Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
154s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
11/10/2023, 22:57
Static task
static1
Behavioral task
behavioral1
Sample
89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465.exe
Resource
win10v2004-20230915-en
General
-
Target
89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465.exe
-
Size
1.4MB
-
MD5
8e42f97ee888aeac494f7caabc21ae8e
-
SHA1
ee3a142528c8e9108982ff28934580d635e7dfff
-
SHA256
89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465
-
SHA512
e0d4f7087e8b85871e6cc0dc5a80845881893ba1f0226dd10143c3c938fd422dd61224a2a6646bf2211fafb9d352c7b93dfc1d5683d5c64e6aa26211eccd2cd5
-
SSDEEP
24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation 89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465.exe -
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 208.67.222.222 Destination IP 208.67.222.222 Destination IP 208.67.222.222 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1380 powershell.exe 1380 powershell.exe 4120 powershell.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3668 WMIC.exe Token: SeSecurityPrivilege 3668 WMIC.exe Token: SeTakeOwnershipPrivilege 3668 WMIC.exe Token: SeLoadDriverPrivilege 3668 WMIC.exe Token: SeSystemProfilePrivilege 3668 WMIC.exe Token: SeSystemtimePrivilege 3668 WMIC.exe Token: SeProfSingleProcessPrivilege 3668 WMIC.exe Token: SeIncBasePriorityPrivilege 3668 WMIC.exe Token: SeCreatePagefilePrivilege 3668 WMIC.exe Token: SeBackupPrivilege 3668 WMIC.exe Token: SeRestorePrivilege 3668 WMIC.exe Token: SeShutdownPrivilege 3668 WMIC.exe Token: SeDebugPrivilege 3668 WMIC.exe Token: SeSystemEnvironmentPrivilege 3668 WMIC.exe Token: SeRemoteShutdownPrivilege 3668 WMIC.exe Token: SeUndockPrivilege 3668 WMIC.exe Token: SeManageVolumePrivilege 3668 WMIC.exe Token: 33 3668 WMIC.exe Token: 34 3668 WMIC.exe Token: 35 3668 WMIC.exe Token: 36 3668 WMIC.exe Token: SeIncreaseQuotaPrivilege 3668 WMIC.exe Token: SeSecurityPrivilege 3668 WMIC.exe Token: SeTakeOwnershipPrivilege 3668 WMIC.exe Token: SeLoadDriverPrivilege 3668 WMIC.exe Token: SeSystemProfilePrivilege 3668 WMIC.exe Token: SeSystemtimePrivilege 3668 WMIC.exe Token: SeProfSingleProcessPrivilege 3668 WMIC.exe Token: SeIncBasePriorityPrivilege 3668 WMIC.exe Token: SeCreatePagefilePrivilege 3668 WMIC.exe Token: SeBackupPrivilege 3668 WMIC.exe Token: SeRestorePrivilege 3668 WMIC.exe Token: SeShutdownPrivilege 3668 WMIC.exe Token: SeDebugPrivilege 3668 WMIC.exe Token: SeSystemEnvironmentPrivilege 3668 WMIC.exe Token: SeRemoteShutdownPrivilege 3668 WMIC.exe Token: SeUndockPrivilege 3668 WMIC.exe Token: SeManageVolumePrivilege 3668 WMIC.exe Token: 33 3668 WMIC.exe Token: 34 3668 WMIC.exe Token: 35 3668 WMIC.exe Token: 36 3668 WMIC.exe Token: SeDebugPrivilege 1380 powershell.exe Token: SeDebugPrivilege 4120 powershell.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 4216 wrote to memory of 2516 4216 89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465.exe 88 PID 4216 wrote to memory of 2516 4216 89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465.exe 88 PID 4216 wrote to memory of 2516 4216 89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465.exe 88 PID 2516 wrote to memory of 4732 2516 cmd.exe 91 PID 2516 wrote to memory of 4732 2516 cmd.exe 91 PID 2516 wrote to memory of 4732 2516 cmd.exe 91 PID 4732 wrote to memory of 1180 4732 cmd.exe 92 PID 4732 wrote to memory of 1180 4732 cmd.exe 92 PID 4732 wrote to memory of 1180 4732 cmd.exe 92 PID 2516 wrote to memory of 1860 2516 cmd.exe 93 PID 2516 wrote to memory of 1860 2516 cmd.exe 93 PID 2516 wrote to memory of 1860 2516 cmd.exe 93 PID 1860 wrote to memory of 3668 1860 cmd.exe 94 PID 1860 wrote to memory of 3668 1860 cmd.exe 94 PID 1860 wrote to memory of 3668 1860 cmd.exe 94 PID 2516 wrote to memory of 1380 2516 cmd.exe 96 PID 2516 wrote to memory of 1380 2516 cmd.exe 96 PID 2516 wrote to memory of 1380 2516 cmd.exe 96 PID 2516 wrote to memory of 4120 2516 cmd.exe 106 PID 2516 wrote to memory of 4120 2516 cmd.exe 106 PID 2516 wrote to memory of 4120 2516 cmd.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465.exe"C:\Users\Admin\AppData\Local\Temp\89500d95e289944c5685985075ed0c611d4cd6fdd03f8b35d6eb0f4aefd14465.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com3⤵
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\nslookup.exenslookup myip.opendns.com. resolver1.opendns.com4⤵PID:1180
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain3⤵
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic ComputerSystem get Domain4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3668
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4120
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'3⤵PID:4388
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'3⤵PID:2176
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
Filesize
11KB
MD51a6d986f55a10d3037e2a8ae67e71cd9
SHA188b71a454b4fc10b58d469fe69bd48335d5e4d1b
SHA256731676a77fdc0e8ad2e1fe4789ec2efa54a09e4b92d004c2b342f0dfed308c95
SHA51235b860711224371b843fca73f87855e90f21864c978420fc0c0fa94f282374860780235546df23934161e49793dcb5426049e4c4a9c2f94e132e5a7b0f1a447e
-
Filesize
11KB
MD5d126569153a88d11769214480a900938
SHA10a2963cf6a70962b658cd8cedbdcf39d4412beac
SHA256ce62aaa80e5bda34ca254d527eb8ce25ad9787d2ca987c63732003c5c9bd33ae
SHA512141b9a50350c72475edf2ba4c508b091b30b28f1406b4703e741864c3338ea93295ed9552346c218dac440ac5d133f3ed82ef69d7e7463c72f6101e3691058a9
-
Filesize
11KB
MD5b716252a6c42cbe509f8159129327514
SHA1d3c6b11b15b4a2d961556ac9cbaedb9290b4e75f
SHA256f496994e12e043c8c390771b0d6c827a242c896b6ec610c716c2ec95ee9ff04a
SHA512a7eaed8eaa47e556b8a11795be28a769e9373489ffa9753173e2f30f6f23613c2b65dd02c9b746f790d383a5d9f01cb3c798ce27424ada313655fff55944fa56
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD57ea1fec84d76294d9256ae3dca7676b2
SHA11e335451d1cbb6951bc77bf75430f4d983491342
SHA2569a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940
SHA512ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317