Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
85s -
max time network
77s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
29/10/2023, 18:40
Errors
General
-
Target
Dayload_V8.exe
-
Size
1.7MB
-
MD5
2e377d5dd89e8db32b18d7dbf1797b09
-
SHA1
b30a259fa9fdbdd6fcd6cb21b6d52c7c25e4a978
-
SHA256
a0d005522770b6dae72fc3f8e80a958d7d209b35c9504c1dfd4c749396bc41bb
-
SHA512
71d06a530f72c5f6c3fd5af5f12edd8af478c05343581a6cfbec63e32cb4ad2a583639313fdb2fa324385bb0de5dbe0c2bc7f6ee0c6b8f5e14f5621ed5058fa7
-
SSDEEP
49152:p/jwLjLXC45bdXzX3jTDYjg+ZMF+HYmTYF:pjwXHNjTAgNQY+YF
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Kills process with taskkill 7 IoCs
-
Modifies data under HKEY_USERS 44 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\Dayload_V8.exe"C:\Users\Admin\AppData\Local\Temp\Dayload_V8.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EB4A.tmp\EB5B.tmp\EB5C.bat C:\Users\Admin\AppData\Local\Temp\Dayload_V8.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\ProcessTerminator.exeProcessTerminator.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\Desktop\Dayload.exeDayload.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im taskmgr.exe > nul 2>&15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im procexp.exe > nul 2>&15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im procexp.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im procexp64.exe > nul 2>&15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im procexp64.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe > nul 2>&15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im ProcessHacker.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im dwm.exe > nul 2>&15⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im dwm.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im winlogon.exe > nul 2>&15⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im winlogon.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im fontdrvhost.exe > nul 2>&15⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im fontdrvhost.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f8 0x46c1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
57B
MD5e4e6cc2e53e248bd6d40cc32bf8f329b
SHA1d51b57272521a1dbcbf70c9ed27e6f7bba87810e
SHA256fbd2f578330e63666a46f0d2a5426d6550a8071902ffc3a9c4e13ed8f0a9a428
SHA512e405776685de9cf23a8263685dca8e42b6cbe79cb8e73a136ece6407bbc59c24e38445f0575417467a3a06c1a1e2043caeea941f7e47bf5bb1d859fad9a791ef
-
Filesize
67KB
MD58322be3a6bb09b1ddf65bf218ee6e343
SHA11422e47f8bc8b88f3dda4be8ecc85fd941d7dc14
SHA2560f28971429a8f4ac51608b6069f837ea0c9ca6322e9c809298ed35f3c6ad4a03
SHA512b4fcb1747d38b08753209e14f691f8c03de429ba35c4f81282f1bf2298b5d7e62595b629058d23b1a58ed75fc9cc8c42371394d756bd8337deb58b393b8cf509
-
Filesize
122KB
MD514ae7cc3a92b15ee2f7fcb6e844153ff
SHA10fed2b8182efd39f1e86eddec10392af61d14e27
SHA2563a5f54f6d6c5e1e5577fd15be16d9e5dfb95ff4b3323ee21a8f47c684089933a
SHA512087121e9f8698acfe5f11a63762defd28975856cab575cb50d652d4b673e1a4902c71978d11919598ceabfeec929a1a739e96eb8706b9c91b158a9954f289138
-
Filesize
122KB
MD514ae7cc3a92b15ee2f7fcb6e844153ff
SHA10fed2b8182efd39f1e86eddec10392af61d14e27
SHA2563a5f54f6d6c5e1e5577fd15be16d9e5dfb95ff4b3323ee21a8f47c684089933a
SHA512087121e9f8698acfe5f11a63762defd28975856cab575cb50d652d4b673e1a4902c71978d11919598ceabfeec929a1a739e96eb8706b9c91b158a9954f289138
-
Filesize
898KB
MD5f83746b98014aa2374a79758dafdf409
SHA10520b6ec402963b015ae060b225f30d41a88ab05
SHA256e1118fc5ca6a4bcfca0dcbf7b4705bbea6b7155fd58442dc870a61a866bb413d
SHA512ee0604705c92a2b605986a2263c4d342fcfe8b002c0fcf634d5a52d811e5b2d00cef80f579c0d44e291ea15a3048bf384fe0dba9222160c736987c90b7c5edff
-
Filesize
28KB
MD5024ec42976c33828a8c4a55560634118
SHA14a11f5e4331228d3d0270b11aa36010654659268
SHA2565946c15a59a5e9f811dec8a81f0b15551fbed38aeda1aa9f0f369edb4570c0fe
SHA512e7f8c5d5669bff1da338c4c394ad2022475154068592c1c13eb0785a9541340ec8fa78632c0baf990e0c335cb769771660c438fc8d71072e1e55058ab9499353
-
Filesize
28KB
MD5024ec42976c33828a8c4a55560634118
SHA14a11f5e4331228d3d0270b11aa36010654659268
SHA2565946c15a59a5e9f811dec8a81f0b15551fbed38aeda1aa9f0f369edb4570c0fe
SHA512e7f8c5d5669bff1da338c4c394ad2022475154068592c1c13eb0785a9541340ec8fa78632c0baf990e0c335cb769771660c438fc8d71072e1e55058ab9499353
-
Filesize
171KB
MD56d47ca15e34ce5b3cd1a436226885aaa
SHA133825aec7b88b94ff2926ae367375fc814071b01
SHA256f31a44b466c4b6a11f104fd75c221bed775f8db2a6bb2a0d48409fa906a10e9e
SHA512587b467c052fe2cf7a6a59cd813b984f89510d68a6b8510497478bdd176e3d7d796e81acd13fb1ff52fa5a0bb0ac804c7a87bed01883252b1bfde0a4e5221426
-
Filesize
62KB
MD5aa51acf42986f844d36e4e7807f13239
SHA16284203a35fe0459204fc67d1cc4ec6b329a4ed0
SHA25641dd9842b8ba31009ee80c0b382dc2136923d6077767b5fe35dfacce0634c5bc
SHA512b724fac28a36b005c4a21dee9fd181bb85eced1c03903cbd81f04822f4adcd95042db7c58ba6e7c92c901f6a33c902ecd9dbeaec4c08c6a7ffd9e2ad57bc5e71
-
Filesize
898KB
MD5f83746b98014aa2374a79758dafdf409
SHA10520b6ec402963b015ae060b225f30d41a88ab05
SHA256e1118fc5ca6a4bcfca0dcbf7b4705bbea6b7155fd58442dc870a61a866bb413d
SHA512ee0604705c92a2b605986a2263c4d342fcfe8b002c0fcf634d5a52d811e5b2d00cef80f579c0d44e291ea15a3048bf384fe0dba9222160c736987c90b7c5edff
-
Filesize
2.1MB
MD5e628baf3be74ffe67e71a27ca3865156
SHA105b75dee03400aea8812b9342e764e909667ebbd
SHA256b9921954681ceb3f01a03071f87aaa33116e0ab0a1532309dced36a0085471b7
SHA512d5e1a61bb98e35a996cf1d465bc6b922a0aac7d35713852dac43ec54cd34240dcf31d1843c4eed45c251dcde44399b7af1e0262c140577f148b3b706669cfd8e
-
Filesize
2.1MB
MD5e628baf3be74ffe67e71a27ca3865156
SHA105b75dee03400aea8812b9342e764e909667ebbd
SHA256b9921954681ceb3f01a03071f87aaa33116e0ab0a1532309dced36a0085471b7
SHA512d5e1a61bb98e35a996cf1d465bc6b922a0aac7d35713852dac43ec54cd34240dcf31d1843c4eed45c251dcde44399b7af1e0262c140577f148b3b706669cfd8e
-
Filesize
62KB
MD5aa51acf42986f844d36e4e7807f13239
SHA16284203a35fe0459204fc67d1cc4ec6b329a4ed0
SHA25641dd9842b8ba31009ee80c0b382dc2136923d6077767b5fe35dfacce0634c5bc
SHA512b724fac28a36b005c4a21dee9fd181bb85eced1c03903cbd81f04822f4adcd95042db7c58ba6e7c92c901f6a33c902ecd9dbeaec4c08c6a7ffd9e2ad57bc5e71
-
Filesize
171KB
MD56d47ca15e34ce5b3cd1a436226885aaa
SHA133825aec7b88b94ff2926ae367375fc814071b01
SHA256f31a44b466c4b6a11f104fd75c221bed775f8db2a6bb2a0d48409fa906a10e9e
SHA512587b467c052fe2cf7a6a59cd813b984f89510d68a6b8510497478bdd176e3d7d796e81acd13fb1ff52fa5a0bb0ac804c7a87bed01883252b1bfde0a4e5221426
-
Filesize
171KB
MD56d47ca15e34ce5b3cd1a436226885aaa
SHA133825aec7b88b94ff2926ae367375fc814071b01
SHA256f31a44b466c4b6a11f104fd75c221bed775f8db2a6bb2a0d48409fa906a10e9e
SHA512587b467c052fe2cf7a6a59cd813b984f89510d68a6b8510497478bdd176e3d7d796e81acd13fb1ff52fa5a0bb0ac804c7a87bed01883252b1bfde0a4e5221426
-
Filesize
171KB
MD56d47ca15e34ce5b3cd1a436226885aaa
SHA133825aec7b88b94ff2926ae367375fc814071b01
SHA256f31a44b466c4b6a11f104fd75c221bed775f8db2a6bb2a0d48409fa906a10e9e
SHA512587b467c052fe2cf7a6a59cd813b984f89510d68a6b8510497478bdd176e3d7d796e81acd13fb1ff52fa5a0bb0ac804c7a87bed01883252b1bfde0a4e5221426
-
Filesize
96KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
5.2MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
1.8MB
-
Filesize
1.8MB