Analysis
- max time kernel: 152s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231025-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231025-en locale:en-us os:windows10-2004-x64 system
- submitted: 17/11/2023, 04:43
Behavioral task behavioral1
- Sample: gry.exe
- Resource: win7-20231023-en
Behavioral task behavioral2
- Sample: gry.exe
- Resource: win10v2004-20231025-en
General
- Target: gry.exe
- Size: 989KB
- MD5: 8a5311cd91c99c7c9e3c4074bad2ce24
- SHA1: bcd16d0fa152ba6c949d71c449fb7f04499ed974
- SHA256: e9e2ed140683ba8f499d3c79cc0737f6ef8533867749c0bd6a78fd61c2d4d7f7
- SHA512: 1ac7ed75b3f250d6e2c8e35b006066a0cb7abe7d3dfec476139aefd0ee8fd06a20fc52efb794266bc9973d74366f10f8d05bf10fd852af77748292fa54802bb7
- SSDEEP: 12288:nXe9PPlowWX0t6mOQwg1Qd15CcYk0We1RS+S1M9UYOIRIpk+TrJX8lSHxxssefa:OhloDX0XOf47W1o6RR6Va
Malware Config
Signatures
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AFTCJY.lnk | gry.exe
Executes dropped EXE 2 IoCs
pid | Process
1464 | Microsoft-Office-2013-Word.exe
2808 | Microsoft-Office-2013-Word.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AFTCJY = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Microsoft-Office-2013-Word.exe\"" | gry.exe
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1280 | schtasks.exe
NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2 | gry.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3060 | gry.exe (the same pid/process pair is repeated for all 64 IoCs)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3060 | gry.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 3060 wrote to memory of 4652 | 3060 | gry.exe | 89
PID 3060 wrote to memory of 4652 | 3060 | gry.exe | 89
PID 3060 wrote to memory of 4652 | 3060 | gry.exe | 89
PID 3060 wrote to memory of 4668 | 3060 | gry.exe | 91
PID 3060 wrote to memory of 4668 | 3060 | gry.exe | 91
PID 3060 wrote to memory of 4668 | 3060 | gry.exe | 91
PID 4652 wrote to memory of 1280 | 4652 | cmd.exe | 92
PID 4652 wrote to memory of 1280 | 4652 | cmd.exe | 92
PID 4652 wrote to memory of 1280 | 4652 | cmd.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\gry.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\gry.exe"
  - Drops startup file
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3060
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c schtasks /create /tn AFTCJY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft-Office-2013-Word.exe /sc minute /mo 1
    - Suspicious use of WriteProcessMemory
    PID:4652
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn AFTCJY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft-Office-2013-Word.exe /sc minute /mo 1
      - Creates scheduled task(s)
      PID:1280
  - C:\Windows\SysWOW64\WSCript.exe
    Command line: WSCript C:\Users\Admin\AppData\Local\Temp\AFTCJY.vbs
    PID:4668
- C:\Users\Admin\AppData\Roaming\Windata\Microsoft-Office-2013-Word.exe
  Command line: C:\Users\Admin\AppData\Roaming\Windata\Microsoft-Office-2013-Word.exe
  - Executes dropped EXE
  PID:1464
- C:\Users\Admin\AppData\Roaming\Windata\Microsoft-Office-2013-Word.exe
  Command line: C:\Users\Admin\AppData\Roaming\Windata\Microsoft-Office-2013-Word.exe
  - Executes dropped EXE
  PID:2808
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 826B
  MD5: 6cbc3144de3e6783d7d4fd39b3214c2b
  SHA1: d1699b28dd277f448d8e46123a929522a5f4c5fe
  SHA256: a45e7187a8c4183e8248f71f1bccd6cc88ad902c6a4871d9c486be14b78727a0
  SHA512: afaa124d1f7dd94a90d26e085d2264e30e4bfad7da04275298801343e35cbaf7d1567fee7f33db2c07568a5a3a85284fa10af9618accd519b8f7c56155e16377
- Filesize: 989KB
  MD5: 8a5311cd91c99c7c9e3c4074bad2ce24
  SHA1: bcd16d0fa152ba6c949d71c449fb7f04499ed974
  SHA256: e9e2ed140683ba8f499d3c79cc0737f6ef8533867749c0bd6a78fd61c2d4d7f7
  SHA512: 1ac7ed75b3f250d6e2c8e35b006066a0cb7abe7d3dfec476139aefd0ee8fd06a20fc52efb794266bc9973d74366f10f8d05bf10fd852af77748292fa54802bb7