Analysis

max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/12/2023, 15:52
Static task: static1
Behavioral task: behavioral1
  Sample: Photo01 By gpj.scr
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: Photo01 By gpj.scr
  Resource: win10v2004-20231222-en
General

Target: Photo01 By gpj.scr
Size: 547KB
MD5: dc5e556beac206f025de1c9f92d2e39b
SHA1: c0820fed333a9bb3c800950e5d3f46b0ade731e0
SHA256: 560e31e0a9b21391f252a3096e2e0e495eb7c33a7548de1d71dea1a334536aee
SHA512: 4f34c33157fa78e7d068480962ad30116673a62fff7591b95d245e3cdc56e218cb6c8cc63ad1930d555a033ce810ba929c9040ebcc7df61099f673fbb8e6b621
SSDEEP: 12288:oXTxe8fUp6qreT2A+FY0u7qMg+RIGjFGKOyeRJatK:xpVLqg+KW5b3tK
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 10 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Photo01 By ????gpj.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Photo01 By ????gpj.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Updbsp01.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Updbsp01.exe:*:Enabled:Windows Messanger" | reg.exe
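The ten IoCs above are the Windows XP-era firewall policy format: each program allowed through the profile is a REG_SZ under AuthorizedApplications\List whose data reads "<path>:<scope>:<Enabled|Disabled>:<display name>", and DoNotAllowExceptions = 0 keeps that list in force (1 is the "don't allow exceptions" lockdown). The sample adds two of its own binaries (one in AppData\Roaming, one in the Temp directory) with scope "*" and a display name of "Windows Messanger" that has nothing to do with the executable. The check below is an added example, not code from the Triage report: it parses reg.exe command lines of the shape seen in the process tree and flags writes to these keys. The four SAMPLE_EVENTS are the reg.exe PIDs and command lines from this report; BENIGN_EVENTS are constructed here for contrast, and the Contoso names in them are invented.

```python
"""Flag reg.exe command lines that punch holes in the legacy Windows Firewall policy.

Added example, not part of the Triage report. SAMPLE_EVENTS are the (pid, command
line) pairs from the report's process tree; BENIGN_EVENTS are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Every profile's policy sits under this key. The allowlist is the
# AuthorizedApplications\List subkey, one REG_SZ per program whose data is
# "<path>:<scope>:<Enabled|Disabled>:<display name>".
FIREWALL_POLICY = "\\services\\sharedaccess\\parameters\\firewallpolicy\\"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class Finding:
    pid: int
    reason: str
    path: str = ""


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs intact."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def parse_reg_add(cmdline: str) -> tuple[str, str, str] | None:
    """Return (key, value name, data) for 'REG ADD <key> /v <name> /t <type> /d <data> [/f]'."""
    argv = tokenize(cmdline)
    if len(argv) < 3 or argv[0].lower() not in ("reg", "reg.exe") or argv[1].lower() != "add":
        return None
    key, opts, i = argv[2], {}, 3
    while i < len(argv):
        flag = argv[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(argv):
            opts[flag] = argv[i + 1]
            i += 2
        else:                       # /f, /ve, /reg:32 ... carry no operand we need
            i += 1
    return key, opts.get("/v", ""), opts.get("/d", "")


def parse_allow_entry(data: str) -> tuple[str, str, str, str] | None:
    """Split '<path>:<scope>:<state>:<name>' from the right so the drive colon survives."""
    parts = data.rsplit(":", 3)
    return (parts[0], parts[1], parts[2], parts[3]) if len(parts) == 4 else None


def inspect(pid: int, cmdline: str) -> list[Finding]:
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return []
    key, value_name, data = parsed
    lkey = key.lower()
    if FIREWALL_POLICY not in lkey:
        return []
    findings: list[Finding] = []
    # DoNotAllowExceptions=0 keeps the exception list effective for the profile.
    if value_name.lower() == "donotallowexceptions" and data.strip() == "0":
        findings.append(Finding(pid, "DoNotAllowExceptions forced to 0 (exception list re-enabled)"))
    if lkey.endswith("\\authorizedapplications\\list"):
        entry = parse_allow_entry(data)
        if entry is None:
            findings.append(Finding(pid, "malformed AuthorizedApplications entry", data))
            return findings
        path, scope, state, name = entry
        if state.lower() != "enabled":
            return findings
        if any(d in path.lower() for d in USER_WRITABLE):
            findings.append(Finding(pid, "firewall exception for executable in user-writable path "
                                         f"(scope {scope!r}, display name {name!r})", path))
        elif scope == "*":
            findings.append(Finding(pid, f"firewall exception with unrestricted scope (display name {name!r})", path))
    return findings


def scan(events) -> list[Finding]:
    """events: iterable of (pid, command line)."""
    return [f for pid, cmdline in events for f in inspect(pid, cmdline)]


LIST_KEY = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
PROFILE_KEY = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"

# Transcribed from the report (reg.exe PIDs 3980, 4664, 1480, 4796).
SAMPLE_EVENTS = [
    (3980, f'REG ADD {LIST_KEY} /v "C:\\Users\\Admin\\AppData\\Roaming\\Updbsp01.exe" /t REG_SZ '
           f'/d "C:\\Users\\Admin\\AppData\\Roaming\\Updbsp01.exe:*:Enabled:Windows Messanger" /f'),
    (4664, f'REG ADD {PROFILE_KEY} /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'),
    (1480, f'REG ADD {LIST_KEY} /v "C:\\Users\\Admin\\AppData\\Local\\Temp\\Photo01 By ????gpj.exe" /t REG_SZ '
           f'/d "C:\\Users\\Admin\\AppData\\Local\\Temp\\Photo01 By ????gpj.exe:*:Enabled:Windows Messanger" /f'),
    (4796, f'REG ADD {PROFILE_KEY} /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'),
]

# Constructed for contrast (invented names): an unrelated key, and a Program Files
# binary whose exception is limited to the local subnet.
BENIGN_EVENTS = [
    (5000, r'REG ADD "HKLM\Software\Contoso" /v Installed /t REG_DWORD /d 1 /f'),
    (5001, f'REG ADD {LIST_KEY} /v "C:\\Program Files\\Contoso\\agent.exe" /t REG_SZ '
           f'/d "C:\\Program Files\\Contoso\\agent.exe:LocalSubNet:Enabled:Contoso Agent" /f'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS + BENIGN_EVENTS):
        print(f"PID {f.pid}: {f.reason} {f.path}")
```

Run over the report's four lines it returns one finding per reg.exe process and nothing for the benign lines. The same parser works on Sysmon event 1 or EDR process-creation command lines; the point of splitting the allowlist value from the right is that the path itself contains a colon after the drive letter, which a naive split on ":" would break.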
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | Photo01 By gpj.scr
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2348 set thread context of 1532 | 2348 | Photo01 By gpj.scr | 91
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings | Photo01 By gpj.scr
Modifies registry key (1 TTP, 4 IoCs)
pid | Process
4796 | reg.exe
1480 | reg.exe
4664 | reg.exe
3980 | reg.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
One privilege enabled by the parent, then every privilege in LUID order by the child; the bare numbers (1, 31 to 35) are privilege LUIDs the sandbox did not map to a name.
pid | Process | Token
2348 | Photo01 By gpj.scr | SeDebugPrivilege
1532 | Photo01 By gpj.scr | 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process | calls
1532 | Photo01 By gpj.scr | 8
Suspicious use of WriteProcessMemory (35 IoCs)
description | pid | Process | procid_target | occurrences
PID 2348 wrote to memory of 1532 | 2348 | Photo01 By gpj.scr | 91 | 8
PID 1532 wrote to memory of 1380 | 1532 | Photo01 By gpj.scr | 100 | 3
PID 1532 wrote to memory of 2396 | 1532 | Photo01 By gpj.scr | 99 | 3
PID 1532 wrote to memory of 3208 | 1532 | Photo01 By gpj.scr | 98 | 3
PID 1532 wrote to memory of 904 | 1532 | Photo01 By gpj.scr | 96 | 3
PID 1380 wrote to memory of 4796 | 1380 | cmd.exe | 97 | 3
PID 2396 wrote to memory of 1480 | 2396 | cmd.exe | 101 | 3
PID 3208 wrote to memory of 4664 | 3208 | cmd.exe | 102 | 3
PID 904 wrote to memory of 3980 | 904 | cmd.exe | 104 | 3
PID 2348 wrote to memory of 1924 | 2348 | Photo01 By gpj.scr | 103 | 3
Processes

Tree as recorded by the sandbox. Indentation is depth; each entry gives the image path and PID, the command line, and the signatures attached to that process.

C:\Users\Admin\AppData\Local\Temp\Photo01 By gpj.scr (PID 2348)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Photo01 By gpj.scr" /S
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Photo01 By gpj.scr (PID 1532)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Photo01 By gpj.scr"
    Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 904)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Updbsp01.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Updbsp01.exe:*:Enabled:Windows Messanger" /f
      Signatures: Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (PID 3980)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Updbsp01.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Updbsp01.exe:*:Enabled:Windows Messanger" /f
        Signatures: Modifies firewall policy service; Modifies registry key

    C:\Windows\SysWOW64\cmd.exe (PID 3208)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      Signatures: Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (PID 4664)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        Signatures: Modifies firewall policy service; Modifies registry key

    C:\Windows\SysWOW64\cmd.exe (PID 2396)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Photo01 By ????gpj.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Photo01 By ????gpj.exe:*:Enabled:Windows Messanger" /f
      Signatures: Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (PID 1480)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Photo01 By ????gpj.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Photo01 By ????gpj.exe:*:Enabled:Windows Messanger" /f
        Signatures: Modifies firewall policy service; Modifies registry key

    C:\Windows\SysWOW64\cmd.exe (PID 1380)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe (PID 1924)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YICsc.vbs"

C:\Windows\SysWOW64\reg.exe (PID 4796)
  Shown at depth 1 in the report; the WriteProcessMemory rows record cmd.exe PID 1380 as its parent.
  Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  Signatures: Modifies firewall policy service; Modifies registry key
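Read together, the SetThreadContext row, the WriteProcessMemory rows and the tree above record the sample launching a second copy of its own image (PID 1532), writing into it eight times and resetting a thread context, after which the child, not the parent, enables every privilege, installs hooks and spawns the four cmd.exe / reg.exe chains. The sandbox also logs WriteProcessMemory for ordinary child launches (2348 into WScript.exe 1924, each cmd.exe into its reg.exe), so "parent wrote to child" alone is not evidence of injection; the combination of a write and a SetThreadContext from the parent is. The following is an added example, not code from the report or the sandbox: it rebuilds the tree from the report's rows and tags that combination. CREATES, WRITES and SETCTX are transcribed from the page (one edge per distinct pair; the report repeats each write row three times, and the parent of reg.exe 4796 is taken from its WriteProcessMemory row).

```python
"""Rebuild the Triage process tree and tag the parent-writes-then-sets-context pattern.

Added example, not part of the report. CREATES, WRITES and SETCTX are transcribed
from the Processes section and the WriteProcessMemory / SetThreadContext rows.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int | None
    image: str
    children: list[int] = field(default_factory=list)
    written_by: set[int] = field(default_factory=set)   # WriteProcessMemory sources
    ctx_set_by: set[int] = field(default_factory=set)   # SetThreadContext sources
    tags: list[str] = field(default_factory=list)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def build(creates, writes, setctx) -> dict[int, Proc]:
    """creates: (pid, parent pid or None, image); writes/setctx: (source pid, target pid)."""
    procs = {pid: Proc(pid, ppid, image) for pid, ppid, image in creates}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p.pid)
    for src, dst in writes:
        if dst in procs:
            procs[dst].written_by.add(src)
    for src, dst in setctx:
        if dst in procs:
            procs[dst].ctx_set_by.add(src)
    return procs


def flag_injection(procs: dict[int, Proc]) -> list[tuple[int, int, str]]:
    """A parent that both wrote into a child and reset one of its threads is the
    hollowing/injection shape. WriteProcessMemory alone also occurs on any normal
    CreateProcess, so both edges are required before a process is tagged."""
    hits = []
    for p in procs.values():
        if p.ppid is not None and p.ppid in p.written_by and p.ppid in p.ctx_set_by:
            same = basename(procs[p.ppid].image) == basename(p.image)
            kind = "hollowed copy of parent image" if same else "injected by parent"
            p.tags.append(kind)
            hits.append((p.ppid, p.pid, kind))
    return hits


def render(procs: dict[int, Proc], pid: int, depth: int = 0) -> list[str]:
    p = procs[pid]
    tag = f"  [{'; '.join(p.tags)}]" if p.tags else ""
    lines = [f"{'  ' * depth}{basename(p.image)} (PID {p.pid}){tag}"]
    for child in p.children:
        lines.extend(render(procs, child, depth + 1))
    return lines


def roots(procs: dict[int, Proc]) -> list[int]:
    return [p.pid for p in procs.values() if p.ppid not in procs]


def analyze(creates, writes, setctx):
    procs = build(creates, writes, setctx)
    hits = flag_injection(procs)
    lines = [line for r in roots(procs) for line in render(procs, r)]
    return procs, hits, lines


SCR = r"C:\Users\Admin\AppData\Local\Temp\Photo01 By gpj.scr"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"

# (pid, parent pid, image), from the report's tree; 4796's parent from the 1380 -> 4796 write row.
CREATES = [
    (2348, None, SCR), (1532, 2348, SCR),
    (904, 1532, CMD), (3980, 904, REG),
    (3208, 1532, CMD), (4664, 3208, REG),
    (2396, 1532, CMD), (1480, 2396, REG),
    (1380, 1532, CMD), (4796, 1380, REG),
    (1924, 2348, WSCRIPT),
]
WRITES = [(2348, 1532), (1532, 1380), (1532, 2396), (1532, 3208), (1532, 904),
          (1380, 4796), (2396, 1480), (3208, 4664), (904, 3980), (2348, 1924)]
SETCTX = [(2348, 1532)]

if __name__ == "__main__":
    _, hits, lines = analyze(CREATES, WRITES, SETCTX)
    print("\n".join(lines))
    for parent, child, kind in hits:
        print(f"{parent} -> {child}: {kind}")
```

On the report's rows only 1532 is tagged, as a hollowed copy of the parent's image; WScript.exe 1924 and the reg.exe children are written to but never have a context set, so they stay untagged. Feed the same three edge lists from Sysmon (event 1 for creates, event 8/10 style telemetry or an EDR's thread-context events for the other two) and the rule transfers unchanged.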
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 399B
MD5: ce01be7699a958d0bc7ed4d3207b49d7
SHA1: 006dd08cb31da33ab0f54baa30f8d28e34dd83de
SHA256: 0c9b78079d5172366b8806bffcb293a7b42bf83850148e5509ebe566e01e585a
SHA512: 7a0d92283cb9317bf99e14df7d8ae0eaa17af007177a231f974c95a924f67d2cd40600ffd051ef55eb6258720ebb8500b56e482d8e512b128eb184f2d0490c08