Analysis

- max time kernel: 46s
- max time network: 33s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/12/2023, 10:32
Static task: static1

Behavioral task: behavioral1
- Sample: 8533ca3518ee06d6219f7eaa43a2cbb8.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 8533ca3518ee06d6219f7eaa43a2cbb8.exe
- Resource: win10v2004-20231215-en
Errors

General

- Target: 8533ca3518ee06d6219f7eaa43a2cbb8.exe
- Size: 79KB
- MD5: 8533ca3518ee06d6219f7eaa43a2cbb8
- SHA1: b9a231ca235c7eb57d9a6e0a3d47680d291cf355
- SHA256: 8ba7d0adb180615be8923a26b3c3259201a73f0cb70b62f38c2d43445c2e8307
- SHA512: 8fb61a514df985b1eb4b5e6960782d2adb763079c61a71efd6a8eeea8a7fe6332f90b392bee3a6a5ebe7a9a2f74349b3b7146131546f40971a1bb1e16aa3a887
- SSDEEP: 1536:C+T052SRYaNRyGVxxsErecOUGKqPamrzHk:OYCTfskecOJvPrE
Malware Config

Signatures

- Executes dropped EXE (1 IoC)
  PID   Process
  4908  sys3.exe

- Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Description                   IoC                  Process
  File opened for modification  \??\PHYSICALDRIVE0   8533ca3518ee06d6219f7eaa43a2cbb8.exe
  File opened for modification  \??\PHYSICALDRIVE0   sys3.exe

- Modifies data under HKEY_USERS (15 IoCs), all by process LogonUI.exe
  Description       IoC
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "85"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description                  PID   Process
  Token: SeShutdownPrivilege   4908  sys3.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  PID   Process
  3628  LogonUI.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Description                        PID   Process                               procid_target
  PID 1808 wrote to memory of 4908   1808  8533ca3518ee06d6219f7eaa43a2cbb8.exe  87
  PID 1808 wrote to memory of 4908   1808  8533ca3518ee06d6219f7eaa43a2cbb8.exe  87
  PID 1808 wrote to memory of 4908   1808  8533ca3518ee06d6219f7eaa43a2cbb8.exe  87
Processes

- C:\Users\Admin\AppData\Local\Temp\8533ca3518ee06d6219f7eaa43a2cbb8.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8533ca3518ee06d6219f7eaa43a2cbb8.exe"
  PID: 1808
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\sys3.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\\sys3.exe
    PID: 4908
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\LogonUI.exe (depth 1)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39f2855 /state1:0x41c64e6d
  PID: 3628
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 79KB
  MD5: 8533ca3518ee06d6219f7eaa43a2cbb8
  SHA1: b9a231ca235c7eb57d9a6e0a3d47680d291cf355
  SHA256: 8ba7d0adb180615be8923a26b3c3259201a73f0cb70b62f38c2d43445c2e8307
  SHA512: 8fb61a514df985b1eb4b5e6960782d2adb763079c61a71efd6a8eeea8a7fe6332f90b392bee3a6a5ebe7a9a2f74349b3b7146131546f40971a1bb1e16aa3a887

- Filesize: 70B
  MD5: 753fcf709e1bfcb4720e2d7ed2d0a42a
  SHA1: 726baebda65bb15047cf503e063859d410b9983e
  SHA256: e40bf7b8c631bc02888a610b1c92bb6bbd4230f7989a657048cd8ff012afda79
  SHA512: 8c853348a5037713fe550dd2e0a69a42059af8516db9f60055df69e71512881a06dc49b01a3527ab52ab9da18841ab4d15708af4468813133ed7e9b9f4961c8b