Analysis
max time kernel: 148s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 01:08
Static task: static1
Behavioral task: behavioral1
  Sample: 1f4dff7c3f155ecf672fcc5258001a5e.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 1f4dff7c3f155ecf672fcc5258001a5e.exe
  Resource: win10v2004-20231215-en
General
Target: 1f4dff7c3f155ecf672fcc5258001a5e.exe
Size: 72KB
MD5: 1f4dff7c3f155ecf672fcc5258001a5e
SHA1: 28f33ba3ff471cd4979b66049096b3f26034599d
SHA256: 8e39ea0fcd41322b3523eb56e6353e7234e7d4754fb0e8cd48a102e4f7883790
SHA512: 805196d794c37e4f89e35828defce05e42fa30906df64f4d96335668c4dbaac3383e8fab66481c01a677ff0cab37f06731bb842178a1f03090a6bd54bd4b2174
SSDEEP: 1536:73i6EBXlLOUp5/HNi/SZKWcb+sp9NLMXy3i6EP:0LOUp5/HNi/SQ5Csp9NLa
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 1f4dff7c3f155ecf672fcc5258001a5e.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Admin.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Admin.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Admin.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Admin.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Admin.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | 1f4dff7c3f155ecf672fcc5258001a5e.exe

Drops startup file (7 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe | Admin.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe | Admin.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe | Admin.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe | Admin.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe | Admin.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe | 1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe | 1f4dff7c3f155ecf672fcc5258001a5e.exe

Executes dropped EXE (5 IoCs)
pid | Process
1220 | Admin.exe
4908 | Admin.exe
3772 | Admin.exe
4604 | Admin.exe
4848 | Admin.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system3 = "C:\\Users\\Public\\Documents\\Admin.exe" | 1f4dff7c3f155ecf672fcc5258001a5e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system5 = "C:\\ProgramData\\Admin.exe" | 1f4dff7c3f155ecf672fcc5258001a5e.exe

Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\M: | 1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only) | \??\Q: | Admin.exe
File opened (read-only) | \??\R: | Admin.exe
File opened (read-only) | \??\A: | Admin.exe
File opened (read-only) | \??\K: | Admin.exe
File opened (read-only) | \??\N: | 1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only) | \??\V: | 1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only) | \??\S: | Admin.exe
File opened (read-only) | \??\I: | Admin.exe
File opened (read-only) | \??\P: | Admin.exe
File opened (read-only) | \??\M: | Admin.exe
File opened (read-only) | \??\T: | Admin.exe
File opened (read-only) | \??\V: | Admin.exe
File opened (read-only) | \??\U: | Admin.exe
File opened (read-only) | \??\A: | Admin.exe
File opened (read-only) | \??\I: | Admin.exe
File opened (read-only) | \??\N: | Admin.exe
File opened (read-only) | \??\O: | Admin.exe
File opened (read-only) | \??\I: | 1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only) | \??\P: | 1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only) | \??\M: | Admin.exe
File opened (read-only) | \??\T: | Admin.exe
File opened (read-only) | \??\J: | Admin.exe
File opened (read-only) | \??\R: | Admin.exe
File opened (read-only) | \??\U: | Admin.exe
File opened (read-only) | \??\H: | Admin.exe
File opened (read-only) | \??\O: | 1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only) | \??\M: | Admin.exe
File opened (read-only) | \??\O: | Admin.exe
File opened (read-only) | \??\E: | Admin.exe
File opened (read-only) | \??\S: | 1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only) | \??\K: | Admin.exe
File opened (read-only) | \??\O: | Admin.exe
File opened (read-only) | \??\O: | Admin.exe
File opened (read-only) | \??\K: | Admin.exe
File opened (read-only) | \??\L: | Admin.exe
File opened (read-only) | \??\K: | Admin.exe
File opened (read-only) | \??\A: | Admin.exe
File opened (read-only) | \??\M: | Admin.exe
File opened (read-only) | \??\J: | 1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only) | \??\U: | Admin.exe
File opened (read-only) | \??\M: | Admin.exe
File opened (read-only) | \??\T: | Admin.exe
File opened (read-only) | \??\H: | Admin.exe
File opened (read-only) | \??\K: | Admin.exe
File opened (read-only) | \??\S: | Admin.exe
File opened (read-only) | \??\J: | Admin.exe
File opened (read-only) | \??\S: | Admin.exe
File opened (read-only) | \??\A: | 1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only) | \??\S: | Admin.exe
File opened (read-only) | \??\T: | Admin.exe
File opened (read-only) | \??\J: | Admin.exe
File opened (read-only) | \??\A: | Admin.exe
File opened (read-only) | \??\N: | Admin.exe
File opened (read-only) | \??\V: | Admin.exe
File opened (read-only) | \??\N: | Admin.exe
File opened (read-only) | \??\B: | 1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only) | \??\K: | 1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only) | \??\G: | Admin.exe
File opened (read-only) | \??\Q: | Admin.exe
File opened (read-only) | \??\A: | Admin.exe
File opened (read-only) | \??\L: | Admin.exe
File opened (read-only) | \??\R: | Admin.exe
File opened (read-only) | \??\E: | Admin.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (6 IoCs)
pid | Process
4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe
1220 | Admin.exe
4908 | Admin.exe
3772 | Admin.exe
4848 | Admin.exe
4604 | Admin.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe
1220 | Admin.exe
4908 | Admin.exe
3772 | Admin.exe
4604 | Admin.exe
4848 | Admin.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 4148 wrote to memory of 1220 | 4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe | 91
PID 4148 wrote to memory of 1220 | 4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe | 91
PID 4148 wrote to memory of 1220 | 4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe | 91
PID 4148 wrote to memory of 4908 | 4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe | 92
PID 4148 wrote to memory of 4908 | 4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe | 92
PID 4148 wrote to memory of 4908 | 4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe | 92
PID 4148 wrote to memory of 3772 | 4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe | 93
PID 4148 wrote to memory of 3772 | 4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe | 93
PID 4148 wrote to memory of 3772 | 4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe | 93
PID 4148 wrote to memory of 4604 | 4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe | 94
PID 4148 wrote to memory of 4604 | 4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe | 94
PID 4148 wrote to memory of 4604 | 4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe | 94
PID 4148 wrote to memory of 4848 | 4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe | 95
PID 4148 wrote to memory of 4848 | 4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe | 95
PID 4148 wrote to memory of 4848 | 4148 | 1f4dff7c3f155ecf672fcc5258001a5e.exe | 95

Processes
C:\Users\Admin\AppData\Local\Temp\1f4dff7c3f155ecf672fcc5258001a5e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f4dff7c3f155ecf672fcc5258001a5e.exe"
  PID: 4148
  - Modifies visibility of file extensions in Explorer
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe (depth 2)
      Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
      PID: 1220
      - Modifies visibility of file extensions in Explorer
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe (depth 2)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
      PID: 4908
      - Modifies visibility of file extensions in Explorer
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
    C:\Users\Public\Documents\Admin.exe (depth 2)
      Command line: "C:\Users\Public\Documents\Admin.exe"
      PID: 3772
      - Modifies visibility of file extensions in Explorer
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Admin.exe (depth 2)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Admin.exe"
      PID: 4604
      - Modifies visibility of file extensions in Explorer
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
    C:\ProgramData\Admin.exe (depth 2)
      Command line: "C:\ProgramData\Admin.exe"
      PID: 4848
      - Modifies visibility of file extensions in Explorer
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (2)
Downloads
Filesize: 72KB
MD5: 1f4dff7c3f155ecf672fcc5258001a5e
SHA1: 28f33ba3ff471cd4979b66049096b3f26034599d
SHA256: 8e39ea0fcd41322b3523eb56e6353e7234e7d4754fb0e8cd48a102e4f7883790
SHA512: 805196d794c37e4f89e35828defce05e42fa30906df64f4d96335668c4dbaac3383e8fab66481c01a677ff0cab37f06731bb842178a1f03090a6bd54bd4b2174