Analysis

max time kernel: 151s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/11/2023, 10:44
Behavioral task: behavioral1
Sample: 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
Resource: win7-20231025-en

Behavioral task: behavioral2
Sample: 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
Resource: win10v2004-20231020-en
General

Target: 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
Size: 223KB
MD5: 7356e94a91d2550864e9af87417408ce
SHA1: 1fa54bb4f5c256be4bd086f74e3acb41142f7e27
SHA256: 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2
SHA512: 7d709d7e29bb71d07a8298424445be7552a75bbd14e1fdcc4da59de0d3b2621ea43b8457f2515189e55ee0ed80d17271abf78c70e5c3b857831d3515dd0324d4
SSDEEP: 6144:RwPSUONLNsuWA7koN+boRhZ2VUUaSaE0A6Xvd2:ROuW5o/oVU1r5w
Malware Config
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
description | pid | Process | procid_target
PID 3356 created 636 | 3356 | Explorer.EXE | 5
Downloads MZ/PE file

Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\System32\drivers\tYVMJNfK.sys | services.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
Executes dropped EXE (1 IoCs)
pid | Process
1716 | services.exe

resource | yara_rule
behavioral2/memory/1324-0-0x0000000000680000-0x00000000006EE000-memory.dmp | upx
behavioral2/memory/1324-39-0x0000000000680000-0x00000000006EE000-memory.dmp | upx
behavioral2/files/0x0006000000022e15-74.dat | upx
Unexpected DNS network traffic destination (1 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 114.114.114.114
Drops file in System32 directory (11 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 | services.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | services.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | services.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | services.exe
File created | C:\Windows\system32\ \Windows\System32\pYp8hY1C.sys | services.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C | services.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C | services.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 | services.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | services.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 | services.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 | services.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\KEyQkUy.sys | services.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | services.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | services.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | services.exe
Delays execution with timeout.exe (1 IoCs)
pid | Process
2204 | timeout.exe
Modifies data under HKEY_USERS (9 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | services.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | services.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | services.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | services.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | services.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | services.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | services.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | services.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | services.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
3356 | Explorer.EXE
3356 | Explorer.EXE
3356 | Explorer.EXE
3356 | Explorer.EXE
1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
1716 | services.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
3356 | Explorer.EXE

Suspicious behavior: LoadsDriver (3 IoCs)
pid | Process
672 | Process not Found
672 | Process not Found
672 | Process not Found
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
Token: SeTcbPrivilege | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
Token: SeDebugPrivilege | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
Token: SeDebugPrivilege | 3356 | Explorer.EXE
Token: SeDebugPrivilege | 3356 | Explorer.EXE
Token: SeDebugPrivilege | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
Token: SeDebugPrivilege | 1716 | services.exe
Token: SeDebugPrivilege | 1716 | services.exe
Token: SeDebugPrivilege | 1716 | services.exe
Token: SeIncBasePriorityPrivilege | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
Token: SeShutdownPrivilege | 3356 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3356 | Explorer.EXE

Suspicious use of UnmapMainImage (1 IoCs)
pid | Process
3356 | Explorer.EXE
Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target
PID 1324 wrote to memory of 3356 | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe | 54
PID 1324 wrote to memory of 3356 | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe | 54
PID 1324 wrote to memory of 3356 | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe | 54
PID 1324 wrote to memory of 3356 | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe | 54
PID 1324 wrote to memory of 3356 | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe | 54
PID 3356 wrote to memory of 1716 | 3356 | Explorer.EXE | 92
PID 3356 wrote to memory of 1716 | 3356 | Explorer.EXE | 92
PID 3356 wrote to memory of 1716 | 3356 | Explorer.EXE | 92
PID 3356 wrote to memory of 1716 | 3356 | Explorer.EXE | 92
PID 3356 wrote to memory of 1716 | 3356 | Explorer.EXE | 92
PID 3356 wrote to memory of 1716 | 3356 | Explorer.EXE | 92
PID 3356 wrote to memory of 1716 | 3356 | Explorer.EXE | 92
PID 1324 wrote to memory of 636 | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe | 5
PID 1324 wrote to memory of 636 | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe | 5
PID 1324 wrote to memory of 636 | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe | 5
PID 1324 wrote to memory of 636 | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe | 5
PID 1324 wrote to memory of 636 | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe | 5
PID 1324 wrote to memory of 576 | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe | 100
PID 1324 wrote to memory of 576 | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe | 100
PID 1324 wrote to memory of 576 | 1324 | 2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe | 100
PID 576 wrote to memory of 2204 | 576 | cmd.exe | 102
PID 576 wrote to memory of 2204 | 576 | cmd.exe | 102
PID 576 wrote to memory of 2204 | 576 | cmd.exe | 102
Processes

C:\Windows\system32\winlogon.exe
    command line: winlogon.exe
    PID: 636
    C:\ProgramData\services.exe
        command line: "C:\ProgramData\services.exe"
        PID: 1716
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Checks SCSI registry key(s)
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 3356
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe"
        PID: 1324
        - Checks computer location settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe"
            PID: 576
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\timeout.exe
                command line: timeout /t 1
                PID: 2204
                - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 698KB
MD5: d8e577bf078c45954f4531885478d5a9
SHA1: d7a213f3cfee2a8a191769eb33847953be51de54
SHA256: dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674
SHA512: d7ef417fe68d44ed5a10eeca6075010c3940d5d6568086762d7c3f7ec55793d1ccaea7e6ac2675a3330a26b39c53c4be04241ffd23ba80b88112de10a01925e9
Filesize: 14.1MB
MD5: a7ef23896bd75e4cf69595d10cac31ac
SHA1: 6882cc47f35317decd34213a550473c6aa83a908
SHA256: 3148f6ce8f8cd6246cb222715925a6a6066d573e92bf5441a8f191884870810c
SHA512: 1f8efa9855b5f9b768a2cd445986de7f5c4a2adec31afa5b92530651a8f99fcb43f25eaa2469c5ea7c1e7e04b3a5fd41f61bc1b322d9489ad11494ad4164f08c