Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
343s -
max time network
353s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
08/05/2023, 15:45
Errors
General
-
Target
The_Pain_in_3_Days.zip
-
Size
111.0MB
-
MD5
8d5d9caa693c8566ff12e1551b3fac5d
-
SHA1
adcc5ec1cdb330950ff62bbc0b54b87bc7f88e52
-
SHA256
3a951f6f90dbd0bf5ee469f081d7dec99aec8099b9628b3bd14e3a2cec46b287
-
SHA512
387c64769ce78fffc0bba2faf518bf57a3577751e18f89e9d0cf6f4695b6480bd4907534a0557a85e913a9fda102685c56bd797884aefc8bfe3bdd911d3deb20
-
SSDEEP
3145728:K6wYap67pxMgQEVcsmAq8fOTg/6wO5Im6RsMhW3zJTDw:K6wG9xMUctAq3TgSwoImchezJTDw
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies system executable filetype association 2 TTPs 8 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 60 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 17 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 36 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\The_Pain_in_3_Days.zip1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc4f979758,0x7ffc4f979768,0x7ffc4f9797782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3228 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3360 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4576 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5012 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5172 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4872 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4596 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5056 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5084 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4960 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4888 --field-trial-handle=1832,i,1556551093718909051,312335992176922776,131072 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\winrar-x64-621.exe"C:\Users\Admin\Downloads\winrar-x64-621.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WinRAR\uninstall.exe"C:\Program Files\WinRAR\uninstall.exe" /setup3⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 -- "C:\Users\Admin\Desktop\The_Pain_in_3_Days.zip" C:\Users\Admin\Desktop\The_Pain_in_3_Days\1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39b9855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
109KB
MD5e51d9ff73c65b76ccd7cd09aeea99c3c
SHA1d4789310e9b7a4628154f21af9803e88e89e9b1b
SHA2567456f489100ec876062d68d152081167ac00d45194b17af4a8dd53680acfc9bd
SHA51257ab82d4a95d3b5d181c0ec1a1a1de56a4d6c83af5644032ff3af71e9bd8e13051ae274609bda8b336d70a99f2fba17331773694d7e98d4a7635f7b59651b77c
-
Filesize
659KB
MD54f190f63e84c68d504ae198d25bf2b09
SHA156a26791df3d241ce96e1bb7dd527f6fecc6e231
SHA2563a5d6267a16c3cf5a20c556a7ddbfc80c64fcd2700a8bfd901e328b3945d6a1a
SHA512521ada80acc35d41ac82ce41bcb84496a3c95cb4db34830787c13cdcb369c59830c2f7ff291f21b7f204d764f3812b68e77fd3ab52dfe0d148c01580db564291
-
Filesize
437KB
MD56e8353fb55e1606e9488f4fe79249611
SHA18c4a2b33b77eb484a4d5c46545a9fac363b7b6eb
SHA25605a7fac2bca734a21a4ee59bf8d89e26b2cb4b49d4bf2c2430af934ef5126223
SHA51272238bffa29e57993c4e20e97d78933a07e465c8f4560da4a8b9663082aa37524ce3b05b6382f6d74ff94d81c52917c6bed4a6bf464bcbdb6ff89d395ca56165
-
Filesize
437KB
MD56e8353fb55e1606e9488f4fe79249611
SHA18c4a2b33b77eb484a4d5c46545a9fac363b7b6eb
SHA25605a7fac2bca734a21a4ee59bf8d89e26b2cb4b49d4bf2c2430af934ef5126223
SHA51272238bffa29e57993c4e20e97d78933a07e465c8f4560da4a8b9663082aa37524ce3b05b6382f6d74ff94d81c52917c6bed4a6bf464bcbdb6ff89d395ca56165
-
Filesize
103KB
MD54c88a040b31c4d144b44b0dc68fb2cc8
SHA1bf473f5a5d3d8be6e5870a398212450580f8b37b
SHA2566f1a005a0e5c765fcc68fe15f7ccd18667a6e583980e001ba7181aaaeed442b8
SHA512e7f224a21d7c111b83775c778e6d9fa447e53809e0efd4f3ba99c7d6206036aa3dde9484248b244fb26789467559a40516c8e163d379e84dcf31ac84b4c5d2a8
-
Filesize
317KB
MD5381eae01a2241b8a4738b3c64649fbc0
SHA1cc5944fde68ed622ebee2da9412534e5a44a7c9a
SHA256ad58f39f5d429b5a3726c4a8ee5ccada86d24273eebf2f6072ad1fb61ea82d6e
SHA512f7a8903ea38f2b62d6fa2cc755e0d972a14d00a2e1047e6e983902eff1d3a6bca98327c2b8ed47e46435d1156816e4b0d494726fce87b6cbe7722f5249889b88
-
Filesize
2.4MB
MD5d52aa2e22af1908bfa94b95e54165df5
SHA1904ecca84a49ddedb28c40e2f0b8574dfadea8e9
SHA25670a787b94dc04e63e6d779f66780da7e35b2d1b0f4007dc4c8f6792b3f3e7879
SHA5128374f4e9b57dca3729b2b295dc9ebe38efa7515edcee5aaf958c1698cb083d99d2c4f97a3bfc3b45222db4f59fccf23f99163c87e1ccb6f591e75151451a1324
-
Filesize
2.4MB
MD5d52aa2e22af1908bfa94b95e54165df5
SHA1904ecca84a49ddedb28c40e2f0b8574dfadea8e9
SHA25670a787b94dc04e63e6d779f66780da7e35b2d1b0f4007dc4c8f6792b3f3e7879
SHA5128374f4e9b57dca3729b2b295dc9ebe38efa7515edcee5aaf958c1698cb083d99d2c4f97a3bfc3b45222db4f59fccf23f99163c87e1ccb6f591e75151451a1324
-
Filesize
437KB
MD56e8353fb55e1606e9488f4fe79249611
SHA18c4a2b33b77eb484a4d5c46545a9fac363b7b6eb
SHA25605a7fac2bca734a21a4ee59bf8d89e26b2cb4b49d4bf2c2430af934ef5126223
SHA51272238bffa29e57993c4e20e97d78933a07e465c8f4560da4a8b9663082aa37524ce3b05b6382f6d74ff94d81c52917c6bed4a6bf464bcbdb6ff89d395ca56165
-
Filesize
120B
MD5438e501b4c7df6af2336bf2bfd928d69
SHA1eda2a77cf6ce745827b309d4f42b6643544b1406
SHA256d7a97c55f3dfb42e06b3c3a385e5a57dc4e35f47e89011e94efed5b2dedacf18
SHA5129c209a0f32c9cc15f2e9aa1d6654628e4ba3d62cc4d933b334e82f88fcfff21acbf53acfcc0f03ed861227315e8bd9160d69ca76c413ad0068aba65bb8b3732b
-
Filesize
1KB
MD5497f175e01d5f222204ff5d23171b86b
SHA1105f27e9c8719fce1bbb3ccbd119b89634ec8b71
SHA2563c4b0e8e25c11d206826f7e9b05014b7c114aaa52de6bf000a0b8209717c348b
SHA512ef93a670c64a6b01199fa80c6987a9083eeb18037ed32d0f1d9ed012747ca5224d61abad2b74fe651580c33988297f7a17208a30cdeadc29a3a0b4281b0f6d53
-
Filesize
1KB
MD5999587603a368d7ffd82a40cb88001f2
SHA1655d14b71613a80d8517a5992584e5e63fad06f9
SHA25693fda84c03cb9bbb080d7c9e728917d7ad59cd0b9e98e22801c9bfeea1072f75
SHA51256decf9c4932df2da22f4a2b27a33e9d6abfa167a1b71b022059717831d3c66daeaa948370074123eeafbe883619bfe56cc7837a591edc353304ea499e51c11b
-
Filesize
6KB
MD5710274718f4690b512b3a73548603bc2
SHA169ae7d84a1624b2bbe78e97bc30ce534ef1f40b6
SHA256714282ef1659bbb530bad6e242cd60410d2d6f1a58cd60ec2ba612b0afbad21f
SHA5127c1cbf338924cca65afdd048010efc34f567d092b6c6805d71a2109a376cd8dc965aae55884db1ced4b0dbda5fb44f1c7e2572ba249b3f2b4bc3839afd543478
-
Filesize
5KB
MD5f41853c646d10b5783d040a97464be13
SHA17bfc528e50f097b808f3714ec226a18d39ce77e5
SHA25678c149dce293ee1933d584068090e267d90da3e9028365e72d130ec7324f5f3f
SHA5125a1d3cc7698cf4e4fbd4f4555c4319d3a4a93e884c5d42d0cf3b22dbf35563a3f47ee0b5b32f41105f1c8facafaa28d6feb11690b0199168b9105197fbca1513
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
149KB
MD5a92ad36c130bf45d81fa6b59745704ea
SHA142a978cea7b8873700ff4b7b2b2ca7f8058ec0c7
SHA2563727d95bac822c2f67997e4df981f57deaf46df6fe9415687661b8c9fd3b8524
SHA5129f5b7ab899a92b3f7cb3b44b85cfd2e78d83e0333ee1bb6aa001643e3032d5fde6ca741c83f34a116d0e4cd9366e10bb88c9dbf4bee71889e2cb10fdfce7fb0f
-
Filesize
149KB
MD5dd5205efca62b57dbea85aa0bd651bc0
SHA1232eae4165c52711b77699d65aae52161699e17d
SHA256bf60fd68d690bcde5a26a87b78f561e634fd69c9711e6937b8cd1c0ff891f15e
SHA51273506267be127fbbb33ec479b01d889d79e00fc18e30331ab31aad46f281fe51afbf4058f380be5dfebaf4629cba8b0905ab65308f9e523c7320421b37958101
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
3.4MB
MD59a548d975892206bfc4b79a41b4c3d64
SHA122a382c4baf45f26f5af15f35d7a1bb9a9b1a109
SHA256af51d8714fbb34157e3bd53fcecdd76bcc0ed732f89cf469f544aec968d192d9
SHA51242f4bcbff08f08dd45097b9ac07444bb3e157d6e9055c307de3f1cf86b62900e9cdf5931cee305e0bb0991a6f5ef060196cc42a29b8fc7d233032036a42b1494
-
Filesize
3.4MB
MD59a548d975892206bfc4b79a41b4c3d64
SHA122a382c4baf45f26f5af15f35d7a1bb9a9b1a109
SHA256af51d8714fbb34157e3bd53fcecdd76bcc0ed732f89cf469f544aec968d192d9
SHA51242f4bcbff08f08dd45097b9ac07444bb3e157d6e9055c307de3f1cf86b62900e9cdf5931cee305e0bb0991a6f5ef060196cc42a29b8fc7d233032036a42b1494
-
Filesize
3.4MB
MD59a548d975892206bfc4b79a41b4c3d64
SHA122a382c4baf45f26f5af15f35d7a1bb9a9b1a109
SHA256af51d8714fbb34157e3bd53fcecdd76bcc0ed732f89cf469f544aec968d192d9
SHA51242f4bcbff08f08dd45097b9ac07444bb3e157d6e9055c307de3f1cf86b62900e9cdf5931cee305e0bb0991a6f5ef060196cc42a29b8fc7d233032036a42b1494