Analysis
- max time kernel: 56s
- max time network: 61s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/10/2023, 12:57
Static task
- static1
Behavioral tasks
- behavioral1: sample 187flame.jpg, resource win10v2004-20230915-en
- behavioral2: sample 187flame.jpg, resource android-x64-arm64-20230831-en
- behavioral3: sample 187flame.jpg, resource ubuntu1804-amd64-20230831-en
Errors
General
- Target: 187flame.jpg
- Size: 120KB
- MD5: 7177ec3221bf3fff41dbbda2fbb0208f
- SHA1: f17740158904c9a6aa141d142ab8fe776941b275
- SHA256: db90264acfb6058bb4066a0faeafaf292b4bc7fdbc952500621a6b058a03d478
- SHA512: e788f52b9ce7df34f5bf3cfbe1dab00986fde6a504de6f46ea3734b9fba52efbea678ced4feb5a5fc2edd06b0dd7c5f6c0117874b2632474988faf5dc0466288
- SSDEEP: 1536:qPVEWLelxCdVcdEmgqqUsIp2y7JrYPR1CbTXUC+pDH5yzX/jDBKg4vHn2qzTNGfO:OdWW6CmD2KYTCbTkC+NkzPvBKrNx
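The General section only records hashes and a filename; it does not say whether the bytes are actually a JPEG or something else wearing a .jpg extension. The following added triage helper (example code, not part of tria.ge or of this report) recomputes the same digest set the report lists and compares the file's magic bytes against its extension. The magic table and extension map are assumptions limited to a handful of common types, and the inputs in the demo are constructed blobs, not the real 187flame.jpg bytes (which the report does not include).

```python
"""Recompute a sandbox report's hash set and check content type vs extension.

Added example for triage; not tria.ge code. Only a handful of common types
are recognised (assumption), and the demo inputs are constructed.
"""
import hashlib

# Magic-byte prefixes for the types a .jpg-named sample is most likely to
# really be (assumption: small table, first match wins).
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "pe"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
    (b"%PDF", "pdf"),
]

# Which content type an extension claims to be.
EXT_TO_TYPE = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
    "exe": "pe", "dll": "pe", "scr": "pe", "zip": "zip", "pdf": "pdf",
}


def hash_report(data: bytes) -> dict:
    """Return the digests the report's General section lists, plus size."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def sniff_type(data: bytes) -> str:
    """Identify the container by its leading bytes, ignoring the filename."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Hash the bytes and flag when the extension lies about the content."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(data)
    claimed = EXT_TO_TYPE.get(ext)
    info = hash_report(data)
    info.update({
        "filename": filename,
        "extension": ext,
        "content_type": actual,
        "extension_matches": claimed is not None and claimed == actual,
    })
    return info


if __name__ == "__main__":
    # Constructed inputs: a minimal JPEG-like header and an MZ-headed blob
    # carrying the sample's filename.
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    disguised_pe = b"MZ" + b"\x00" * 64
    for blob in (fake_jpeg, disguised_pe):
        r = triage("187flame.jpg", blob)
        print(r["filename"], r["content_type"], r["extension_matches"], r["sha256"])
```

Run it against the real sample by reading the file into `data` and calling `triage`; if the SHA256 it prints differs from the report's, you are not looking at the same bytes the sandbox ran.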
Malware Config
Signatures
- Drops file in System32 directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Windows\system32\Recovery\ReAgent.xml | bootim.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | bootim.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | bootim.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | bootim.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | bootim.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (15 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "24" | LogonUI.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  3584 | bootim.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeSystemEnvironmentPrivilege | 3584 | bootim.exe
  Token: SeTakeOwnershipPrivilege | 3584 | bootim.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  1080 | LogonUI.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\187flame.jpg
  PID: 5036
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa3957055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 1080
- C:\Windows\system32\bootim.exe
  bootim.exe /startpage:1
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID: 3584

Reading the tree: the sandbox launched the sample with cmd /c, which hands a .jpg to its registered handler rather than executing it, and the launcher (cmd.exe, PID 5036) has no child processes in the report. Every signature listed above is raised by LogonUI.exe or bootim.exe, both Windows system binaries under System32 that the report shows as separate top-level processes, not as descendants of PID 5036. bootim.exe /startpage:1 is the Windows boot-options menu and ReAgent.xml is the Windows Recovery Environment configuration, and the LogonUI.exe writes are accent and DWM colour settings under the .DEFAULT hive; together these indicate the analysis VM rebooting into recovery and redrawing the logon screen, not behaviour of 187flame.jpg. Treat the signature hits on this page as environmental noise unless a separate run links them to the sample's own process tree.
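The attribution question above (which signature hits belong to the sample's process tree and which to the environment) is mechanical enough to script. The following added example (not tria.ge code) transcribes the report's three processes and six PID-bearing signature hits, locates the process whose command line references the submitted sample, walks its subtree, and splits the hits into sample-attributable and environmental. It assumes that processes the report lists at the top level have no parent inside the tree; the "Enumerates physical storage devices" entry carries no PID on the page and is therefore left out. The test data also goes beyond the page with a constructed child process to show the split working in the non-empty case.

```python
"""Attribute sandbox signature hits to the submitted sample's process tree.

Added example, not tria.ge code. PROCESSES and HITS are transcribed from this
report; parent=None for all three is an assumption based on the report
listing them at the top level.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None  # None: no parent shown in the report


@dataclass
class Hit:
    signature: str
    pid: int


# Transcribed from the Processes section of this report.
PROCESSES: List[Proc] = [
    Proc(5036, r"C:\Windows\system32\cmd.exe",
         r"cmd /c C:\Users\Admin\AppData\Local\Temp\187flame.jpg"),
    Proc(1080, r"C:\Windows\system32\LogonUI.exe",
         '"LogonUI.exe" /flags:0x4 /state0:0xa3957055 /state1:0x41c64e6d'),
    Proc(3584, r"C:\Windows\system32\bootim.exe", "bootim.exe /startpage:1"),
]

# Transcribed from the Signatures section; the TTP-level storage-enumeration
# hit has no PID in the report and is omitted.
HITS: List[Hit] = [
    Hit("Drops file in System32 directory", 3584),
    Hit("Drops file in Windows directory", 3584),
    Hit("Modifies data under HKEY_USERS", 1080),
    Hit("Suspicious behavior: GetForegroundWindowSpam", 3584),
    Hit("Suspicious use of AdjustPrivilegeToken", 3584),
    Hit("Suspicious use of SetWindowsHookEx", 1080),
]


def descendants(procs: List[Proc], root_pid: int) -> Set[int]:
    """PIDs in the subtree rooted at root_pid, root included."""
    children: Dict[Optional[int], List[int]] = {}
    for p in procs:
        children.setdefault(p.parent, []).append(p.pid)
    seen: Set[int] = set()
    stack = [root_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children.get(pid, []))
    return seen


def find_launcher(procs: List[Proc], sample_name: str) -> Optional[int]:
    """First process whose command line names the submitted sample."""
    needle = sample_name.lower()
    for p in procs:
        if needle in p.cmdline.lower():
            return p.pid
    return None


def attribute(procs: List[Proc], hits: List[Hit], sample_name: str) -> dict:
    """Split hits into those inside the sample's tree and the rest."""
    root = find_launcher(procs, sample_name)
    tree = descendants(procs, root) if root is not None else set()
    image = {p.pid: p.image for p in procs}
    sample_hits: List[Tuple[str, str]] = []
    env_hits: List[Tuple[str, str]] = []
    for h in hits:
        bucket = sample_hits if h.pid in tree else env_hits
        bucket.append((h.signature, image.get(h.pid, "?")))
    return {"root_pid": root, "tree": sorted(tree),
            "sample": sample_hits, "environment": env_hits}


if __name__ == "__main__":
    result = attribute(PROCESSES, HITS, "187flame.jpg")
    print("sample tree:", result["tree"])
    for sig, img in result["sample"]:
        print("sample:       ", sig, "<-", img)
    for sig, img in result["environment"]:
        print("environmental:", sig, "<-", img)
```

For this report the sample tree is just PID 5036 and all six hits land in the environmental bucket, which is the concrete form of the caveat above. The same function splits correctly once a dropped child process appears under the launcher.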
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 086274b1d586cec56fda56f80d17d217
  SHA1: 6b9bd0cdf05c6546fd7bfecd9981a2e7f1488066
  SHA256: 409bc0e56b5e99404d14432e1e4876505660e35eae8186d1769c4bae397fe17c
  SHA512: 49be605a2b378414ce0d0b2a1c10bd3fdba3897c40316720a81d25c19cfe5a14846f1e84ef77f877b6f7c716ef974a6808d57dd2d9544600d3b3ce9bbe3dbd45