Analysis

- max time kernel: 177s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/10/2023, 21:00
Behavioral task: behavioral1
- Sample: d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
- Resource: win7-20230831-en

Behavioral task: behavioral2
- Sample: d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
- Resource: win10v2004-20230915-en

The signatures, process tree and memory dumps below are from behavioral2 (the win10v2004 run).
General

- Target: d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
- Size: 536KB
- MD5: 46fd8fc7865ac89b6bfe276b104d87d6
- SHA1: af73c435c1927659c6856e3c5fcf4a74ccd92a07
- SHA256: d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762
- SHA512: d28cf792001190166e7687fcdc3455941b6883f73da61524ee826107edd2531ef086a8021e47a4273170b49bedefd00b68af698da847bcc62d5fbbf5b2ffb121
- SSDEEP: 12288:8hf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:8dQyDLzJTveuK0/Okx2LF
Malware Config
Signatures

- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  PID 3172 (Explorer.EXE) created a process whose recorded parent is PID 620 (winlogon.exe, target procid 10). This is why tskill.exe (PID 2684) appears under winlogon.exe in the process tree although Explorer.EXE spawned it.
- Downloads MZ/PE file
- Drops file in Drivers directory (1 IoC)
  File created: C:\Windows\System32\drivers\WNtira0qY.sys by tskill.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation by d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
- Executes dropped EXE (1 IoC)
  PID 2684 tskill.exe
- YARA rule upx matched in memory (3 IoCs)
  Three dumps of PID 1760, all covering 0x0000000000310000-0x0000000000412000: behavioral2/memory/1760-0-0x0000000000310000-0x0000000000412000-memory.dmp, behavioral2/memory/1760-26-0x0000000000310000-0x0000000000412000-memory.dmp, behavioral2/memory/1760-34-0x0000000000310000-0x0000000000412000-memory.dmp
- Unexpected DNS network traffic destination (1 IoC)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  Destination IP: 114.114.114.114
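The DNS signature records only the destination. As an added example (not part of the tria.ge report), the Python below shows how a practitioner turns that observation into a check over flow records: any port-53 traffic to a host that is not one of the configured resolvers is reported, and well-known public resolvers are named so the analyst sees at once that 114.114.114.114 is the 114DNS resolver in China. The configured resolver 10.127.0.1, the flow records other than the 114.114.114.114 destination, and the public-resolver table are assumptions constructed for the demonstration.

```python
"""Flag DNS-port traffic that bypasses the resolvers the host was configured with.

Added example, not from the tria.ge report. The resolver set, the flows other
than the 114.114.114.114 destination and the public-resolver table are assumed
values constructed for the demonstration.
"""
from ipaddress import ip_address

# Resolver the sandbox VM received from DHCP (assumed; the report does not list it).
CONFIGURED_RESOLVERS = {"10.127.0.1"}

# Well-known public resolvers, so an alert can say which operator was contacted.
# 114.114.114.114 is the 114DNS public resolver operated in China.
PUBLIC_RESOLVERS = {
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "9.9.9.9": "Quad9",
    "114.114.114.114": "114DNS (CN)",
    "223.5.5.5": "AliDNS (CN)",
}

# Constructed flow records: (src_ip, dst_ip, protocol, dst_port).
FLOWS = [
    ("10.127.0.15", "10.127.0.1", "udp", 53),        # normal lookup via the DHCP resolver
    ("10.127.0.15", "114.114.114.114", "udp", 53),   # the destination from the report
    ("10.127.0.15", "114.114.114.114", "udp", 53),   # repeated query, same alert
    ("10.127.0.15", "93.184.216.34", "tcp", 443),    # HTTPS, not DNS
    ("10.127.0.15", "127.0.0.1", "udp", 53),         # local stub resolver, ignored
    ("10.127.0.15", "185.199.110.153", "tcp", 53),   # DNS port, operator unknown
]


def unexpected_dns_destinations(flows, resolvers=CONFIGURED_RESOLVERS):
    """Return {dst_ip: operator_or_None} for DNS-port traffic to hosts that are
    not the configured resolvers. Loopback and link-local are skipped because
    local stub resolvers (e.g. 127.0.0.53) legitimately listen on port 53."""
    hits = {}
    for _src, dst, proto, dport in flows:
        if dport != 53 or proto not in ("udp", "tcp"):
            continue
        addr = ip_address(dst)
        if addr.is_loopback or addr.is_link_local or dst in resolvers:
            continue
        hits[dst] = PUBLIC_RESOLVERS.get(dst)
    return hits


def describe(hits):
    """Alert lines. A hard-coded public resolver usually means the sample brings
    its own DNS, so local filtering or sinkholing never sees its lookups."""
    lines = []
    for dst, operator in sorted(hits.items()):
        who = operator or "unknown operator"
        lines.append(f"DNS-port traffic to non-configured resolver {dst} ({who})")
    return lines


if __name__ == "__main__":
    for line in describe(unexpected_dns_destinations(FLOWS)):
        print(line)
```

The check keys on the destination rather than on query content, so it also catches DNS-over-TCP to the same host; it does not cover DNS over HTTPS on port 443, which needs TLS SNI or a resolver IP list instead.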
- Drops file in System32 directory (11 IoCs)
  File created: C:\Windows\system32\ \Windows\System32\PC62BJ.sys by tskill.exe (path reproduced as the report shows it, including the space component)
  File opened for modification by tskill.exe, all under C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\:
    MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
    MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
    MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173
    Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173
    MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C
    Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C
    MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475
    Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475
    Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
    Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
  CryptnetUrlCache is the CryptoAPI cache for CRL, OCSP and certificate fetches; its location under the system profile indicates tskill.exe ran in the LocalSystem context, consistent with its winlogon.exe parent.
- Drops file in Windows directory (2 IoCs)
  File opened for modification: C:\Windows\1e21c0 by d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
  File created: C:\Windows\2ZKueTsQ7.sys by tskill.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read to detect sandbox environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 by tskill.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 by tskill.exe
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName by tskill.exe
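Both registry signatures above (the Geo\Nation lookup by the sample and the Enum\SCSI reads by tskill.exe) are reads, so a detection has to key on the key path and the reading process rather than on any value written. The added example below (not from the report) classifies constructed registry events that way. It matches case-insensitively, because the registry is and the report itself shows the same key as CDROM&VEN_DADY and Disk&Ven_DADY, and it includes the substring test a sample typically applies to FriendlyName, which finds nothing in the VEN_DADY vendor string. The svchost.exe event, the allowlist and the FriendlyName values are assumptions.

```python
r"""Classify the registry reads the sandbox flagged: the geofence lookup of
Control Panel\International\Geo\Nation and the Enum\SCSI hardware fingerprinting.

Added example, not from the tria.ge report. Event tuples reuse the report's key
paths; the svchost.exe event, the allowlist and the FriendlyName strings passed
to hypervisor_hint are assumptions.
"""
import re

SAMPLE = "d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe"

# The registry is case-insensitive (the report shows both CDROM&VEN_DADY and
# Disk&Ven_DADY), so every pattern is compiled with re.I.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
SCSI_ENUM = re.compile(
    r"\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Enum\\SCSI\\", re.I)

# Processes that legitimately walk Enum\SCSI for device management. Assumed allowlist.
SCSI_ALLOWED = {"svchost.exe", "services.exe", "system"}

# Constructed events: (pid, image, operation, key_path).
EVENTS = [
    (1760, SAMPLE, "Key value queried",
     r"\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation"),
    (2684, "tskill.exe", "Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000"),
    (2684, "tskill.exe", "Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000"),
    (2684, "tskill.exe", "Key value queried",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName"),
    (900, "svchost.exe", "Key opened",   # assumed benign device-management read
     r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000"),
]


def classify(events, allowed=SCSI_ALLOWED):
    """Return one (pid, image, tag) per (pid, tag): 'geofence' for a Geo\\Nation
    read, 'hw-fingerprint' for an Enum\\SCSI read by a non-allowlisted process.
    Repeated reads by the same process collapse into a single finding."""
    seen = {}
    for pid, image, _op, key in events:
        if GEO_NATION.search(key):
            tag = "geofence"
        elif SCSI_ENUM.search(key) and image.lower() not in allowed:
            tag = "hw-fingerprint"
        else:
            continue
        seen.setdefault((pid, tag), (pid, image, tag))
    return list(seen.values())


HYPERVISOR_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "virtual", "xen", "hyper-v")


def hypervisor_hint(friendly_name):
    """What the sample's own check sees in FriendlyName. The report's vendor is
    VEN_DADY rather than VBOX/VMware/QEMU, so a substring match returns None;
    the detectable signal is the read itself, not what it returns."""
    low = friendly_name.lower()
    return next((m for m in HYPERVISOR_MARKERS if m in low), None)


if __name__ == "__main__":
    for finding in classify(EVENTS):
        print(finding)
    print(hypervisor_hint("DADY HARDDISK SCSI Disk Device"))   # assumed value
```

The allowlist is the part to tune per environment: device-management services read Enum\SCSI constantly, so without it the SCSI rule is pure noise, and with it the rule only fires for processes such as a dropped tskill.exe that have no business enumerating disks.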
- Delays execution with timeout.exe (1 IoC)
  PID 3684 timeout.exe
- Modifies data under HKEY_USERS (9 IoCs)
  All by tskill.exe, under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\:
    Set value (str) Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Key created Internet Settings\ZoneMap\
    Set value (int) Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int) Internet Settings\ZoneMap\AutoDetect = "0"
    Set value (str) Internet Settings\5.0\Cache\Content\CachePrefix (value not shown in the report)
    Set value (str) Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (int) Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int) Internet Settings\ZoneMap\UNCAsIntranet = "1"
    Key created WinTrust\Trust Providers\Software Publishing
  These are the keys WinINet initialises on first use in a profile; their appearance under .DEFAULT again points to tskill.exe doing URL retrieval as LocalSystem.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1760 d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe (8), PID 3172 Explorer.EXE (12), PID 2684 tskill.exe (44)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3172 Explorer.EXE
- Suspicious behavior: LoadsDriver (3 IoCs)
  PID 660 "Process not Found" (3). The loading process is not in the tree; the count matches the three .sys files tskill.exe dropped (WNtira0qY.sys, PC62BJ.sys, 2ZKueTsQ7.sys).
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  PID 1760 d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe: SeDebugPrivilege (2), SeTcbPrivilege (1), SeIncBasePriorityPrivilege (1)
  PID 3172 Explorer.EXE: SeDebugPrivilege (5), SeTcbPrivilege (1), SeShutdownPrivilege (12), SeCreatePagefilePrivilege (12)
  PID 2684 tskill.exe: SeDebugPrivilege (3)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 3172 Explorer.EXE (2)
- Suspicious use of WriteProcessMemory (21 IoCs)
  PID 1760 d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe wrote to PID 3172 Explorer.EXE (3, target procid 66)
  PID 3172 Explorer.EXE wrote to PID 2684 tskill.exe (7, target procid 89)
  PID 3172 Explorer.EXE wrote to PID 620 winlogon.exe (5, target procid 10)
  PID 1760 d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe wrote to PID 2936 cmd.exe (3, target procid 93)
  PID 2936 cmd.exe wrote to PID 3684 timeout.exe (3, target procid 95)
Processes

C:\Windows\system32\winlogon.exe (winlogon.exe) PID:620
  C:\ProgramData\Microsoft\tskill.exe ("C:\ProgramData\Microsoft\tskill.exe") PID:2684
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID:3172
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe ("C:\Users\Admin\AppData\Local\Temp\d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe") PID:1760
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe ("C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe") PID:2936
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe (timeout /t 1) PID:3684
      - Delays execution with timeout.exe

Reading the tree: tskill.exe is listed under winlogon.exe only because its parent was set to PID 620 at creation; the NtCreateUserProcessOtherParentProcess and WriteProcessMemory signatures show Explorer.EXE (PID 3172), itself written to by the sample, as the real creator. The sample requests C:\Windows\System32\cmd.exe but the process runs from C:\Windows\SysWOW64\cmd.exe, which is WoW64 file-system redirection for a 32-bit process (resource tag arch:x86). That cmd.exe command line, timeout /t 1 followed by del /Q /F on the sample's own path, is the usual self-deletion step once the payload has been handed off to other processes.
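The tree as rendered hides the two things an analyst most wants from it: that tskill.exe's parent was spoofed, and that the cmd.exe child exists only to delete the sample. The added example below (not part of the tria.ge report) rebuilds the tree from process-creation records and flags both. PIDs, images and command lines are taken from the report; the `creator` field, the process whose thread called NtCreateUserProcess, is an assumption about the telemetry source: Sysmon event 1 records only the parent, whereas a kernel ETW process-start event or a sandbox hook on NtCreateUserProcess can also expose the caller, and that is what the field models.

```python
"""Rebuild a process tree from creation telemetry and flag a spoofed parent
and a cmd.exe self-delete.

Added example, not from the tria.ge report. PIDs, images and command lines come
from the report's process tree; the `creator` field (the process that actually
called NtCreateUserProcess) is assumed to be available from the telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int       # parent recorded in the process object (what Sysmon/ETW report)
    creator: int    # process whose thread called NtCreateUserProcess; 0 = unknown
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe")

# Constructed from the report: parent from the tree, creator from the
# NtCreateUserProcessOtherParentProcess / WriteProcessMemory signatures.
PROCS = [
    Proc(620, 0, 0, r"C:\Windows\system32\winlogon.exe", "winlogon.exe"),
    Proc(3172, 0, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(1760, 3172, 3172, SAMPLE, '"' + SAMPLE + '"'),
    Proc(2684, 620, 3172, r"C:\ProgramData\Microsoft\tskill.exe",
         r'"C:\ProgramData\Microsoft\tskill.exe"'),
    Proc(2936, 1760, 1760, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "' + SAMPLE + '"'),
    Proc(3684, 2936, 2936, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 1"),
]

# del [/switches] "path.exe": quotes optional, switches in any order.
SELF_DELETE = re.compile(r'\bdel\b(?:\s+/[A-Za-z])*\s+"?(?P<path>[^"]+?\.exe)"?', re.I)


def find_ppid_spoofing(procs):
    """(child pid, recorded parent image, real creator image) for every process
    whose creator is known and differs from its recorded parent."""
    by_pid = {p.pid: p for p in procs}
    return [(p.pid, by_pid[p.ppid].image, by_pid[p.creator].image)
            for p in procs if p.creator and p.creator != p.ppid]


def find_self_delete(procs):
    """(cmd pid, victim pid, victim image) when a cmd.exe deletes the image of
    one of its own ancestors. Paths compare case-insensitively, as NTFS does."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(p.cmdline)
        if not m:
            continue
        target = m.group("path").strip().lower()
        anc = by_pid.get(p.ppid)
        while anc is not None:             # walk up until the deleted file is an ancestor's image
            if anc.image.lower() == target:
                hits.append((p.pid, anc.pid, anc.image))
                break
            anc = by_pid.get(anc.ppid)
    return hits


def tree_lines(procs):
    """Indented tree keyed on the recorded parent, annotating spoofed entries."""
    by_pid = {p.pid: p for p in procs}
    children = {}
    for p in procs:
        children.setdefault(p.ppid if p.ppid in by_pid else 0, []).append(p)
    out = []

    def walk(pid, depth):
        for c in sorted(children.get(pid, []), key=lambda q: q.pid):
            note = ""
            if c.creator and c.creator != c.ppid:
                note = f"   <- actually created by PID {c.creator} ({by_pid[c.creator].image})"
            out.append("  " * depth + f"{c.pid} {c.image}{note}")
            walk(c.pid, depth + 1)

    walk(0, 0)
    return out


if __name__ == "__main__":
    print("\n".join(tree_lines(PROCS)))
    print("PPID spoofing:", find_ppid_spoofing(PROCS))
    print("Self-delete:", find_self_delete(PROCS))
```

The self-delete check walks the whole ancestry rather than only the direct parent, because the deleting cmd.exe is often one more hop down (cmd.exe spawning another cmd.exe, or a dropped script), and it matches on the image path rather than the file name so a same-named binary elsewhere does not trip it.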
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 24KB (this entry appears twice in the report)
  MD5: 2393d4f762fb671d92a59388109c24d4
  SHA1: 2e27346b7cff97619923c3e3199e68e7b91d142b
  SHA256: 8d9373ebd69f42153b0b47dbda2174811599db91630651ca01627ac1795f8d56
  SHA512: 9eaa9cd2813f8864244547fbc81ba6759f63e32f73ed2394dfa311ff60a9727e47dbdcf42d1aafb5e6c5a40a43a83ae32f5fa443083319f5b6b1e73457c59758
- Filesize: 11.6MB
  MD5: 5244c87dbafa1f764b258766005dea73
  SHA1: 84cb8b4fb3e0910cfecfb31b6fa54c16d940e703
  SHA256: 077035f93ddc3ac5a8b5631d43826baf7722256eb1c4716b3c2567f07379bc40
  SHA512: 54d64d32e73e2752cdf9a110db17ad64574eb072df0ed0dc34a7e4bc469c03aa79ef7d45465e279ef85d5fc6b33a1b750b181476cdea7ea98898ddba9aa60438
- Filesize: 14.8MB
  MD5: b1057fccc9bf7a0976c173bed8c7e2a0
  SHA1: fa7023b9e81f80adf10721ae995ec07ba0edd2f2
  SHA256: 3ee17398c1784dac54e2a218aacf3e64819dab2e809040ffc261d0444e768582
  SHA512: 04d4e64b137163ff9ffa8692495a2f91d80340ee6470c987e4413be3774ca5b344db8ea69d110642e10017e7868a086086f297441f3bc91038dee942d2b84a12