Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24/12/2023, 16:58
Static task: static1
Behavioral task: behavioral1
- Sample: 06f86a1f619231fad1708e9422c08f14.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 06f86a1f619231fad1708e9422c08f14.exe
- Resource: win10v2004-20231215-en
General
- Target: 06f86a1f619231fad1708e9422c08f14.exe
- Size: 93KB
- MD5: 06f86a1f619231fad1708e9422c08f14
- SHA1: a2e8fd1f8b51b624d94ea36e15d2bc8766b677af
- SHA256: 2f16b2a5a282fcf985cd3f5c63ccaf3942adcd9dce862724ba5d570c41e415ab
- SHA512: 50063d3403edad0d088e347b563b02d6a0421dd6ba29c7c123e1212a5a2584e5a9f34bce0ac8d2cb7199c165c2b76d68523d6754f044a9203bf2f9b16436ccf4
- SSDEEP: 1536:uwH8uLlr3QF/GTqg8HLhobQLAfm5b8HLljs2mwEhstzWrY1:HPLlr39Og8HlKQLAfMmLljJmwEixWrq
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2364, Process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2776, Process gelet.exe
- Loads dropped DLL (2 IoCs)
  pid 2184, Process 06f86a1f619231fad1708e9422c08f14.exe (2 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4E8F31F7-F244-FC7E-34DB-BDE4BDB76D75} = "C:\\Users\\Admin\\AppData\\Roaming\\Lyuls\\gelet.exe", Process gelet.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2184 (06f86a1f619231fad1708e9422c08f14.exe) set thread context of 2364, procid_target 30
- Modifies Internet Explorer settings
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Privacy, Process 06f86a1f619231fad1708e9422c08f14.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0", Process 06f86a1f619231fad1708e9422c08f14.exe
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid 2776, Process gelet.exe (32 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeSecurityPrivilege, pid 2184, Process 06f86a1f619231fad1708e9422c08f14.exe (3 events)
- Suspicious use of WriteProcessMemory (43 IoCs)
  PID 2184 (06f86a1f619231fad1708e9422c08f14.exe) wrote to memory of 2776, procid_target 28 (4 events)
  PID 2776 (gelet.exe) wrote to memory of 1088, procid_target 13 (5 events)
  PID 2776 (gelet.exe) wrote to memory of 1176, procid_target 12 (5 events)
  PID 2776 (gelet.exe) wrote to memory of 1208, procid_target 11 (5 events)
  PID 2776 (gelet.exe) wrote to memory of 2156, procid_target 9 (5 events)
  PID 2776 (gelet.exe) wrote to memory of 2184, procid_target 20 (5 events)
  PID 2184 (06f86a1f619231fad1708e9422c08f14.exe) wrote to memory of 2364, procid_target 30 (9 events)
  PID 2776 (gelet.exe) wrote to memory of 1948, procid_target 31 (5 events)
Processes
- C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (PID:2156)
- C:\Windows\Explorer.EXE (PID:1208)
  - C:\Users\Admin\AppData\Local\Temp\06f86a1f619231fad1708e9422c08f14.exe (PID:2184)
    Loads dropped DLL
    Suspicious use of SetThreadContext
    Modifies Internet Explorer settings
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Lyuls\gelet.exe (PID:2776)
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe, command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp22f1fd9c.bat" (PID:2364)
      Deletes itself
- C:\Windows\system32\Dwm.exe (PID:1176)
- C:\Windows\system32\taskhost.exe (PID:1088)
- C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} (PID:1948)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 243B
  MD5: 9045819fb6246ca7572d83bcac3e2928
  SHA1: 58d87029d882ea77b871a5992b43a3a5bdf7b970
  SHA256: ef3a4c42f3bda2f503b5784afa54d93ecac53fd12ce9fce0f026a0f56a3adf25
  SHA512: f7dc698e8ea1cb172b0c575f0b50afa39c3da6b306817118e836edbd20e5066f0a8f0ea7f60a63d041ff0b2af5825ecf5482f5ac4f3a92d1511c5b0ceb6d7a17
- Filesize: 366B
  MD5: afa768a70f82121e26a345decac6c63f
  SHA1: 4edef8a57f40d47396e166ae0a2561edd3ab7af0
  SHA256: d6dd60a3d94f7db742b972f7ab0c25785ce07e8e2668d164c42c672ea0829697
  SHA512: 014e5350ce92a3668c15f67c73e2fb4e9c4f212c189efc4aeee1cd244d2d0a8672df1c74429eb6d0581ebc810dc007d83dc230a87157b51ef547d34cbdc7ce48
- Filesize: 93KB
  MD5: 26a2f6edf661df78c0759442a2cb8113
  SHA1: 4083219d329500c6f4a65767dcc3b796dcd56464
  SHA256: 03db03742dcdab6ce6a5c43266d0ae77fabe8ede4dc3a347a5710505abc95832
  SHA512: 69b1fa6a5b78d5fcbb9fd3f2ac66f2fe2fb67ae297e8854d790d45d76df53acc2dcb43738dc0d7e566c05e0590044aca1a924a99836dfbf360caa23adcd0f212