Analysis
  max time kernel     1s
  max time network    150s
  platform            windows10-2004_x64
  resource            win10v2004-20231222-en
  resource tags       arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  submitted           28/12/2023, 22:53
Static task
  static1

Behavioral task  behavioral1
  Sample    fe196add855b16dc1b8e80729610a4e0.exe
  Resource  win7-20231129-en

Behavioral task  behavioral2
  Sample    fe196add855b16dc1b8e80729610a4e0.exe
  Resource  win10v2004-20231222-en
General
  Target   fe196add855b16dc1b8e80729610a4e0.exe
  Size     3.6MB
  MD5      fe196add855b16dc1b8e80729610a4e0
  SHA1     f44efb48cda5958e5603b36d1a59709a847fc0e7
  SHA256   1545645f6c5ecc9f14ee924de8ad3dea051e24a8fca9b34beedf958cae0c1b90
  SHA512   78285eb98cefe794720d198509e4ccacfead6546dd0d70594bc137a41c99b6db2d8f5db1a5b674283396165b5fda7a970d34dff376dead59ba67c5e583e2075a
  SSDEEP   98304:qGk6+Wzyy2Js1c8YlQvtGSpQVYQahXSj68h761:DtZz9msbEbvVY06CQ
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 1664  fe196add855b16dc1b8e80729610a4e0.tmp

Enumerates processes with tasklist (1 TTP, 21 IoCs)
  tasklist.exe, PIDs: 1092, 3784, 2116, 1188, 1668, 1156, 3580, 764, 1496, 4316, 2004, 1972, 3372, 3816, 1524, 5088, 4504, 1184, 3176, 3688, 2620

Gathers network information (2 TTPs, 5 IoCs)
  Uses commandline utility to view network configuration.
  NETSTAT.EXE, PIDs: 3468, 4552, 4264, 5004, 2216

Script User-Agent (6 IoCs)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, flows 34, 38, 20, 26, 29, 31: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1184  tasklist.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1184  tasklist.exe  Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
  source PID  source process                        target PID  procid_target  recorded
  3472        fe196add855b16dc1b8e80729610a4e0.exe  1664        22             3 times
  1664        fe196add855b16dc1b8e80729610a4e0.tmp  2280        25             3 times
  2280        cmd.exe                               1184        141            3 times
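The signatures above summarise two probing routines that are visible in the process tree: CheckProc.cmd wraps one `tasklist /FI "IMAGENAME eq <name>" /FO CSV` call per name it is handed (Wireshark, Fiddler, Procmon, OllyDbg, Regshot, Task Manager, regedit, TeamViewer, DFServ, Unchecky and others), and separate `cmd /C netstat -na | findstr /C:":59xx " | findstr /C:"ESTABLISHED"` pipelines look for live connections on TCP 5900 to 5904, the RFB/VNC display ports, so an established session there suggests the machine is being viewed remotely. Two details matter when writing detection for this. The image is C:\Windows\SysWOW64\cmd.exe while the command line names C:\Windows\system32\cmd.exe: the installer is 32-bit and WoW64 file-system redirection maps the call, so match on both paths. And the sandbox links processes by bare PID, which it reuses (3176, 3184, 1184, 2328 and 2620 each appear twice as different images), so correlate on a process GUID or PID plus creation time, never PID alone. The following is an added example, not code from the report or from the sample: a Python sketch that applies these checks to constructed Sysmon-style events (pid, ppid, image, cmd), groups them by the root of the parent chain and reports a tree once it has probed three or more analysis tools or any VNC display port. The tool names come from the tree in this report; the event layout, the threshold and the sample events are my assumptions.

```python
"""Detection logic for the tasklist/netstat probing summarised in the signatures.

Added example, not code from the report or from the sample. It runs over
constructed process-creation events shaped like Sysmon Event ID 1 fields
(ProcessId, ParentProcessId, Image, CommandLine) and flags a process tree that
queries several analysis tools by image name with `tasklist /FI` or checks
`netstat -na` for ESTABLISHED connections on the VNC display port range.
"""
import re
from collections import defaultdict

# Image names the sample queried, taken from the process tree in this report.
ANALYSIS_TOOLS = {
    "wireshark.exe", "fiddler.exe", "capsa.exe", "ipscan.exe", "procmon.exe",
    "ollydbg.exe", "regshot-x64-unicode.exe", "regshot-unicode.exe",
    "taskmgr.exe", "regedit.exe", "process monitor*",
}
# Remote-control and sandbox-hardening software it also queried.
REMOTE_OR_HARDENING = {
    "teamviewer_desktop.exe", "dfserv.exe", "hma! pro vpn.exe",
    "unchecky_svc.exe", "unchecky_gb.exe",
}

# tasklist /FI "IMAGENAME eq foo.exe"  or  tasklist /FI "WINDOWTITLE eq Foo*"
TASKLIST_FILTER = re.compile(
    r'tasklist\s+/FI\s+"(?P<field>IMAGENAME|WINDOWTITLE)\s+eq\s+(?P<value>[^"]+)"', re.I)
# netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"
NETSTAT_PORT = re.compile(
    r'netstat\s+-na\s*\|\s*findstr\s+/C:":(?P<port>\d+)\s*"\s*\|\s*findstr\s+/C:"ESTABLISHED"',
    re.I)


def parse_tasklist_probe(cmdline):
    """Return (filter field, queried value in lower case) or None."""
    m = TASKLIST_FILTER.search(cmdline)
    if not m:
        return None
    return m["field"].upper(), m["value"].strip().lower()


def parse_netstat_probe(cmdline):
    """Return the TCP port grepped out of netstat output, or None."""
    m = NETSTAT_PORT.search(cmdline)
    return int(m["port"]) if m else None


def find_probe_trees(events, min_tools=3):
    """Group events by the root of their parent chain and return the trees that
    probed at least `min_tools` analysis tools or any VNC display port.

    Keying on the bare PID is adequate for one short-lived tree; production
    code should key on a process GUID, because the report shows the sandbox
    reusing PIDs (3176 is tasklist.exe, gentlemjmp_irow.tmp and findstr.exe).
    """
    by_pid = {e["pid"]: e for e in events}

    def root_of(pid):
        seen = set()
        while pid not in seen and by_pid[pid]["ppid"] in by_pid:
            seen.add(pid)
            pid = by_pid[pid]["ppid"]
        return pid

    trees = defaultdict(lambda: {"tools": set(), "other": set(), "vnc_ports": set()})
    for e in events:
        root = root_of(e["pid"])
        probe = parse_tasklist_probe(e["cmd"])
        if probe:
            name = probe[1]
            if name in ANALYSIS_TOOLS:
                trees[root]["tools"].add(name)
            elif name in REMOTE_OR_HARDENING:
                trees[root]["other"].add(name)
        port = parse_netstat_probe(e["cmd"])
        if port is not None and 5900 <= port <= 5999:   # RFB/VNC display ports
            trees[root]["vnc_ports"].add(port)

    return {root: t for root, t in trees.items()
            if len(t["tools"]) >= min_tools or t["vnc_ports"]}


T = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\SysWOW64\cmd.exe"       # image after WoW64 redirection of system32\cmd.exe
TL = r"C:\Windows\SysWOW64\tasklist.exe"

# Constructed events modelled on the tree in this report (not a sandbox export).
SAMPLE_EVENTS = [
    dict(pid=3472, ppid=900, image=T + r"\fe196add855b16dc1b8e80729610a4e0.exe",
         cmd='"' + T + r'\fe196add855b16dc1b8e80729610a4e0.exe"'),
    dict(pid=1664, ppid=3472, image=T + r"\is-1JQJ6.tmp\fe196add855b16dc1b8e80729610a4e0.tmp",
         cmd='"' + T + r'\is-1JQJ6.tmp\fe196add855b16dc1b8e80729610a4e0.tmp" /SL5="$80092,3326047,56832,'
             + T + r'\fe196add855b16dc1b8e80729610a4e0.exe"'),
    dict(pid=4252, ppid=1664, image=CMD, cmd=r'"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""'),
    dict(pid=2024, ppid=4252, image=CMD, cmd=r'C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV'),
    dict(pid=1188, ppid=2024, image=TL, cmd=r'tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV'),
    dict(pid=4064, ppid=1664, image=CMD, cmd=r'"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""'),
    dict(pid=2188, ppid=4064, image=CMD, cmd=r'C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV'),
    dict(pid=3388, ppid=1664, image=CMD, cmd=r'"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""'),
    dict(pid=4720, ppid=3388, image=CMD, cmd=r'C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV'),
    dict(pid=1972, ppid=4720, image=TL, cmd=r'tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV'),
    dict(pid=3184, ppid=1664, image=CMD, cmd=r'"C:\Windows\system32\cmd.exe" /c tasklist /FI "WINDOWTITLE eq Process Monitor*" |find "PID"'),
    dict(pid=224, ppid=1664, image=CMD, cmd=r'"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"'),
    dict(pid=5004, ppid=224, image=r"C:\Windows\SysWOW64\NETSTAT.EXE", cmd="netstat -na"),
    # Benign control: an administrator checking a single process from a shell.
    dict(pid=7001, ppid=7000, image=TL, cmd=r'tasklist /FI "IMAGENAME eq notepad.exe" /FO CSV'),
]

if __name__ == "__main__":
    for root, t in find_probe_trees(SAMPLE_EVENTS).items():
        print(f"root PID {root}: tools={sorted(t['tools'])} "
              f"other={sorted(t['other'])} vnc_ports={sorted(t['vnc_ports'])}")
```

The threshold keeps a lone `tasklist /FI` from an administrator out of the result; what makes the sample stand out is the breadth of the list (a dozen distinct tool names from one installer tree) together with the VNC port sweep, and the same grouping logic works on real Sysmon or 4688 data once the parent chain is keyed on something more stable than the PID.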
Processes
(indented by recorded parent/child depth; entries at the left margin have no recorded parent)

PID 3472  C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0.exe"
    - Suspicious use of WriteProcessMemory
    PID 1664  C:\Users\Admin\AppData\Local\Temp\is-1JQJ6.tmp\fe196add855b16dc1b8e80729610a4e0.tmp
        cmd: "C:\Users\Admin\AppData\Local\Temp\is-1JQJ6.tmp\fe196add855b16dc1b8e80729610a4e0.tmp" /SL5="$80092,3326047,56832,C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID 2280  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-U8IQC.tmp\ex.bat""
            - Suspicious use of WriteProcessMemory
            PID 1184  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
        PID 2344  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
            PID 3400  C:\Windows\SysWOW64\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
        PID 5116  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        PID 3672  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        PID 4252  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
            PID 2024  C:\Windows\SysWOW64\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
                PID 1188  C:\Windows\SysWOW64\tasklist.exe
                    cmd: tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
                    - Enumerates processes with tasklist
        PID 4064  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
            PID 2188  C:\Windows\SysWOW64\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
        PID 3388  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
            PID 4720  C:\Windows\SysWOW64\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
                PID 1972  C:\Windows\SysWOW64\tasklist.exe
                    cmd: tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
                    - Enumerates processes with tasklist
        PID 224  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"
            PID 728  C:\Windows\SysWOW64\findstr.exe
                cmd: findstr /C:"ESTABLISHED"
            PID 1524  C:\Windows\SysWOW64\findstr.exe
                cmd: findstr /C:":5901 "
            PID 5004  C:\Windows\SysWOW64\NETSTAT.EXE
                cmd: netstat -na
                - Gathers network information
        PID 2100  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5904 " | findstr /C:"ESTABLISHED"
            PID 1700  C:\Windows\SysWOW64\findstr.exe
                cmd: findstr /C:"ESTABLISHED"
            PID 2604  C:\Windows\SysWOW64\findstr.exe
                cmd: findstr /C:":5904 "
            PID 3468  C:\Windows\SysWOW64\NETSTAT.EXE
                cmd: netstat -na
                - Gathers network information
        PID 3376  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
            PID 4072  C:\Windows\SysWOW64\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
        PID 2780  C:\Users\Admin\AppData\Local\Temp\is-U8IQC.tmp\gentlemjmp_irow.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\is-U8IQC.tmp\gentlemjmp_irow.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0.exe
        PID 4968  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        PID 3140  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        PID 4336  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        PID 3632  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5903 " | findstr /C:"ESTABLISHED"
        PID 688  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5902 " | findstr /C:"ESTABLISHED"
        PID 5044  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"
        PID 2620  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-U8IQC.tmp\cmd.bat""
        PID 4648  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        PID 2108  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        PID 2392  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        PID 3268  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        PID 3184  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /c tasklist /FI "WINDOWTITLE eq Process Monitor*" |find "PID"
        PID 4704  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        PID 400  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        PID 2684  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        PID 680  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        PID 2740  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        PID 2328  C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""

PID 3176  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
    - Enumerates processes with tasklist
PID 3688  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
    - Enumerates processes with tasklist
PID 3568  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
PID 2004  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
    - Enumerates processes with tasklist
PID 3372  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
    - Enumerates processes with tasklist
PID 1496  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
    - Enumerates processes with tasklist
PID 4368  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
PID 3332  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
PID 4316  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
    - Enumerates processes with tasklist
PID 3816  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
    - Enumerates processes with tasklist
PID 1668  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
    - Enumerates processes with tasklist
PID 1092  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
    - Enumerates processes with tasklist
PID 1524  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
    - Enumerates processes with tasklist
PID 2328  C:\Windows\SysWOW64\find.exe
    cmd: find "PID"
    PID 1456  C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
PID 5088  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
    - Enumerates processes with tasklist
PID 3784  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
    - Enumerates processes with tasklist
PID 4504  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
    - Enumerates processes with tasklist
PID 1156  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
    - Enumerates processes with tasklist
PID 3696  C:\Windows\SysWOW64\findstr.exe
    cmd: findstr /C:"ESTABLISHED"
PID 3580  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
    - Enumerates processes with tasklist
PID 1184  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
    - Enumerates processes with tasklist
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
PID 2116  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
    - Enumerates processes with tasklist
PID 2620  C:\Windows\SysWOW64\tasklist.exe
    cmd: tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
    - Enumerates processes with tasklist
PID 3176  C:\Users\Admin\AppData\Local\Temp\is-0CTKC.tmp\gentlemjmp_irow.tmp
    cmd: "C:\Users\Admin\AppData\Local\Temp\is-0CTKC.tmp\gentlemjmp_irow.tmp" /SL5="$270044,2930134,56832,C:\Users\Admin\AppData\Local\Temp\is-U8IQC.tmp\gentlemjmp_irow.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0.exe
    PID 4544  C:\Windows\SysWOW64\cmd.exe
        cmd: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-EN9NV.tmp\ex.bat""
PID 3184  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
    PID 764  C:\Windows\SysWOW64\tasklist.exe
        cmd: tasklist /FI "WINDOWTITLE eq Process Monitor*"
        - Enumerates processes with tasklist
PID 1864  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
PID 3704  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
PID 1520  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
PID 4720  C:\Windows\SysWOW64\findstr.exe
    cmd: findstr /C:"ESTABLISHED"
PID 1972  C:\Windows\SysWOW64\findstr.exe
    cmd: findstr /C:":5903 "
PID 4552  C:\Windows\SysWOW64\NETSTAT.EXE
    cmd: netstat -na
    - Gathers network information
PID 3448  C:\Windows\SysWOW64\findstr.exe
    cmd: findstr /C:":5902 "
PID 4264  C:\Windows\SysWOW64\NETSTAT.EXE
    cmd: netstat -na
    - Gathers network information
PID 3176  C:\Windows\SysWOW64\findstr.exe
    cmd: findstr /C:"ESTABLISHED"
PID 3352  C:\Windows\SysWOW64\findstr.exe
    cmd: findstr /C:":5900 "
PID 2216  C:\Windows\SysWOW64\NETSTAT.EXE
    cmd: netstat -na
    - Gathers network information
PID 856  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
PID 736  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
PID 3480  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
PID 2728  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
PID 728  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
PID 2636  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
PID 2136  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
PID 544  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
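The PowerShell one-liner that ex.bat launches (PID 1184, and again as PID 3184 in the tree above) asks WMI for the registered antivirus and antispyware products and prints them as displayName|productState pairs joined with *, with two special cases: on a server SKU (ProductType 3) it prints the literal ServerOS|0, and on a 5.x kernel (XP/2003) it reads root\SecurityCenter instead and prints 4096 or 0 per product, one per line, followed by an empty line from the final Write-Host. Anything that consumes this output, whether the installer's own logic or an analyst replaying it, has to cope with all three shapes. The following is an added example, not code from the report or from the sample: a Python parser for that output plus a decoder for productState that uses the widely used but undocumented byte layout (0xAABBCC, where BB of 0x10 or 0x11 means real-time protection is on and CC of 0x00 means definitions are current). That layout is an assumption, as are the sample strings, which are constructed rather than captured from this run.

```python
"""Parser for the antivirus inventory the PowerShell command reports back.

Added example, not code from the report or from the sample. The script prints
one of three shapes: "ServerOS|0" on a server SKU, one "name|4096" or "name|0"
line per product on Windows 5.x (root\\SecurityCenter), and otherwise
"name|productState*name|productState" from root\\SecurityCenter2.
productState is decoded with the commonly used, undocumented byte reading;
that interpretation is an assumption, not something the report states.
"""


def parse_av_report(text):
    """Split the script's output into (displayName, productState) pairs.

    Newlines and '*' both separate entries. Blank lines (the empty final
    Write-Host on the XP and server paths) and malformed chunks are skipped.
    """
    entries = []
    for line in text.splitlines():
        for chunk in line.split("*"):
            chunk = chunk.strip()
            if not chunk:
                continue
            name, sep, state = chunk.rpartition("|")
            if not sep or not state.isdigit():
                continue
            entries.append((name, int(state)))
    return entries


def decode_product_state(state):
    """Read a Windows Security Center productState value.

    Assumption (common heuristic, not a documented contract): in the 24-bit
    value 0xAABBCC, BB in {0x10, 0x11} means real-time protection enabled and
    CC == 0x00 means definitions are up to date. The script's XP branch emits
    the hard-coded 4096 (0x001000) for "enabled", which fits the same reading.
    """
    middle = (state >> 8) & 0xFF
    low = state & 0xFF
    return {"enabled": (middle & 0x10) != 0, "up_to_date": low == 0x00}


def summarize(text):
    """Return [(name, enabled, up_to_date), ...] for a captured report.

    ("ServerOS", None, None) means the script bailed out on a server SKU;
    an empty list means no product was reported at all.
    """
    out = []
    for name, state in parse_av_report(text):
        if name == "ServerOS":
            return [("ServerOS", None, None)]
        d = decode_product_state(state)
        out.append((name, d["enabled"], d["up_to_date"]))
    return out


# Constructed sample outputs (not captured from the sandbox run).
SAMPLE_WIN10 = "Windows Defender|397568*Some AV|393472"   # 0x061100 and 0x060100
SAMPLE_XP = "Some AV|4096\n\n"                            # per-line, then empty Write-Host
SAMPLE_SERVER = "ServerOS|0\n"

if __name__ == "__main__":
    for label, sample in (("win10", SAMPLE_WIN10), ("xp", SAMPLE_XP), ("server", SAMPLE_SERVER)):
        print(label, summarize(sample))
```

When reproducing this check on a test VM, compare the value the script prints with what the Windows Security app shows: a product listed with real-time protection off is exactly the condition an installer of this kind would look for before continuing.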