Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/12/2023, 11:59
Static task: static1
Behavioral task: behavioral1
  Sample: 4e71c0eb909b58239ff9a12e3abbed336c126e61ffb24e052ad68b4b6863ee01.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 4e71c0eb909b58239ff9a12e3abbed336c126e61ffb24e052ad68b4b6863ee01.exe
  Resource: win10v2004-20231127-en
General
Target: 4e71c0eb909b58239ff9a12e3abbed336c126e61ffb24e052ad68b4b6863ee01.exe
Size: 2.4MB
MD5: 59f79fe64de3c9562ea00c7e41f65d85
SHA1: f93f2bec00acde7beb74bd02ff74a164ce7c7b9e
SHA256: 4e71c0eb909b58239ff9a12e3abbed336c126e61ffb24e052ad68b4b6863ee01
SHA512: c562e59b5e953b05b21cb95b57f7364834ed155ad12a52dc10faf2da2e69f851c2425b05fb547de4e6098cb6655ff741025c989627b482d22e9127ac52d83100
SSDEEP: 49152:mrX4ppAYG3aZCwHUA1k3XKL73AxUCQLRWqJ8BaXKL73AxUCQLRWqJ8B:mT4ppAY/Ck+qL73x7sqJIDL73x7sqJI
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 4788 | process csrss1.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss1.exe" | process: csrss1.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 4788 set thread context of 1796 | pid 4788 | process csrss1.exe | procid_target 96

Program crash (1 IoC)
  pid 1456 | pid_target 4992 | process WerFault.exe | procid_target 98

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | process: ctfmon.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | process: ctfmon.exe

Modifies data under HKEY_USERS (3 IoCs)
  description: Key created | ioc: \REGISTRY\USER\.DEFAULT\Keyboard Layout\Toggle | process: ctfmon.exe
  description: Key created | ioc: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | process: ctfmon.exe
  description: Key created | ioc: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\CTF\DirectSwitchHotkeys\ | process: ctfmon.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4788 | process csrss1.exe (64 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeDebugPrivilege | pid 4788 | process csrss1.exe
  description: Token: SeDebugPrivilege | pid 4788 | process csrss1.exe
  description: Token: SeManageVolumePrivilege | pid 2756 | process svchost.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 3172 | process 4e71c0eb909b58239ff9a12e3abbed336c126e61ffb24e052ad68b4b6863ee01.exe (2 identical entries)
  pid 4788 | process csrss1.exe (2 identical entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  description: PID 3172 wrote to memory of 4788 | pid 3172 | process 4e71c0eb909b58239ff9a12e3abbed336c126e61ffb24e052ad68b4b6863ee01.exe | procid_target 86 (3 identical entries)
  description: PID 4788 wrote to memory of 1796 | pid 4788 | process csrss1.exe | procid_target 96 (9 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\4e71c0eb909b58239ff9a12e3abbed336c126e61ffb24e052ad68b4b6863ee01.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4e71c0eb909b58239ff9a12e3abbed336c126e61ffb24e052ad68b4b6863ee01.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3172
   2. C:\Users\Admin\AppData\Local\Temp\csrss1.exe
      command line: C:\Users\Admin\AppData\Local\Temp\csrss1.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4788
      3. C:\Windows\SysWOW64\ctfmon.exe
         command line: ctfmon.exe
         - Checks processor information in registry
         PID: 1796

1. C:\Windows\SysWOW64\ctfmon.exe
   command line: C:\Windows\SysWOW64\ctfmon.exe
   - Modifies data under HKEY_USERS
   PID: 4992
   2. C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 760
      - Program crash
      PID: 1456

1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4992 -ip 4992
   PID: 4476

1. C:\Windows\system32\rundll32.exe
   command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
   PID: 2040

1. C:\Windows\System32\svchost.exe
   command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
   - Suspicious use of AdjustPrivilegeToken
   PID: 2756
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 16KB
  MD5: 429b6684526538b3c06f7d9c542a020e
  SHA1: 4d0c1fe78b6b023eec55d18d30b3c3a287138128
  SHA256: 007a7815bde982ac0f87bf842f444310955fcc7273798dc7329a75b5ad598ee7
  SHA512: a83a6228a457fc14ea3c9c9617ecad634be046b5a52a5a40f39e276e48e43630a698f895c103b64a5e4eb20e0b01e61125c0b52a42723de1961767a086dc1ee2

Filesize: 375KB
  MD5: 1a6e00d9a2de724b77dd0c386cf0e08a
  SHA1: b2523f9ed765c850525e5414f8fb79e1e9fab444
  SHA256: 5bb683bf31a54e202b6f06d3120a3664cf666e54da2d6388beb003ccc1277eaa
  SHA512: 6fc43f2e1ec89c4911117e3a5d003fb30ffb3776afad1c4e9c8c268923fab123a802a3929247f9bcc75b916087d0427db85ab1ace098a666ebb4a9347d697d9d