Analysis
-
max time kernel
139s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system -
submitted
22/05/2023, 17:35
Static task
static1
Behavioral task
behavioral1
Sample
f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765.exe
Resource
win10v2004-20230220-en
General
-
Target
f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765.exe
-
Size
7.1MB
-
MD5
f0b62ae5805c0231ba85e9b6e46202a8
-
SHA1
f87fb348da105b56366ffde3dc66a5643bd5e53d
-
SHA256
f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765
-
SHA512
edd5f48b9be4a60987da4fc3ce2c6384327a54bf222344e92b9e682458ab3b5d400e62eedd7a5313110f71231a1acb0e31031fb1a44d664d9bee07fa6b205a60
-
SSDEEP
98304:nCUrQTT+Aq3ku0P1fGRxTZqzdQ2F6a7AmpJmeYTa3x5+oKA/M:nC9XLzPeFOAmpweOa3x5+oJ/M
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid 2460, Process DesktopSoftwareDistribution-ROMF91.4.0.1.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description: Key created; ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run; Process: f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765.exe
description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DesktopSoftwareDistribution-ROMF91.4.0.1 = "C:\\ProgramData\\DesktopSoftwareDistribution-ROMF91.4.0.1\\DesktopSoftwareDistribution-ROMF91.4.0.1.exe"; Process: f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of WriteProcessMemory 2 IoCs
description: PID 632 wrote to memory of 2460; pid: 632; Process: f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765.exe; procid_target: 84
description: PID 632 wrote to memory of 2460; pid: 632; Process: f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765.exe; procid_target: 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f4c3ab3846a933fd0b6bd7f34019958706a1c70f4db7c1d20262587af2d70765.exe" (depth 1)
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:632 -
C:\ProgramData\DesktopSoftwareDistribution-ROMF91.4.0.1\DesktopSoftwareDistribution-ROMF91.4.0.1.exe
Command line: C:\ProgramData\DesktopSoftwareDistribution-ROMF91.4.0.1\DesktopSoftwareDistribution-ROMF91.4.0.1.exe (depth 2, child of PID 632)
- Executes dropped EXE
PID:2460
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\ProgramData\DesktopSoftwareDistribution-ROMF91.4.0.1\DesktopSoftwareDistribution-ROMF91.4.0.1.exe
Filesize 757.1MB
MD5 12c4542b8df229f8aa2ebaeaadd38266
SHA1 fdad30e1d2a34379be6da931e1f9e404017c5562
SHA256 64b546b3f4e245b7a09e4341df3a3a1a3faeddb50b93ef3a00d317a9ca04b2f1
SHA512 e37cc6b0e5318d15b8ffacc54696d63b97c7f16a1426573e2be0232d37182633f0cd2880381e69ba089f7d9e738ce3784730ff55d9ffdd1f4c02dbf16a999aa4