Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
- submitted: 12/10/2023, 09:13
Behavioral task behavioral1
- Sample: 8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
- Resource: win7-20230831-en
Behavioral task behavioral2
- Sample: 8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
- Resource: win10v2004-20230915-en
General
- Target: 8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
- Size: 536KB
- MD5: 04ccd586d42e6bc956b499ee4d513294
- SHA1: a0ae681bc5b8d15ccc47f523ecd951ef13b60e6f
- SHA256: 8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632
- SHA512: 9da52eb1168a0396b9e268ef7cc7ede7fe7635b8c931977846d6853e1531f36602d5b37a00b37156af90ed05de7b74bbbff6e15b87a75096a96f40253abd8c89
- SSDEEP: 12288:vhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:vdQyDL9xp/BGA1RkmOkx2LF
Malware Config
Signatures
- Drops file in Drivers directory 1 IoCs
  description | ioc | Process
  File created | C:\Windows\System32\drivers\WS70A7zRA.sys | cacls.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | 8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
- Executes dropped EXE 1 IoCs
  pid | Process
  1556 | cacls.exe
- yara_rule matches (upx)
  resource | yara_rule
  behavioral2/memory/4172-0-0x00000000004B0000-0x00000000005B2000-memory.dmp | upx
  behavioral2/memory/4172-17-0x00000000004B0000-0x00000000005B2000-memory.dmp | upx
  behavioral2/memory/4172-34-0x00000000004B0000-0x00000000005B2000-memory.dmp | upx
- Unexpected DNS network traffic destination 1 IoCs
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 114.114.114.114
- Drops file in System32 directory 1 IoCs
  description | ioc | Process
  File created | C:\Windows\system32\ \Windows\System32\N9r8Pzip8.sys | cacls.exe
- Drops file in Windows directory 2 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\476d18 | 8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
  File created | C:\Windows\6ESm1aKCT.sys | cacls.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) 3 TTPs 3 IoCs
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | cacls.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | cacls.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | cacls.exe
- Delays execution with timeout.exe 1 IoCs
  pid | Process
  1500 | timeout.exe
- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Internet Explorer\New Windows\Allow | cacls.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.hao774.com | cacls.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid | Process
  3188 | Explorer.EXE
- Suspicious behavior: LoadsDriver 3 IoCs
  pid | Process
  664 | Process not Found
  664 | Process not Found
  664 | Process not Found
- Suspicious use of AdjustPrivilegeToken 16 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 4172 | 8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
  Token: SeTcbPrivilege | 4172 | 8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
  Token: SeDebugPrivilege | 4172 | 8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
  Token: SeDebugPrivilege | 3188 | Explorer.EXE
  Token: SeTcbPrivilege | 3188 | Explorer.EXE
  Token: SeDebugPrivilege | 3188 | Explorer.EXE
  Token: SeDebugPrivilege | 3188 | Explorer.EXE
  Token: SeDebugPrivilege | 3188 | Explorer.EXE
  Token: SeDebugPrivilege | 3188 | Explorer.EXE
  Token: SeIncBasePriorityPrivilege | 4172 | 8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
  Token: SeDebugPrivilege | 1556 | cacls.exe
  Token: SeDebugPrivilege | 1556 | cacls.exe
  Token: SeDebugPrivilege | 1556 | cacls.exe
  Token: SeShutdownPrivilege | 3188 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3188 | Explorer.EXE
  Token: SeDebugPrivilege | 1556 | cacls.exe
- Suspicious use of FindShellTrayWindow 64 IoCs
- Suspicious use of SetWindowsHookEx 1 IoCs
  pid | Process
  1556 | cacls.exe
- Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 620
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3188
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe"
    PID: 4172
    - Checks computer location settings
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe"
      PID: 2128
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe
        command line: timeout /t 1
        PID: 1500
        - Delays execution with timeout.exe
  C:\cacls.exe
    command line: "C:\cacls.exe"
    PID: 1556
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 33KB
- MD5: a353590e06c976809f14906746109758
- SHA1: 3e38480e52434f1e193d9c84b8bdc133c4bd10c2
- SHA256: d6e40b4ed7c0bc8ac18b15d265ed2edab9efc260332ef0a98623f943be3a43fa
- SHA512: 54a884652032040acda5c3a78d258bbe50362f77f2a3a364a8819cf8263282fcb21e35d7293eb62202ea82e96b5994fd072356d310df3037bec6a61c221796a6