exe.pif 3984 Milf.exe.pif 3984 Milf.exe.pif 3984 Milf.exe.pif 3984 Milf.exe.pif -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 876 powershell.exe Token: SeDebugPrivilege 3096 powershell.exe Token: SeDebugPrivilege 2580 jsc.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 3984 Milf.exe.pif 3984 Milf.exe.pif 3984 Milf.exe.pif -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 3984 Milf.exe.pif 3984 Milf.exe.pif 3984 Milf.exe.pif -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 2752 wrote to memory of 3968 2752 decoded.exe 81 PID 2752 wrote to memory of 3968 2752 decoded.exe 81 PID 2752 wrote to memory of 3968 2752 decoded.exe 81 PID 2752 wrote to memory of 4656 2752 decoded.exe 83 PID 2752 wrote to memory of 4656 2752 decoded.exe 83 PID 2752 wrote to memory of 4656 2752 decoded.exe 83 PID 4656 wrote to memory of 4812 4656 cmd.exe 85 PID 4656 wrote to memory of 4812 4656 cmd.exe 85 PID 4656 wrote to memory of 4812 4656 cmd.exe 85 PID 4812 wrote to memory of 876 4812 cmd.exe 86 PID 4812 wrote to memory of 876 4812 cmd.exe 86 PID 4812 wrote to memory of 876 4812 cmd.exe 86 PID 4812 wrote to memory of 3096 4812 cmd.exe 87 PID 4812 wrote to memory of 3096 4812 cmd.exe 87 PID 4812 wrote to memory of 3096 4812 cmd.exe 87 PID 4812 wrote to memory of 1244 4812 cmd.exe 88 PID 4812 wrote to memory of 1244 4812 cmd.exe 88 PID 4812 wrote to memory of 1244 4812 cmd.exe 88 PID 4812 wrote to memory of 4304 4812 cmd.exe 89 PID 4812 wrote to memory of 4304 4812 cmd.exe 89 PID 4812 wrote to memory of 4304 4812 cmd.exe 89 PID 4812 wrote to memory of 3984 4812 cmd.exe 90 PID 4812 wrote to memory of 3984 4812 cmd.exe 90 PID 4812 wrote to memory of 3984 4812 cmd.exe 90 PID 4812 wrote to memory of 3500 4812 cmd.exe 93 PID 4812 wrote to memory of 3500 4812 cmd.exe 93 PID 4812 wrote to memory of 3500 4812 cmd.exe 93 PID 3984 wrote to memory of 316 3984 Milf.exe.pif 94 PID 3984 wrote to memory of 316 3984 Milf.exe.pif 94 PID 3984 wrote to memory of 316 3984 Milf.exe.pif 94 PID 3984 wrote to memory of 2580 3984 Milf.exe.pif 101 PID 3984 wrote to memory of 2580 3984 Milf.exe.pif 101 PID 3984 wrote to memory of 2580 3984 Milf.exe.pif 101 PID 3984 wrote to memory of 2580 3984 Milf.exe.pif 101 PID 3984 wrote to memory of 2580 3984 Milf.exe.pif 101
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:2576
-
C:\Users\Admin\AppData\Local\Temp\decoded.exe"C:\Users\Admin\AppData\Local\Temp\decoded.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\nslookup.exenslookup ashfdjkhgwiueghfruihwjkefwe3⤵PID:3968
-
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < 23⤵
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\cmd.execmd4⤵
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell get-process avastui5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell get-process avgui5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3096
-
-
C:\Windows\SysWOW64\certutil.execertutil -decode 86 86YEO5⤵PID:1244
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^QyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmSFyMxWuKGRJDopFhZDrhRDHAYtAoQHDCIZfrnmkrkibbwxQlV$" 86YEO5⤵PID:4304
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9780\Milf.exe.pif9780\\Milf.exe.pif 9780\\d5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 85⤵
- Runs ping.exe
PID:3500
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YHgsKCxQSK.url" & echo URL="C:\Users\Admin\AppData\Local\MYSMWZEvHY\VPbsOvHZF.vbs" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YHgsKCxQSK.url"2⤵
- Drops startup file
PID:316
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
Filesize
18KB
MD5708511c46bcb778e89b204cb40403a17
SHA1456294d0b869be8c77546e9de5a7dfe0253c0dc0
SHA256b01b3dc94d2f7c4056c2b865798fb71f5fc1e91060719f739f0339adf3342cb4
SHA512e8fe358ffdf46c179b8443f9756053c84fe99dad0156ff26b036e109c5bf9df139a1bf29ebe7a577216b30b6b2e900175be1412fbed4a766841e62c46682a810
-
Filesize
11KB
MD5cf13b620804b451200c2fc35d0955c1e
SHA10b9034ce408d6bdfc2d12a5f957361df1494b564
SHA256968a4e2af5aa8c0ab95e65c08eb5a5ea03d921c9220def24675a676ff3f9fe76
SHA512a4c73efd6ff723b9067c95258f02ee0570cf076a1d992456bfdccdd064e1771dde530d0dd046d2dad6185cb08eb4d641484f75b94b04f0dfd384bdd60fd22f26
-
Filesize
1.9MB
MD5fa191eedf1fd23465aea012c60dd159f
SHA1230d11121b16f1d38f31a2867c214bef83da6f22
SHA25694e500c66add5eb1ee91b8de448668a7c7d26021104c9bec2c156c8dbbc9a440
SHA512bee65d47a8ee4311d016dd85e3fc45d28d4133da18a15430388067b4457e542b3790344e7b9e38672c191832b56550ec0e676b5e047f8ff9ac1b9e0f339d342d
-
Filesize
1.2MB
MD53c775f771bf21af3a95b519b87d3a055
SHA1796a926397a7024348db5c8790acfb69cca68227
SHA25666404d8f396ba4198e14b73cea09b36567d55d93c683965e13e2f9765f0f1b6c
SHA51220a2ff99e8c676a3c3ec9fdfb26a000fda8aeb36373380f764e6fe8f428f7dce42cea9dd2b66fa9e0a84c01f13c224f53f147cc420d1de3d1fc0539a670ca253
-
Filesize
872KB
MD50d398b7bfb54c5e22d8b42e8545837d7
SHA1c065aed432508df9bacf121e7f0ed9bc0ebcce62
SHA256a80a0a728e5451c54543c9527b12e0f8938e6fa72c3ef34ac6044fdec39d505e
SHA5128a9038fb3f563abd69c628bcc32211550afde710be390131f5ac4fe8d59d58e9794d0562b60fe0e13fc1bc01d4c256867035d362f24bcd52b6834c874fefd4c7
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c