Analysis
max time kernel: 4s
max time network: 92s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 12:45

Static task: static1

Behavioral task: behavioral1
Sample: 1f8187292660e4ab4a567f917ed5fee8.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 1f8187292660e4ab4a567f917ed5fee8.exe
Resource: win10v2004-20231215-en
General
Target: 1f8187292660e4ab4a567f917ed5fee8.exe
Size: 5.5MB
MD5: 1f8187292660e4ab4a567f917ed5fee8
SHA1: 832442b51532bff1a93b62e8a64509d81ea58294
SHA256: 067454e4c56e421442cd036923c2a8b7f60f4f4ce59f4243160d36f959d1bff1
SHA512: be84f01f27898e933be08e5cbe75a2cdf976f5dc99876bf67171fb9c94b25863e41a823aef89ca52c3d87694ca4eb065425b1312a64baea78ca70de673a76330
SSDEEP: 98304:gvSYro+waPiQjmjP028bc0TtJEJNx5DJXMWbD0nLWI9HJn6wz6+Ln7kr+qrRW6Ja:WpUwjmjc28Imk3jsymJn62t3UE6llYn
Signatures

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{89820200-ECBD-11CF-8B85-00AA005B4340} | 1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{89820200-ECBD-11CF-8B85-00AA005B4383} | 1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{89B4C1CD-B018-4511-B0A1-5476DBF70820} | 1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{8A69D345-D564-463C-AFF1-A69D9E530F96} | 1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | 1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Active Setup\Installed Components | 1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} | 1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{6BF52A52-394A-11D3-B153-00C04F79FAA6} | 1f8187292660e4ab4a567f917ed5fee8.tmp

Executes dropped EXE (1 IoC)
pid | Process
4980 | 1f8187292660e4ab4a567f917ed5fee8.tmp

Loads dropped DLL (2 IoCs)
pid | Process
4980 | 1f8187292660e4ab4a567f917ed5fee8.tmp
4980 | 1f8187292660e4ab4a567f917ed5fee8.tmp

Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 9 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 17 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 30 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 31 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
4664 | powershell.exe
4664 | powershell.exe
4664 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4664 | powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3076 wrote to memory of 4980 | 3076 | 1f8187292660e4ab4a567f917ed5fee8.exe | 90
PID 3076 wrote to memory of 4980 | 3076 | 1f8187292660e4ab4a567f917ed5fee8.exe | 90
PID 3076 wrote to memory of 4980 | 3076 | 1f8187292660e4ab4a567f917ed5fee8.exe | 90
PID 4980 wrote to memory of 5076 | 4980 | 1f8187292660e4ab4a567f917ed5fee8.tmp | 95
PID 4980 wrote to memory of 5076 | 4980 | 1f8187292660e4ab4a567f917ed5fee8.tmp | 95
PID 4980 wrote to memory of 5076 | 4980 | 1f8187292660e4ab4a567f917ed5fee8.tmp | 95
PID 5076 wrote to memory of 4664 | 5076 | cmd.exe | 97
PID 5076 wrote to memory of 4664 | 5076 | cmd.exe | 97
PID 5076 wrote to memory of 4664 | 5076 | cmd.exe | 97
Processes

1. C:\Users\Admin\AppData\Local\Temp\1f8187292660e4ab4a567f917ed5fee8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1f8187292660e4ab4a567f917ed5fee8.exe"
- Suspicious use of WriteProcessMemory
PID: 3076

2. C:\Users\Admin\AppData\Local\Temp\is-GMQMH.tmp\1f8187292660e4ab4a567f917ed5fee8.tmp
Command line: "C:\Users\Admin\AppData\Local\Temp\is-GMQMH.tmp\1f8187292660e4ab4a567f917ed5fee8.tmp" /SL5="$11006A,5495633,56832,C:\Users\Admin\AppData\Local\Temp\1f8187292660e4ab4a567f917ed5fee8.exe"
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 4980

3. C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-DFR5P.tmp\ex.bat""
- Suspicious use of WriteProcessMemory
PID: 5076

4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4664
Downloads

Filesize: 786B
MD5: 63535b5c3c87f0aee85a2aa05a288f8f
SHA1: a614a06b8d4a1b7ca823ba0296b6a0cd23196bd1
SHA256: 01bdde5ada766b11a07fd82bb8e8f3d5cb8c3d51db4546dee045cef6a6469630
SHA512: 2d764d8f2c45f27329ee268b80cd275835ef4e5e0c264c23186fad8323164db7ac319c3a9c62693f5b6ee61a1982cee6730d4c68ff08974b45974685e6075553

Filesize: 200KB
MD5: d82a429efd885ca0f324dd92afb6b7b8
SHA1: 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256: b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512: 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Filesize: 693KB
MD5: 160db79a135d5f5eb6e5f504ed4c38c9
SHA1: 8ded92aa5a701cbea1b3d0ba64bce647bf89f008
SHA256: f6520eeff2df974d976fc2c7237536b69d238b5e462927565d539faf3a6fd82c
SHA512: 6f1c9238de82db7596a9ac9052613c08c3a30af8b7e1a869333da7ca221ea5393a86088de4394ae408a9e2d4a792ad688f21df97066067195a2427d581642ebe

Filesize: 305KB
MD5: 4fa60e8a7a4dd42b07939ab72b39fe37
SHA1: f237094146fffddb8a1f6bf015f8bbf44f5af018
SHA256: f8a9bbbf61782f700ecf398510a07fc6c9df6fdde9c73602abc041c878990770
SHA512: 1e091e6b336d24799b15228766ec744d0c9b742b058886156e8f8aff2d79248ce36827ff4d57ed50e3475f8c61f98886f8473f36240f81988374a3f04cbe11d1