Analysis
max time kernel: 61s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 12:34
Static task: static1
Behavioral task: behavioral1
  Sample: 1eb9eea740e4165eb9ae5dcee0d72862.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 1eb9eea740e4165eb9ae5dcee0d72862.exe
  Resource: win10v2004-20231215-en
General
Target: 1eb9eea740e4165eb9ae5dcee0d72862.exe
Size: 1.2MB
MD5: 1eb9eea740e4165eb9ae5dcee0d72862
SHA1: 28dae67732b6584ef476b4c2900c40680cedacf6
SHA256: 38f9dc7d43224d245fa5c1405fb3f624e2659f28655a59fc5737973b84cc282f
SHA512: f06301398fdf04fc4a6dad837373ed421343570e87a1080c76545f62409ee5ac4efca60ec4585317a82f0def8f6a8d238985e9dbad37a336667f1d2b53b6cb6b
SSDEEP: 24576:SAQoDefT6HesrQrSDZhyZ+aan+mMfqZaRfAuYLNH9pRBFZIlPed9775:SAcGHC2ZUZ+umWea+NPpRB/Iped977
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\D3Sept.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\D3Sept.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger" | reg.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | D3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | audiadg.exe
Executes dropped EXE 4 IoCs
pid | Process
556 | sarkoth.exe
2060 | D3.exe
5068 | audiadg.exe
4980 | bcdprov.exe

resource | yara_rule
behavioral2/memory/2112-36-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral2/memory/2112-40-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral2/memory/2112-39-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral2/memory/2112-38-0x0000000000400000-0x000000000047B000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\audiadg.exe" | audiadg.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000f000000023124-7.dat | autoit_exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2060 set thread context of 2112 | 2060 | D3.exe | 117
PID 4980 set thread context of 2728 | 4980 | bcdprov.exe | 120
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry key 1 TTPs 4 IoCs
pid | Process
4160 | reg.exe
5084 | reg.exe
1404 | reg.exe
1312 | reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (64 rows; only these two pid/Process pairs occur)
2060 | D3.exe
5068 | audiadg.exe
Suspicious use of AdjustPrivilegeToken 39 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4284 | 1eb9eea740e4165eb9ae5dcee0d72862.exe
Token: SeDebugPrivilege | 2060 | D3.exe
Token: 1 | 2112 | AppLaunch.exe
Token: SeCreateTokenPrivilege | 2112 | AppLaunch.exe
Token: SeAssignPrimaryTokenPrivilege | 2112 | AppLaunch.exe
Token: SeLockMemoryPrivilege | 2112 | AppLaunch.exe
Token: SeIncreaseQuotaPrivilege | 2112 | AppLaunch.exe
Token: SeMachineAccountPrivilege | 2112 | AppLaunch.exe
Token: SeTcbPrivilege | 2112 | AppLaunch.exe
Token: SeSecurityPrivilege | 2112 | AppLaunch.exe
Token: SeTakeOwnershipPrivilege | 2112 | AppLaunch.exe
Token: SeLoadDriverPrivilege | 2112 | AppLaunch.exe
Token: SeSystemProfilePrivilege | 2112 | AppLaunch.exe
Token: SeSystemtimePrivilege | 2112 | AppLaunch.exe
Token: SeProfSingleProcessPrivilege | 2112 | AppLaunch.exe
Token: SeIncBasePriorityPrivilege | 2112 | AppLaunch.exe
Token: SeCreatePagefilePrivilege | 2112 | AppLaunch.exe
Token: SeCreatePermanentPrivilege | 2112 | AppLaunch.exe
Token: SeBackupPrivilege | 2112 | AppLaunch.exe
Token: SeRestorePrivilege | 2112 | AppLaunch.exe
Token: SeShutdownPrivilege | 2112 | AppLaunch.exe
Token: SeDebugPrivilege | 2112 | AppLaunch.exe
Token: SeAuditPrivilege | 2112 | AppLaunch.exe
Token: SeSystemEnvironmentPrivilege | 2112 | AppLaunch.exe
Token: SeChangeNotifyPrivilege | 2112 | AppLaunch.exe
Token: SeRemoteShutdownPrivilege | 2112 | AppLaunch.exe
Token: SeUndockPrivilege | 2112 | AppLaunch.exe
Token: SeSyncAgentPrivilege | 2112 | AppLaunch.exe
Token: SeEnableDelegationPrivilege | 2112 | AppLaunch.exe
Token: SeManageVolumePrivilege | 2112 | AppLaunch.exe
Token: SeImpersonatePrivilege | 2112 | AppLaunch.exe
Token: SeCreateGlobalPrivilege | 2112 | AppLaunch.exe
Token: 31 | 2112 | AppLaunch.exe
Token: 32 | 2112 | AppLaunch.exe
Token: 33 | 2112 | AppLaunch.exe
Token: 34 | 2112 | AppLaunch.exe
Token: 35 | 2112 | AppLaunch.exe
Token: SeDebugPrivilege | 5068 | audiadg.exe
Token: SeDebugPrivilege | 4980 | bcdprov.exe
Suspicious use of FindShellTrayWindow 11 IoCs
pid | Process | rows
556 | sarkoth.exe | 11

Suspicious use of SendNotifyMessage 11 IoCs
pid | Process | rows
556 | sarkoth.exe | 11

Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process | rows
2112 | AppLaunch.exe | 4
2728 | AppLaunch.exe | 2
Suspicious use of WriteProcessMemory 51 IoCs
description | pid | Process | procid_target | rows
PID 4284 wrote to memory of 556 | 4284 | Process not Found | 25 | 2
PID 4284 wrote to memory of 2060 | 4284 | Process not Found | 24 | 3
PID 2060 wrote to memory of 2112 | 2060 | D3.exe | 117 | 8
PID 2112 wrote to memory of 3652 | 2112 | AppLaunch.exe | 116 | 3
PID 2112 wrote to memory of 1280 | 2112 | AppLaunch.exe | 115 | 3
PID 2112 wrote to memory of 4680 | 2112 | AppLaunch.exe | 113 | 3
PID 2112 wrote to memory of 2360 | 2112 | AppLaunch.exe | 112 | 3
PID 2060 wrote to memory of 5068 | 2060 | D3.exe | 104 | 3
PID 2360 wrote to memory of 1312 | 2360 | cmd.exe | 111 | 3
PID 1280 wrote to memory of 4160 | 1280 | cmd.exe | 108 | 3
PID 4680 wrote to memory of 1404 | 4680 | cmd.exe | 110 | 3
PID 3652 wrote to memory of 5084 | 3652 | cmd.exe | 109 | 3
PID 5068 wrote to memory of 4980 | 5068 | audiadg.exe | 107 | 3
PID 4980 wrote to memory of 2728 | 4980 | bcdprov.exe | 120 | 8
Processes

C:\Users\Admin\AppData\Local\Temp\1eb9eea740e4165eb9ae5dcee0d72862.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1eb9eea740e4165eb9ae5dcee0d72862.exe"
  PID: 4284
  - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\Software\D3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Software\D3.exe"
      PID: 2060
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe"
          PID: 5068
          - Checks computer location settings
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\bcdprov.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\bcdprov.exe"
              PID: 4980
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

                C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  PID: 2728
                  - Suspicious use of SetWindowsHookEx

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          PID: 2112
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Software\sarkoth.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Software\sarkoth.exe"
      PID: 556
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

C:\Windows\SysWOW64\reg.exe
  Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
  PID: 4160
  - Modifies firewall policy service
  - Modifies registry key

C:\Windows\SysWOW64\reg.exe
  Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  PID: 5084
  - Modifies firewall policy service
  - Modifies registry key

C:\Windows\SysWOW64\reg.exe
  Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  PID: 1404
  - Modifies firewall policy service
  - Modifies registry key

C:\Windows\SysWOW64\reg.exe
  Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\D3Sept.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\D3Sept.exe:*:Enabled:Windows Messanger" /f
  PID: 1312
  - Modifies firewall policy service
  - Modifies registry key

C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\D3Sept.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\D3Sept.exe:*:Enabled:Windows Messanger" /f
  PID: 2360
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  PID: 4680
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
  PID: 1280
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  PID: 3652
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

Filesize: 340KB
MD5: 486fdb3d60c7811dee22742cca9f93dc
SHA1: d59ae0af20b78abfd351482cb1c93f62f4cf469f
SHA256: eacf7057eff4e24be433c7437053d5dc34b1c32e9373d723281780cbd8144c68
SHA512: 61f8eaf774678b82a494865f96c799ae1aa2ca00fd5e75b3cc28e4d802cc7343b02a7e44c8bd1d9c31f7b93441f2c5d4793eb4689458f3c81bcd5b2ae28b56f0

Filesize: 92KB
MD5: 8274897e7accfc20b281eda6072ec1dd
SHA1: ee1564c1553beca6340e155c13406dce2686af34
SHA256: 40d5eb1f8f48efaa8d82488c695d90600f9416ea6e4f7e11e3258e901cc33cc9
SHA512: d18324fc852a5ed4f330440f2a3faa9c7caaf408dd070367c058cb6be1b5c55eb31c90b0b7f93d40d26b925bbc02deb089a6580ff6a11ad4d2106c8879b7f2cf

Filesize: 93KB
MD5: 1c0ccc39fc9e09563d9e4810938a2f7c
SHA1: 82785e28f1cc7149381cf0e67f9deaa3a677d495
SHA256: 75f446fa2ca1eb9844186ad0133dce278589f7b903539ded5369918632994955
SHA512: 8118f9008f78b32e49f84e2b7ac83b68b53b48f002814991a716b937a2d02c8283941adb9bd536b536a1fe922c1d6a7df73e8d997b1c65757ae089f085ab3a98

Filesize: 11KB
MD5: 9b3848f7bd575120a33fb480774b5b6b
SHA1: 9a7ef7a9b4f946f4ddbe2fadb3c52f1fd6991045
SHA256: 271f73350c0e95d765fe1ccbf4b1fae1f7b62b62a723472a65f562ceab22d791
SHA512: 02a7364ff655f0a4345b7428f577396a8ec7347f2d8466f4d957b7dd3909baf6b7b403135450b3f142ea275452fbfb418f64f075fba11f808640479d726a73b3