Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
54s -
max time network
58s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
15/07/2023, 20:01
Static task
static1
Behavioral task
behavioral1
Sample
Decent_Sampler-1.8.12.0-Windows.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
Decent_Sampler-1.8.12.0-Windows.exe
Resource
win10v2004-20230703-en
General
-
Target
Decent_Sampler-1.8.12.0-Windows.exe
-
Size
31.7MB
-
MD5
1fb5e8893336b758740944ea0f2965a8
-
SHA1
8a849d422806fac01693ef44402bdf9ec14d34ba
-
SHA256
8ffc45ed98a4e16a0e2e58eb9e35f6f73a3a7520adb2e7e9360d7acead3a5f8c
-
SHA512
61acb91b0eaeb452604bcddf3004c37aafdd01d89b9532b40a4471a975414c3531eff9ae43243b1ccc418b64e59c5ae8d4bcebb6a7a0cd9874a7274d6537b44d
-
SSDEEP
786432:t+CMjkyOX0+Q/JQViulnYrsDDc4u3Mwh1+G1opCMi2KH:5GLGkWViu6I3Fw04oQMi
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1996 Decent_Sampler-1.8.12.0-Windows.tmp -
Loads dropped DLL 2 IoCs
pid Process 1712 Decent_Sampler-1.8.12.0-Windows.exe 1996 Decent_Sampler-1.8.12.0-Windows.tmp -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 6 IoCs
description ioc Process File created C:\Program Files\VSTPlugins\is-1SPDU.tmp Decent_Sampler-1.8.12.0-Windows.tmp File created C:\Program Files\Common Files\VST3\is-JJTMK.tmp Decent_Sampler-1.8.12.0-Windows.tmp File opened for modification C:\Program Files\Decent Sampler\unins000.dat Decent_Sampler-1.8.12.0-Windows.tmp File opened for modification C:\Program Files\VSTPlugins\DecentSampler.dll Decent_Sampler-1.8.12.0-Windows.tmp File created C:\Program Files\Decent Sampler\unins000.dat Decent_Sampler-1.8.12.0-Windows.tmp File created C:\Program Files\Decent Sampler\is-ISCLL.tmp Decent_Sampler-1.8.12.0-Windows.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 14 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dspreset\ = "Decent Sampler" Decent_Sampler-1.8.12.0-Windows.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Decent Sampler Decent_Sampler-1.8.12.0-Windows.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Decent Sampler\shell\open\command\ = "\"C:\\Program Files\\Decent Sampler\\DecentSampler.exe\" \"%1\"" Decent_Sampler-1.8.12.0-Windows.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dslibrary Decent_Sampler-1.8.12.0-Windows.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dsbundle Decent_Sampler-1.8.12.0-Windows.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Decent Sampler\DefaultIcon Decent_Sampler-1.8.12.0-Windows.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Decent Sampler\DefaultIcon\ = "C:\\Program Files\\Decent Sampler\\DecentSampler.exe,0" Decent_Sampler-1.8.12.0-Windows.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dspreset Decent_Sampler-1.8.12.0-Windows.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dslibrary\ = "Decent Sampler" Decent_Sampler-1.8.12.0-Windows.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Decent Sampler\shell\open Decent_Sampler-1.8.12.0-Windows.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dsbundle\ = "Decent Sampler" Decent_Sampler-1.8.12.0-Windows.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Decent Sampler\ = "Program Decent Sampler" Decent_Sampler-1.8.12.0-Windows.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Decent Sampler\shell\open\command Decent_Sampler-1.8.12.0-Windows.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Decent Sampler\shell Decent_Sampler-1.8.12.0-Windows.tmp -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1996 Decent_Sampler-1.8.12.0-Windows.tmp 1996 Decent_Sampler-1.8.12.0-Windows.tmp -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1996 Decent_Sampler-1.8.12.0-Windows.tmp -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1712 wrote to memory of 1996 1712 Decent_Sampler-1.8.12.0-Windows.exe 28 PID 1712 wrote to memory of 1996 1712 Decent_Sampler-1.8.12.0-Windows.exe 28 PID 1712 wrote to memory of 1996 1712 Decent_Sampler-1.8.12.0-Windows.exe 28 PID 1712 wrote to memory of 1996 1712 Decent_Sampler-1.8.12.0-Windows.exe 28 PID 1712 wrote to memory of 1996 1712 Decent_Sampler-1.8.12.0-Windows.exe 28 PID 1712 wrote to memory of 1996 1712 Decent_Sampler-1.8.12.0-Windows.exe 28 PID 1712 wrote to memory of 1996 1712 Decent_Sampler-1.8.12.0-Windows.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\Decent_Sampler-1.8.12.0-Windows.exe"C:\Users\Admin\AppData\Local\Temp\Decent_Sampler-1.8.12.0-Windows.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\is-JR9LK.tmp\Decent_Sampler-1.8.12.0-Windows.tmp"C:\Users\Admin\AppData\Local\Temp\is-JR9LK.tmp\Decent_Sampler-1.8.12.0-Windows.tmp" /SL5="$80122,32361468,831488,C:\Users\Admin\AppData\Local\Temp\Decent_Sampler-1.8.12.0-Windows.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1996
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD5bbd72aa568e9f2c3e67f5c6db24e9d3e
SHA15a6bbbcfaac32e7ad3d25d77f65efd3794cc83d3
SHA256ee8b8339f58e9ac39efe9b27c29bf9b5a6f09028f231c2f5f7e671760ee8622e
SHA512f94abb0e5bb0829472db638b5ec846e5580ec792fe0f21be6ea2745aa2c87b7a1782111dafb5350b2089bf672fcdfd08059d750ce87f2448761c95c983e14741
-
Filesize
3.0MB
MD5bbd72aa568e9f2c3e67f5c6db24e9d3e
SHA15a6bbbcfaac32e7ad3d25d77f65efd3794cc83d3
SHA256ee8b8339f58e9ac39efe9b27c29bf9b5a6f09028f231c2f5f7e671760ee8622e
SHA512f94abb0e5bb0829472db638b5ec846e5580ec792fe0f21be6ea2745aa2c87b7a1782111dafb5350b2089bf672fcdfd08059d750ce87f2448761c95c983e14741
-
Filesize
3.1MB
MD58a54aa9cbfa07bd0400258b60aa22fb8
SHA173a6fda9a8d2ccbe041a435706e2fa9090aaa89c
SHA256af114b34c9c332e19cc9ddc205999924a2cb5d46d7a213ec87d3679f778b05b5
SHA5123e98a46144461584f3f4d8f37dc777576fa0d831240dfc02e60d7e6d2d18fa769bbac58888410d96c5035ce0effbc8539d681daf1ba97add746a6bb4f3873da1
-
Filesize
3.0MB
MD5bbd72aa568e9f2c3e67f5c6db24e9d3e
SHA15a6bbbcfaac32e7ad3d25d77f65efd3794cc83d3
SHA256ee8b8339f58e9ac39efe9b27c29bf9b5a6f09028f231c2f5f7e671760ee8622e
SHA512f94abb0e5bb0829472db638b5ec846e5580ec792fe0f21be6ea2745aa2c87b7a1782111dafb5350b2089bf672fcdfd08059d750ce87f2448761c95c983e14741