Analysis
max time kernel: 38s
max time network: 36s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/03/2023, 04:40
Static task: static1
Behavioral task: behavioral1
Sample: Google Chrome.exe
Resource: win10v2004-20230221-en
General
Target: Google Chrome.exe
Size: 4.3MB
MD5: 40e913e960fab34fd7532d583dcce3b4
SHA1: c86950a5190c9576754734945f64d61724ad3e8b
SHA256: e7d16815ce3d770f141aee8385aa40f06182decc9cc4f586996f26c71c394b96
SHA512: 17c49bfa33522c3475fb74f4bb0be9906d35ae55dd4b35d98ddcb876a1be09f7fd48a57de1beee6805e4b0f8b18db59ab421a132b6cbc830c5be8bdb75153d0d
SSDEEP: 98304:Z3UnKnPlyiowsuJhVclogf4qtHbxWKmEQ0BWHeSf1D:ZEnwPlBopuJh21JmdQ09D
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid 4568  Google Chrome.exe
  pid 3652  Google Chrome.exe

Loads dropped DLL (2 IoCs)
  pid 3652  Google Chrome.exe
  pid 3652  Google Chrome.exe

Drops file in System32 directory (42 IoCs)
  All entries: file opened for modification by Google Chrome.exe
  C:\Windows\SysWOW64\RPCRT4.dll
  C:\Windows\SysWOW64\win32u.dll
  C:\Windows\SysWOW64\uxtheme.dll
  C:\Windows\SysWOW64\combase.dll
  C:\Windows\SysWOW64\imagehlp.dll
  C:\Windows\SysWOW64\version.dll
  C:\Windows\SysWOW64\PROPSYS.dll
  C:\Windows\SysWOW64\MSCTF.dll
  C:\Windows\SysWOW64\KERNEL32.DLL
  C:\Windows\SysWOW64\USER32.dll
  C:\Windows\SysWOW64\SHLWAPI.dll
  C:\Windows\SysWOW64\wsock32.dll
  C:\Windows\SysWOW64\kernel.appcore.dll
  C:\Windows\SysWOW64\profapi.dll
  C:\Windows\SysWOW64\gdi32full.dll
  C:\Windows\SysWOW64\ws2_32.dll
  C:\Windows\SysWOW64\opengl32.dll
  C:\Windows\SysWOW64\KERNELBASE.dll
  C:\Windows\SysWOW64\apphelp.dll
  C:\Windows\SysWOW64\GDI32.dll
  C:\Windows\SysWOW64\oleaut32.dll
  C:\Windows\SysWOW64\msimg32.dll
  C:\Windows\SysWOW64\msvcp_win.dll
  C:\Windows\SysWOW64\imm32.dll
  C:\Windows\SysWOW64\hhctrl.ocx
  C:\Windows\SysWOW64\windows.storage.dll
  C:\Windows\SysWOW64\ntdll.dll
  C:\Windows\SysWOW64\advapi32.dll
  C:\Windows\SysWOW64\msvcrt.dll
  C:\Windows\SysWOW64\ucrtbase.dll
  C:\Windows\SysWOW64\shcore.dll
  C:\Windows\SysWOW64\clbcatq.dll
  C:\Windows\SysWOW64\shfolder.dll
  C:\Windows\SysWOW64\Wldp.dll
  C:\Windows\SysWOW64\psapi.dll
  C:\Windows\SysWOW64\sechost.dll
  C:\Windows\SysWOW64\comdlg32.dll
  C:\Windows\SysWOW64\SHELL32.dll
  C:\Windows\SysWOW64\ole32.dll
  C:\Windows\SysWOW64\GLU32.dll
  C:\Windows\SysWOW64\bcryptPrimitives.dll
  C:\Windows\SysWOW64\explorerframe.dll

Drops file in Windows directory (1 IoC)
  File opened for modification by Google Chrome.exe:
  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\comctl32.dll

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened (taskmgr.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  Key opened (taskmgr.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  Key value queried (taskmgr.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3652  Google Chrome.exe  (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 4128  taskmgr.exe

Suspicious use of AdjustPrivilegeToken (18 IoCs)
  pid 3652  Google Chrome.exe  Token: SeDebugPrivilege
  pid 3652  Google Chrome.exe  Token: SeLoadDriverPrivilege
  pid 3652  Google Chrome.exe  Token: SeCreateGlobalPrivilege
  pid 3652  Google Chrome.exe  Token: 33
  pid 3652  Google Chrome.exe  Token: SeSecurityPrivilege
  pid 3652  Google Chrome.exe  Token: SeTakeOwnershipPrivilege
  pid 3652  Google Chrome.exe  Token: SeManageVolumePrivilege
  pid 3652  Google Chrome.exe  Token: SeBackupPrivilege
  pid 3652  Google Chrome.exe  Token: SeCreatePagefilePrivilege
  pid 3652  Google Chrome.exe  Token: SeShutdownPrivilege
  pid 3652  Google Chrome.exe  Token: SeRestorePrivilege
  pid 3652  Google Chrome.exe  Token: 33
  pid 3652  Google Chrome.exe  Token: SeIncBasePriorityPrivilege
  pid 4128  taskmgr.exe        Token: SeDebugPrivilege
  pid 4128  taskmgr.exe        Token: SeSystemProfilePrivilege
  pid 4128  taskmgr.exe        Token: SeCreateGlobalPrivilege
  pid 4128  taskmgr.exe        Token: 33
  pid 4128  taskmgr.exe        Token: SeIncBasePriorityPrivilege

Suspicious use of FindShellTrayWindow (44 IoCs)
  pid 3652  Google Chrome.exe  (1 entry)
  pid 4128  taskmgr.exe        (43 identical entries)

Suspicious use of SendNotifyMessage (43 IoCs)
  pid 4128  taskmgr.exe  (43 identical entries)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4300 wrote to memory of 4568  (Google Chrome.exe, procid_target 86)  x3
  PID 4568 wrote to memory of 3652  (Google Chrome.exe, procid_target 87)  x3
Processes
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe  (PID 4300)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\Google Chrome.exe  (PID 4568, child of 4300)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\Google Chrome.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\extracted\Google Chrome.exe  (PID 3652, child of 4568)
      Command line: "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\extracted\Google Chrome.exe" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

C:\Windows\system32\taskmgr.exe  (PID 4128)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 4.0MB
MD5: fd0b128791ae1feeeed465e9b22702b6
SHA1: 57664986fe0dc316481d0e0a98ca2c1e1afa6f19
SHA256: ef894ae5060c4206b017e688bb0f83580d2ff1d5c254207736cfbf939aec935c
SHA512: 8178e20977f77010fc68eb5be9288a262bc5034335b15bc3cb8a5cc9a683a292bbd13a541c4e06f61cb5a14c8a7302b28dfe25b0cf6928839c84fda87bc18451

Filesize: 196KB
MD5: 808de473370ef6b5d98ab752f245a3ca
SHA1: 800bd4ad10c17471829693fac3cee4502b14f029
SHA256: 65cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39
SHA512: fafaff03ad502523b3627e59e1026b8af4217a80215782a90667bc4f4c330871d8c3d890f2601b68ec9a42c0171d12b9e5b87067c95dcad1132b0a8979c56a4c
Filesize: 443KB
MD5: a3a94bc1008c5d194dd72b4ea8792a4f
SHA1: 1ce3be16c30de9c0275da6a8b7a07e5ed8fa52e1
SHA256: 769eb7b11c02611d545b5a4ec09f50f4a6eb00e42bb818672a13a2c9c7634c98
SHA512: 315f93356c990df4eb1d3dc455e09f1aeecec9823b3c80b4b5617275c510f5372d98291f4bba973c4e5ada98bd3761656bb06a9a182f5ea91ff52026775c2bd3

Filesize: 7.4MB
MD5: 052f561d15254e91bc505d5066f4f16c
SHA1: 4166aebecfcf1f20922ae2b7dd45bebfd145d6d2
SHA256: 98269f89557e11c629155a2e29235fce7d1b25baa78a2a475ad1a27e626e75a6
SHA512: 63a5b30d3a6f817083ebfb49245502954679688552d531cdd65b21ed02e10edc38e59b5f01c0fc30340e5527a1f5918c20994eceac1a1d3bb86cc5c07aa16d61
Filesize: 5KB
MD5: d8f9b4a10a48ebd8936255f6215c8a43
SHA1: 7d8ff0012fa9d9dcf189c6df963f1c627f2ccb76
SHA256: d4347332b232622283e7dd3781f64966bd1097d06cca7052b467cf99e62898f2
SHA512: 67db5dc65fef66fe3a1920c5f406091d17eeae27266039af392a166d63686b8fc61b94684f2b97762995aefa42d2d15148213ecef64cc0df04de19320abba97a

Filesize: 329KB
MD5: 2730ff589ae86ef10d94952769f9404f
SHA1: 8010834297a6aa488e6bf90eceaaf9e60bb60c6e
SHA256: faf0850051ba175347e40481da9e2cc3a122a09d428925042932be555db06e6b
SHA512: 5fb35eb364603568b67ce0d19371016a382bc62500de807a12492ceacd5d2b765e0908e2e7e9798446b6c005c0e48c0da74c1a0f9d55c49a8ef4eb3c3d1307e0
Filesize: 1.2MB
MD5: 9139604740814e53298a5e8428ba29d7
SHA1: c7bf8947e9276a311c4807ea4a57b504f95703c9
SHA256: 150782fca5e188762a41603e2d5c7aad6b6419926bcadf350ebf84328e50948f
SHA512: 0b99259e9c0ee566d55cc53c4a7eabf025ed95973edc80ded594023a33f8273cd5d3f3053993f771f9db8a9d234e988cba73845c19ddc6e629e15a243c54cd5d