Analysis
max time kernel: 150s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/09/2023, 06:54
Behavioral task: behavioral1
Sample: 4ca9d6fc21d1f304b88ff024fc8131074a3be1cc0c147b2d1bb4193e364d0b97.exe
Resource: win7-20230831-en
Behavioral task: behavioral2
Sample: 4ca9d6fc21d1f304b88ff024fc8131074a3be1cc0c147b2d1bb4193e364d0b97.exe
Resource: win10v2004-20230915-en
General
Target: 4ca9d6fc21d1f304b88ff024fc8131074a3be1cc0c147b2d1bb4193e364d0b97.exe
Size: 1.3MB
MD5: 851e5c879e22248f985170716734c35f
SHA1: 62e337a35f602214df52b0de96a45ce28b636e70
SHA256: 4ca9d6fc21d1f304b88ff024fc8131074a3be1cc0c147b2d1bb4193e364d0b97
SHA512: ab8b494895d27eb8f12beecbd412fb9653ffcc1b6ef5a35c8eec8c9bbe3355e0e8d6a4cad47ad5a3dc05c42065d208ec91ebdcef50f77809cf6fea6573201070
SSDEEP: 24576:TVP4iQzePuruuXj/cjtkugLwnNM9bEjryZFmTcHAdyZbX62z9tywY3+Q:TWBj/cjt1OwNMhS+ZLgdIbX6K9tywq+
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
pid    Process
1516   ~~3826132035043797866.tmp.exe
4876   svchost.exe
4468   ~~3826132035043797866.tmp.exe
4148   svchost.exe

resource                                                                      yara_rule
behavioral2/memory/3412-0-0x0000000000400000-0x00000000005D8000-memory.dmp    upx
behavioral2/memory/2652-2-0x0000000000400000-0x00000000005D8000-memory.dmp    upx
behavioral2/memory/3412-33-0x0000000000400000-0x00000000005D8000-memory.dmp   upx
behavioral2/memory/3412-34-0x0000000000400000-0x00000000005D8000-memory.dmp   upx
behavioral2/memory/452-35-0x0000000000400000-0x00000000005D8000-memory.dmp    upx
behavioral2/memory/452-36-0x0000000000400000-0x00000000005D8000-memory.dmp    upx
Drops file in Program Files directory (54 IoCs)
Drops file in Windows directory (1 IoC)
description    ioc                      Process
File created   C:\Windows\svchost.exe   ~~3826132035043797866.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTP, 4 IoCs)
pid    Process
3696   PING.EXE
2104   PING.EXE
2076   PING.EXE
4240   PING.EXE
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid    Process
4468   ~~3826132035043797866.tmp.exe
Suspicious use of AdjustPrivilegeToken (18 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid    Process
4468   ~~3826132035043797866.tmp.exe
4468   ~~3826132035043797866.tmp.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\4ca9d6fc21d1f304b88ff024fc8131074a3be1cc0c147b2d1bb4193e364d0b97.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ca9d6fc21d1f304b88ff024fc8131074a3be1cc0c147b2d1bb4193e364d0b97.exe"
  PID: 3412
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\4ca9d6fc21d1f304b88ff024fc8131074a3be1cc0c147b2d1bb4193e364d0b97.exe
    Command line: PECMD**pecmd-cmd* PUTF "C:\Users\Admin\AppData\Local\Temp\~~3826132035043797866.tmp.exe",,"C:\Users\Admin\AppData\Local\Temp\4ca9d6fc21d1f304b88ff024fc8131074a3be1cc0c147b2d1bb4193e364d0b97.exe""#102|SCRIPT"
    PID: 2652
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\~~3826132035043797866.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\~~3826132035043797866.tmp.exe"
    PID: 1516
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\svchost.exe
      Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\~~3826132035043797866.tmp.exe"
      PID: 4876
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\~~3826132035043797866.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\~~3826132035043797866.tmp.exe"
        PID: 4468
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\4ca9d6fc21d1f304b88ff024fc8131074a3be1cc0c147b2d1bb4193e364d0b97.exe
    Command line: PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~8893492003406526727.cmd"
    PID: 452
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\~8893492003406526727.cmd"
      PID: 2252
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\PING.EXE
        Command line: ping -n 2 127.0.0.1
        PID: 3696
        - Runs ping.exe
      - C:\Windows\system32\PING.EXE
        Command line: ping -n 2 127.0.0.1
        PID: 2104
        - Runs ping.exe
      - C:\Windows\system32\PING.EXE
        Command line: ping -n 2 127.0.0.1
        PID: 2076
        - Runs ping.exe
      - C:\Windows\system32\PING.EXE
        Command line: ping -n 2 127.0.0.1
        PID: 4240
        - Runs ping.exe

- C:\Windows\svchost.exe
  Command line: C:\Windows\svchost.exe
  PID: 4148
  - Executes dropped EXE
  - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 404B
  MD5: 868086aaccdd8c75900f59f79ff3a930
  SHA1: 06814acaa40070d8d80c8746fd72bac81a3949f1
  SHA256: 664c9d720deb2d9cac39780d8549fd32632518eec1a904712334756b2c0bf14e
  SHA512: c300fe647674d6c1bded7e95ad5a91e5b2dc8905a537e3b6de44873d88254a53418a7989457aa81577b9dd2a4d630b96fbf17928390b813911d4df6143c8fe4c
- Filesize: 1013KB
  MD5: a681dcd188b1845fda9f078c1a3b2138
  SHA1: c8552e6bd406397323490a2b01792f8878588183
  SHA256: ebacd005c0b543bbf6fa1a8468285258be60c2b201ccf6e7b972f8f4645c4443
  SHA512: 350cc3e979c897af62271d6902b5598d8c5610524f45983913870f2aff62bf2552f552eb8894f74238fdfca565e769a605f48ddf3c8ff97a32f137ab5ea142bf
- Filesize: 1.0MB
  MD5: 1d886abc09404b92a7ff409f702ab5e3
  SHA1: 0ce1d79cecd30972f65ba36ba8764a61c59bbfaa
  SHA256: 313000d7b516c9213eea24411c564e65fd717819f678f702efeb8e485b06a66b
  SHA512: 276db90a7ad862afeb37e2a205276979603507f8d4a56b86bb114931db9f65f902e4643220737c8eb86829457273b838f26585da14cb766cfe432d2297975f92
- Filesize: 35KB
  MD5: 13e083a9d53e948803694a603e69081a
  SHA1: 5f0926b43c970edad8b969cbec9cfebb5ad0a971
  SHA256: 305485ffc5c72617b5b4d6af8a69bc77574c05df4b21829e08bb3a6a2ffd16c5
  SHA512: a2b4073ba2edafae7f276c2fb1279dd19f2be6dbe67ed1c9f94a082afca70286493b9c33e1fb705d7e1bab3fe66afc84173e9490751611b5c628970892d08814