Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
89s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
04/07/2023, 21:24
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230703-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20230703-en
General
-
Target
file.exe
-
Size
2.3MB
-
MD5
cdce958317e838eb09ec7e678ba1995c
-
SHA1
30d5a9b4f1083e2f188b7ce2d2c24fd63c0b413b
-
SHA256
9dca904c03551d33f96618bae69cb43811bd5072826ead4e1b7072229451a376
-
SHA512
79e021418a99c5ed38a0995887b9bd7711bbe9b299113c76a87f02eb111c9211c350b7d5b2580ca40a81bd110d53a899a11c4b9e61e3338b90ac4ab84dae81f2
-
SSDEEP
49152:OlJiXsQqb2AkydMeCL9+feqU9QWsNNHrT:OH7dj3O8mqkQNNHrT
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation ELRX.exe -
Executes dropped EXE 1 IoCs
pid Process 3412 ELRX.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2888 3412 WerFault.exe 87 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3988 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4312 timeout.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 220 powershell.exe 4916 powershell.exe 220 powershell.exe 4916 powershell.exe 4044 powershell.exe 3668 powershell.exe 4044 powershell.exe 3668 powershell.exe 3412 ELRX.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 5060 file.exe Token: SeDebugPrivilege 220 powershell.exe Token: SeDebugPrivilege 4916 powershell.exe Token: SeDebugPrivilege 3412 ELRX.exe Token: SeDebugPrivilege 4044 powershell.exe Token: SeDebugPrivilege 3668 powershell.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 5060 wrote to memory of 4916 5060 file.exe 80 PID 5060 wrote to memory of 4916 5060 file.exe 80 PID 5060 wrote to memory of 220 5060 file.exe 81 PID 5060 wrote to memory of 220 5060 file.exe 81 PID 5060 wrote to memory of 2308 5060 file.exe 84 PID 5060 wrote to memory of 2308 5060 file.exe 84 PID 2308 wrote to memory of 4312 2308 cmd.exe 86 PID 2308 wrote to memory of 4312 2308 cmd.exe 86 PID 2308 wrote to memory of 3412 2308 cmd.exe 87 PID 2308 wrote to memory of 3412 2308 cmd.exe 87 PID 3412 wrote to memory of 3668 3412 ELRX.exe 88 PID 3412 wrote to memory of 3668 3412 ELRX.exe 88 PID 3412 wrote to memory of 4044 3412 ELRX.exe 90 PID 3412 wrote to memory of 4044 3412 ELRX.exe 90 PID 3412 wrote to memory of 716 3412 ELRX.exe 92 PID 3412 wrote to memory of 716 3412 ELRX.exe 92 PID 716 wrote to memory of 3988 716 cmd.exe 94 PID 716 wrote to memory of 3988 716 cmd.exe 94 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1C0.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:4312
-
-
C:\ProgramData\CodeShorts\ELRX.exe"C:\ProgramData\CodeShorts\ELRX.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4044
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ELRX" /tr "C:\ProgramData\CodeShorts\ELRX.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ELRX" /tr "C:\ProgramData\CodeShorts\ELRX.exe"5⤵
- Creates scheduled task(s)
PID:3988
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3412 -s 21044⤵
- Program crash
PID:2888
-
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 424 -p 3412 -ip 34121⤵PID:3856
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
707.0MB
MD5d33d001cf9f16632b65b2efac27bfde7
SHA1dbfab5031aaced62b5d7970e10fc81174f299149
SHA2562b12e99966161ea238c78a01fb414d6949539bc5bbcc62c1f586316dc8373af9
SHA51236a1a9008747da970f2a9696e0e4b4a3778d99c3328a856e455555684a57fca88cf6698b9c232f6e73419f9e1e6827ae0351ffc8619a1cd2152db8d62c83bc57
-
Filesize
707.0MB
MD5d33d001cf9f16632b65b2efac27bfde7
SHA1dbfab5031aaced62b5d7970e10fc81174f299149
SHA2562b12e99966161ea238c78a01fb414d6949539bc5bbcc62c1f586316dc8373af9
SHA51236a1a9008747da970f2a9696e0e4b4a3778d99c3328a856e455555684a57fca88cf6698b9c232f6e73419f9e1e6827ae0351ffc8619a1cd2152db8d62c83bc57
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
944B
MD5f0a41fc9c1123bb127e55ecc66c8f052
SHA157152411758fa3df2623cc8a4df6d9fea73652f8
SHA256a4fe2be2c449e841f6a12d32114672b097fc1058b6f2971a03521220a0228745
SHA512e3e967adac361ddcf8240cf641f3e77eacfefc61dec725b8ae12e6a94f7d2ebd937fb9eb3cd068a0b3d4306e163dc87773b322bc2dd8b7df93b8103d0e99a900
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
142B
MD51ef93708bec6e53252945d9fc4a83f74
SHA14fcfc90b2039d2eb36f71ff648e111f762c18c0b
SHA2567df847a4da99b6fa4daf66d7309bded215611653ee98041095df6f2455e1520f
SHA512bf87dc0f12de615a078d10a8a0c12b65ba64a6a70a4b5e73430ee17bd99f18abadd9f3bbf30e443973cf21f39efd40007529b3b46acf18542e07744395e7704a