Analysis
max time kernel: 2s
max time network: 138s
platform: windows7_x64
resource: win7-20231130-en
resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
submitted: 11/12/2023, 02:26
Behavioral task: behavioral1
Sample: Empresa CE Support.exe
Resource: win7-20231130-en
Behavioral task: behavioral2
Sample: Empresa CE Support.exe
Resource: win10v2004-20231127-en
General
Target: Empresa CE Support.exe
Size: 3.8MB
MD5: 7c951e0b54b91d3f847d9f368f385512
SHA1: d3d2ecd1e4534922453db61fc594a2004c8be4c2
SHA256: ea9803c5fc03ed3aa0ee5f888a76396e5651ab52aee81493fed76fc6eeb894b2
SHA512: 9a72a0ecafa5cc05f7ce674bfafde91f0e81f0754fd4f981ad352916926a560e07334a663bbfdfc1c7794d83433f8b1a9f0c322bb6f230140749694d84b69829
SSDEEP: 49152:AvdRiSnf0Ts4Nt+9EMtYOWS0bZCGPsBiAa37INDDCLKbxj3jhE0kcVz+e3Zpzx1J:ai8f4s4itYO1d9iAa37INDDhlElcVFFJ
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
480   Process not Found
3044  nboodcfvpmxmuldkjykyhrcelgqwcep-elevate.exe
Modifies Internet Explorer settings (5 IoCs)
description      ioc                                                                                                                                                                     Process
Key created      \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION                          Empresa CE Support.exe
Key created      \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main                                                                   Empresa CE Support.exe
Key created      \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl                                                    Empresa CE Support.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Empresa CE Support.exe = "11001"  Empresa CE Support.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\Empresa CE Support.exe = "11001"                                    Empresa CE Support.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid   Process
2400  Empresa CE Support.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description                      pid   Process
Token: SeIncBasePriorityPrivilege  2996  Empresa CE Support.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
pid   Process
2208  Empresa CE Support.exe
2208  Empresa CE Support.exe
2208  Empresa CE Support.exe
2208  Empresa CE Support.exe
Suspicious use of SendNotifyMessage (4 IoCs)
pid   Process
2208  Empresa CE Support.exe
2208  Empresa CE Support.exe
2208  Empresa CE Support.exe
2208  Empresa CE Support.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process                 procid_target
PID 2996 wrote to memory of 2208  2996  Empresa CE Support.exe  19
PID 2996 wrote to memory of 2208  2996  Empresa CE Support.exe  19
PID 2996 wrote to memory of 2208  2996  Empresa CE Support.exe  19
Processes
C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe"
  PID: 2996
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe" -gpipe \\.\pipe\PCommand97Empresa^CE^Support -gui
      PID: 2208
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Empresa CE Support.exe" -cpipe \\.\pipe\PCommand96Empresa^CE^Support -child
      PID: 2400
      - Suspicious behavior: EnumeratesProcesses
C:\ProgramData\Getscreen.me\nboodcfvpmxmuldkjykyhrcelgqwcep-elevate.exe
  Command line: "C:\ProgramData\Getscreen.me\nboodcfvpmxmuldkjykyhrcelgqwcep-elevate.exe" -elevate \\.\pipe\elevateGS512nboodcfvpmxmuldkjykyhrcelgqwcep
  PID: 3044
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads