Analysis
- max time kernel: 54s
- max time network: 112s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/05/2023, 13:07
- Static task: static1
- Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20230220-en
General
- Target: file.exe
- Size: 410KB
- MD5: e80264156b7c26f7495709faa23ffdb7
- SHA1: 5d497c936ee71cc18125793bba524e4832a10789
- SHA256: aa4bbc0296b28232d20ca66e74e55dea3f82ca212db912fbc0825c93403654a9
- SHA512: 697c7d64c1b8f07cede094aa6ace876dd9d3eac3c634036764eb464196e8a41ce3d93ff878d9e6b2cb0a5ea35a93aa123f75463f1571b38acd7e53ee1e4c5ec8
- SSDEEP: 12288:9+cpD7KsRbSQ82gxVB5mSNDtdLCXZC/QuQ/g+LjQRohyqBoHCK0iOEfoh4c3QCNo:HpD0b
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (5 IoCs)
  description | pid | Process | procid_target
  PID 4836 created 660 | 4836 | 830546.exe | 49
  PID 4836 created 660 | 4836 | 830546.exe | 49
  PID 4836 created 660 | 4836 | 830546.exe | 49
  PID 4836 created 660 | 4836 | 830546.exe | 49
  PID 4836 created 660 | 4836 | 830546.exe | 49
- Downloads MZ/PE file
- Drops file in Drivers directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\System32\drivers\etc\hosts | 830546.exe
- Stops running service(s) (3 TTPs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | file.exe
- Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Updater.lnk | file.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  4836 | 830546.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  4964 | file.exe
  4964 | file.exe
  4964 | file.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 4836 set thread context of 1168 | 4836 | 830546.exe | 96
- Launches sc.exe (5 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  1364 | sc.exe
  1372 | sc.exe
  3784 | sc.exe
  1636 | sc.exe
  1748 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | file.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | file.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | Process
  4964 | file.exe
  4836 | 830546.exe
  4836 | 830546.exe
  4668 | powershell.exe
  4668 | powershell.exe
  4836 | 830546.exe
  4836 | 830546.exe
  4836 | 830546.exe
  4836 | 830546.exe
  4836 | 830546.exe
  4836 | 830546.exe
  4836 | 830546.exe
  4836 | 830546.exe
  1168 | dialer.exe
  1168 | dialer.exe
  3536 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4964 | file.exe
  Token: SeDebugPrivilege | 4668 | powershell.exe
  Token: SeDebugPrivilege | 1168 | dialer.exe
  Token: SeShutdownPrivilege | 4276 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4276 | powercfg.exe
  Token: SeShutdownPrivilege | 2488 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 2488 | powercfg.exe
  Token: SeDebugPrivilege | 3536 | powershell.exe
  Token: SeShutdownPrivilege | 1800 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 1800 | powercfg.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 4964 wrote to memory of 4836 | 4964 | file.exe | 84
  PID 4964 wrote to memory of 4836 | 4964 | file.exe | 84
  PID 3108 wrote to memory of 1364 | 3108 | cmd.exe | 89
  PID 3108 wrote to memory of 1364 | 3108 | cmd.exe | 89
  PID 3108 wrote to memory of 1372 | 3108 | cmd.exe | 90
  PID 3108 wrote to memory of 1372 | 3108 | cmd.exe | 90
  PID 3108 wrote to memory of 3784 | 3108 | cmd.exe | 91
  PID 3108 wrote to memory of 3784 | 3108 | cmd.exe | 91
  PID 3108 wrote to memory of 1636 | 3108 | cmd.exe | 92
  PID 3108 wrote to memory of 1636 | 3108 | cmd.exe | 92
  PID 3108 wrote to memory of 1748 | 3108 | cmd.exe | 93
  PID 3108 wrote to memory of 1748 | 3108 | cmd.exe | 93
  PID 4836 wrote to memory of 1168 | 4836 | 830546.exe | 96
  PID 3648 wrote to memory of 4276 | 3648 | cmd.exe | 99
  PID 3648 wrote to memory of 4276 | 3648 | cmd.exe | 99
  PID 3648 wrote to memory of 2488 | 3648 | cmd.exe | 100
  PID 3648 wrote to memory of 2488 | 3648 | cmd.exe | 100
  PID 3648 wrote to memory of 1800 | 3648 | cmd.exe | 101
  PID 3648 wrote to memory of 1800 | 3648 | cmd.exe | 101
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 660
  - C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    PID: 4964
    Signatures: Checks computer location settings; Drops startup file; Loads dropped DLL; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\830546.exe
      Command line: "C:\Users\Admin\AppData\Local\830546.exe"
      PID: 4836
      Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in Drivers directory; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\804548.exe
      Command line: "C:\Users\Admin\AppData\Local\804548.exe"
      PID: 3680
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    PID: 4668
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    PID: 3108
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\sc.exe
      Command line: sc stop UsoSvc
      PID: 1364
      Signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe
      Command line: sc stop WaaSMedicSvc
      PID: 1372
      Signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe
      Command line: sc stop wuauserv
      PID: 3784
      Signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe
      Command line: sc stop bits
      PID: 1636
      Signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe
      Command line: sc stop dosvc
      PID: 1748
      Signatures: Launches sc.exe
  - C:\Windows\System32\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    PID: 3648
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -hibernate-timeout-ac 0
      PID: 4276
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -hibernate-timeout-dc 0
      PID: 2488
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -standby-timeout-ac 0
      PID: 1800
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -standby-timeout-dc 0
      PID: 3324
  - C:\Windows\System32\dialer.exe
    Command line: C:\Windows\System32\dialer.exe
    PID: 1168
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qlgljmw#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    PID: 3536
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.6MB
  MD5: 0de1fdfdd47e717da35f524f6fe4e9d9
  SHA1: caf0998abfb84e6d5599b9463e6209e16bd08322
  SHA256: c07c051deedc1a23268fa2a3fa8eb0a233da0ef1c1d0421806d05bbf9161309d
  SHA512: 9f0f045042c2380c2a748098ead47f8c6323dedaed5e42d9174ca7e0b7c87d5219514c3f20dd1609c48c89f0e140699e38a65d9dce4d37ddc9616a011adfd94f
- Filesize: 9.9MB
  MD5: 9889b03f358c1e2a2635ae17eb4bf489
  SHA1: 3919276a8b72c4205512dd41ecf8c066bf721be0
  SHA256: 0c879e57aab759d1e31ba1ac2a03ffe1be3f44bd028a2dd4c597acec333b83d6
  SHA512: ef9522066e646523c53249f788efdef9ac441087d8f6b6a5a56a2811f71cbf3b344be0f118bc9f3c12f62767d427736e5cab200c55ed66521170b3fc0ce31d6a
- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize: 944B
  MD5: 101c3b86ef1c02c62b7d862c2a47363b
  SHA1: 3c5e8d309610e5ba41b6b9788bfb826e45864b46
  SHA256: 9174446e5bf6366c610c790d5176cf11a65574345cc15ca7ded7247daf4d233c
  SHA512: d199aa9fbfefea6a27e1c6414b17c1e03c39840047f03c71788f83d37f30651df49dc865c0c38214bab7923bcd2e57e064817b9f1453818c2e7a29d3686d2d60
- Filesize: 384KB
  MD5: 55c797383dbbbfe93c0fe3215b99b8ec
  SHA1: 1b089157f3d8ae64c62ea15cdad3d82eafa1df4b
  SHA256: 5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
  SHA512: 648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1.3MB
  MD5: 8be215abf1f36aa3d23555a671e7e3be
  SHA1: 547d59580b7843f90aaca238012a8a0c886330e6
  SHA256: 83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae
  SHA512: 38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b