Analysis
- max time kernel: 197s
- max time network: 236s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/10/2023, 01:44
Static task
- static1
Behavioral task
- behavioral1: Sample 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe, Resource win7-20231020-en
Behavioral task
- behavioral2: Sample 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe, Resource win10v2004-20231023-en
General
- Target: 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe
- Size: 6.9MB
- MD5: d2f32b3bf5e7c07ac6ee4918f93c4da3
- SHA1: 8035c6f1214d806a6f2181c41ae24c21ef1c4913
- SHA256: 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681
- SHA512: 5622ae6a36b3fcfc4560ecebfc0bdc446976c6e262322d345888b65e5ead956ff455771fb7ee736b5f1cd8134d2753e6cc6641c39c30b5e787256c23fa3927b0
- SSDEEP: 98304:bBax0HTtGRoXuo73LIDUae0OEHtpKMbaqALvQIIxNiRo2Zo/AE9aF55FP4elzQH+:AmttF3EDv3p/baqCI3V2W/eL9QL9w
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (6 IoCs)
- description: PID 4888 created 3384; pid: 4888; Process: 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe; procid_target: 49 (this entry is recorded 6 times)
Drops file in Drivers directory (1 IoC)
- description: File created; ioc: C:\Windows\System32\drivers\etc\hosts; Process: 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe
Stops running service(s) (3 TTPs)
Executes dropped EXE (1 IoC)
- pid: 2536; Process: updater.exe
Drops file in Program Files directory (1 IoC)
- description: File created; ioc: C:\Program Files\Google\Chrome\updater.exe; Process: 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe
Launches sc.exe (5 IoCs)
Sc.exe is a Windows utility to control services on the system.
- pid: 1004; Process: sc.exe
- pid: 3608; Process: sc.exe
- pid: 4872; Process: sc.exe
- pid: 2292; Process: sc.exe
- pid: 2948; Process: sc.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid: 1400; Process: schtasks.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
- pid: 4888; Process: 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe (14 entries)
- pid: 5104; Process: powershell.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (9 IoCs)
- description: Token: SeDebugPrivilege; pid: 5104; Process: powershell.exe
- description: Token: SeShutdownPrivilege; pid: 4436; Process: powercfg.exe
- description: Token: SeCreatePagefilePrivilege; pid: 4436; Process: powercfg.exe
- description: Token: SeShutdownPrivilege; pid: 3492; Process: powercfg.exe
- description: Token: SeCreatePagefilePrivilege; pid: 3492; Process: powercfg.exe
- description: Token: SeShutdownPrivilege; pid: 1240; Process: powercfg.exe
- description: Token: SeCreatePagefilePrivilege; pid: 1240; Process: powercfg.exe
- description: Token: SeShutdownPrivilege; pid: 2276; Process: powercfg.exe
- description: Token: SeCreatePagefilePrivilege; pid: 2276; Process: powercfg.exe
Suspicious use of WriteProcessMemory (18 IoCs; each entry below is recorded twice)
- description: PID 2204 wrote to memory of 2292; pid: 2204; Process: cmd.exe; procid_target: 95
- description: PID 2204 wrote to memory of 2948; pid: 2204; Process: cmd.exe; procid_target: 96
- description: PID 2204 wrote to memory of 1004; pid: 2204; Process: cmd.exe; procid_target: 98
- description: PID 2204 wrote to memory of 3608; pid: 2204; Process: cmd.exe; procid_target: 99
- description: PID 2204 wrote to memory of 4872; pid: 2204; Process: cmd.exe; procid_target: 100
- description: PID 2528 wrote to memory of 4436; pid: 2528; Process: cmd.exe; procid_target: 103
- description: PID 2528 wrote to memory of 3492; pid: 2528; Process: cmd.exe; procid_target: 107
- description: PID 2528 wrote to memory of 1240; pid: 2528; Process: cmd.exe; procid_target: 108
- description: PID 2528 wrote to memory of 2276; pid: 2528; Process: cmd.exe; procid_target: 111
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3384
  - C:\Users\Admin\AppData\Local\Temp\666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe"
    Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in Drivers directory; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses
    PID: 4888
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID: 5104
  - C:\Windows\System32\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2204
    - C:\Windows\System32\sc.exe
      Command line: sc stop UsoSvc
      Signatures: Launches sc.exe
      PID: 2292
    - C:\Windows\System32\sc.exe
      Command line: sc stop WaaSMedicSvc
      Signatures: Launches sc.exe
      PID: 2948
    - C:\Windows\System32\sc.exe
      Command line: sc stop wuauserv
      Signatures: Launches sc.exe
      PID: 1004
    - C:\Windows\System32\sc.exe
      Command line: sc stop bits
      Signatures: Launches sc.exe
      PID: 3608
    - C:\Windows\System32\sc.exe
      Command line: sc stop dosvc
      Signatures: Launches sc.exe
      PID: 4872
  - C:\Windows\System32\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2528
    - C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -hibernate-timeout-ac 0
      Signatures: Suspicious use of AdjustPrivilegeToken
      PID: 4436
    - C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -hibernate-timeout-dc 0
      Signatures: Suspicious use of AdjustPrivilegeToken
      PID: 3492
    - C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -standby-timeout-ac 0
      Signatures: Suspicious use of AdjustPrivilegeToken
      PID: 1240
    - C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -standby-timeout-dc 0
      Signatures: Suspicious use of AdjustPrivilegeToken
      PID: 2276
  - C:\Windows\System32\schtasks.exe
    Command line: C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
    PID: 1704
  - C:\Windows\System32\schtasks.exe
    Command line: C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\ecuijhvxegrk.xml"
    Signatures: Creates scheduled task(s)
    PID: 1400
  - C:\Windows\System32\schtasks.exe
    Command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
    PID: 3884
- C:\Program Files\Google\Chrome\updater.exe
  Command line: "C:\Program Files\Google\Chrome\updater.exe"
  Signatures: Executes dropped EXE
  PID: 2536
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 1.2MB
  MD5: 2d74a93f315407da6615191811f2f1f0
  SHA1: 9daf7d83ca91ab597e1b0d7b750446eb2e3d9993
  SHA256: 6c6c891f987bac45e4bd1d5d0077d180186286bf9f875483c15f3823aedaa60e
  SHA512: 5793c87b478cf8f6685eab27d590ca2d86aedf96a4e5bade64331ece11d8690bb6fcc27c442771444e62ad312ac3eeabf198034bd15d18588b94510d650f16ce
- File 2
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- File 3
  Filesize: 1KB
  MD5: 546d67a48ff2bf7682cea9fac07b942e
  SHA1: a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
  SHA256: eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
  SHA512: 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe