Analysis
max time kernel: 155s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2023, 13:48
Static task: static1

Behavioral task: behavioral1
  Sample: 34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe
  Resource: win7-20231023-en

Behavioral task: behavioral2
  Sample: 34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe
  Resource: win10v2004-20231020-en
General
Target: 34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe
Size: 3.3MB
MD5: f96e3442a8699d9014a31091484b44d4
SHA1: 6d1a74404dde4bf2cb352164df93d5a2ddf12386
SHA256: 34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c
SHA512: 02ad199440d259a98e9892ac43825c745a142421afde951a95c70ec435e9a6df321e4d12a6ea36f981f35eec2e4e34abc38746ea6e26109de3e32e725c82da94
SSDEEP: 49152:/zeqaA8fG9XnjS6OnXds7aMdc1otuL8wRswq8LxS2TLJ9f8KywtrE3NYUxGC5BU7:b5gUVOXdP+c1EuzPLxNJywtgdExIUk0
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  1436  setup.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                                                    Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\I:  MSIEXEC.EXE
  File opened (read-only)  \??\K:  MSIEXEC.EXE
  File opened (read-only)  \??\M:  MSIEXEC.EXE
  File opened (read-only)  \??\P:  MSIEXEC.EXE
  File opened (read-only)  \??\X:  MSIEXEC.EXE
  File opened (read-only)  \??\A:  MSIEXEC.EXE
  File opened (read-only)  \??\B:  MSIEXEC.EXE
  File opened (read-only)  \??\E:  MSIEXEC.EXE
  File opened (read-only)  \??\N:  MSIEXEC.EXE
  File opened (read-only)  \??\Q:  MSIEXEC.EXE
  File opened (read-only)  \??\R:  MSIEXEC.EXE
  File opened (read-only)  \??\T:  MSIEXEC.EXE
  File opened (read-only)  \??\Y:  MSIEXEC.EXE
  File opened (read-only)  \??\G:  MSIEXEC.EXE
  File opened (read-only)  \??\H:  MSIEXEC.EXE
  File opened (read-only)  \??\O:  MSIEXEC.EXE
  File opened (read-only)  \??\U:  MSIEXEC.EXE
  File opened (read-only)  \??\V:  MSIEXEC.EXE
  File opened (read-only)  \??\Z:  MSIEXEC.EXE
  File opened (read-only)  \??\J:  MSIEXEC.EXE
  File opened (read-only)  \??\L:  MSIEXEC.EXE
  File opened (read-only)  \??\S:  MSIEXEC.EXE
  File opened (read-only)  \??\W:  MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken (32 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            3748  MSIEXEC.EXE
  Token: SeIncreaseQuotaPrivilege       3748  MSIEXEC.EXE
  Token: SeSecurityPrivilege            4452  msiexec.exe
  Token: SeCreateTokenPrivilege         3748  MSIEXEC.EXE
  Token: SeAssignPrimaryTokenPrivilege  3748  MSIEXEC.EXE
  Token: SeLockMemoryPrivilege          3748  MSIEXEC.EXE
  Token: SeIncreaseQuotaPrivilege       3748  MSIEXEC.EXE
  Token: SeMachineAccountPrivilege      3748  MSIEXEC.EXE
  Token: SeTcbPrivilege                 3748  MSIEXEC.EXE
  Token: SeSecurityPrivilege            3748  MSIEXEC.EXE
  Token: SeTakeOwnershipPrivilege       3748  MSIEXEC.EXE
  Token: SeLoadDriverPrivilege          3748  MSIEXEC.EXE
  Token: SeSystemProfilePrivilege       3748  MSIEXEC.EXE
  Token: SeSystemtimePrivilege          3748  MSIEXEC.EXE
  Token: SeProfSingleProcessPrivilege   3748  MSIEXEC.EXE
  Token: SeIncBasePriorityPrivilege     3748  MSIEXEC.EXE
  Token: SeCreatePagefilePrivilege      3748  MSIEXEC.EXE
  Token: SeCreatePermanentPrivilege     3748  MSIEXEC.EXE
  Token: SeBackupPrivilege              3748  MSIEXEC.EXE
  Token: SeRestorePrivilege             3748  MSIEXEC.EXE
  Token: SeShutdownPrivilege            3748  MSIEXEC.EXE
  Token: SeDebugPrivilege               3748  MSIEXEC.EXE
  Token: SeAuditPrivilege               3748  MSIEXEC.EXE
  Token: SeSystemEnvironmentPrivilege   3748  MSIEXEC.EXE
  Token: SeChangeNotifyPrivilege        3748  MSIEXEC.EXE
  Token: SeRemoteShutdownPrivilege      3748  MSIEXEC.EXE
  Token: SeUndockPrivilege              3748  MSIEXEC.EXE
  Token: SeSyncAgentPrivilege           3748  MSIEXEC.EXE
  Token: SeEnableDelegationPrivilege    3748  MSIEXEC.EXE
  Token: SeManageVolumePrivilege        3748  MSIEXEC.EXE
  Token: SeImpersonatePrivilege         3748  MSIEXEC.EXE
  Token: SeCreateGlobalPrivilege        3748  MSIEXEC.EXE

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  3748  MSIEXEC.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 976 wrote to memory of 1436    976   34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe  89
  PID 976 wrote to memory of 1436    976   34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe  89
  PID 976 wrote to memory of 1436    976   34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe  89
  PID 1436 wrote to memory of 3748   1436  setup.exe                                                                92
  PID 1436 wrote to memory of 3748   1436  setup.exe                                                                92
  PID 1436 wrote to memory of 3748   1436  setup.exe                                                                92
Processes
C:\Users\Admin\AppData\Local\Temp\34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe"
  PID: 976
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
    PID: 1436
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\MSIEXEC.EXE
      Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msrdpcli.msi"
      PID: 3748
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4452
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 56KB
  MD5: 10d0937f0034d610f5ceaec5423597dc
  SHA1: 4202c6f7aaa76c2e7e3c45e649097d38a28f2b02
  SHA256: ab79c60cab3866812bb67d0b0116e0af4b6a6e7b673bd7572df563d5a961d632
  SHA512: 58505fa2896828090c068ea7328610c6e733ae0fb94c1f79631c1afcdf5c7f52131d98a3c4b62ee087ea5d9c6a9977afb756e179cb9abe02d61a9a81dec37f24

Filesize: 751KB
  MD5: 13fb585d7981d700fba8fb61c3584a72
  SHA1: b6136fbe483351a887e5fff0671ff184fa4543ee
  SHA256: 792d59d9a0706193b291b4bab0e2ac9da12603062f67568228d381622367710b
  SHA512: 269a7a3917fbf55e090311e4422ad8735358e1516adb5622ad1793e9bbc68679cd09945037cf09be8410f140d6c833e392e29c44817e17420d0dff3222a06acd

Filesize: 84KB
  MD5: b8edf8d30608ec72839a0289d67cc919
  SHA1: 01f8d8fa1f6ca7b1e452b5410e1c1596c914076f
  SHA256: de13730ef8f6614d99387ef8a3fd81d5f6127c9ea8bfa776783abe9f4eff2281
  SHA512: f68329fa65dd74249c8d157511f94db769a55a7db8045e89bb4ed9e7f2b3e662e0bd5de0beb392d744d3b468783ac342ddfdbe14839bf8a2ca5b0b2c5ec5b6e0