Analysis
- max time kernel: 24s
- max time network: 31s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2023, 01:37
Static task: static1
Behavioral task: behavioral1 (Sample: 1.exe, Resource: win7-20231215-en)
Behavioral task: behavioral2 (Sample: 1.exe, Resource: win10v2004-20231215-en)
Errors
General
- Target: 1.exe
- Size: 271KB
- MD5: e3a6f83b5ef09c3911f9ca672e062d39
- SHA1: 027ca2c3693bcd14738d114efca5340fce93bf6e
- SHA256: 961304fdabe28cded7360df3e0415b727d7afd0bbe2d9e2ffc279e3e64da3da3
- SHA512: 74a9c8edd0599f88d4a0406f51c7c9775e74b7307e3c6fe1a8e3789794790425583d47d2869f5150966403a3a956db0a82b7d03d8488a75d7e9a0769fde17432
- SSDEEP: 6144:Me+PFF02Uc1jijsLE04OyI8Nwa7h1QBzqNwoD3AI:yXxU8nI0VyPNwg1gQ3L
Malware Config
Signatures
-
- Modifies boot configuration data using bcdedit (1 TTPs, 10 IoCs)
  pid  | Process
  4192 | bcdedit.exe
  2040 | bcdedit.exe
  1952 | bcdedit.exe
  4808 | bcdedit.exe
  4416 | bcdedit.exe
  4832 | bcdedit.exe
  4056 | bcdedit.exe
  3828 | bcdedit.exe
  3092 | bcdedit.exe
  2084 | bcdedit.exe
  Note: "bcdedit -set TESTSIGNING ON" switches the boot entry into test-signing mode, so that from the next boot the kernel accepts drivers signed with a test (non-production) certificate that Driver Signature Enforcement would otherwise reject. All ten invocations come from syshost.exe (PID 1520), the same process that drops a .sys into System32\drivers and requests SeShutdownPrivilege (see below); that combination is the usual staging sequence for loading a driver that could not load under the default signing policy. Caveat for triage: while Secure Boot is enabled, bcdedit refuses to change this setting, so on such a host the driver would not load this way without a further bypass.
- Drops file in Drivers directory (1 IoCs)
  description  | ioc                                      | Process
  File created | C:\Windows\system32\drivers\e576810.sys | syshost.exe
- Executes dropped EXE (1 IoCs)
  pid  | Process
  1520 | syshost.exe
- Drops file in Windows directory (3 IoCs)
  description                  | ioc                                                                         | Process
  File created                 | C:\Windows\Installer\{B5CEDC93-E77E-17EB-F0FC-94FCCF00A493}\syshost.exe     | 1.exe
  File opened for modification | C:\Windows\Installer\{B5CEDC93-E77E-17EB-F0FC-94FCCF00A493}\syshost.exe     | 1.exe
  File opened for modification | C:\Windows\Installer\{B5CEDC93-E77E-17EB-F0FC-94FCCF00A493}\syshost.exe.tmp | syshost.exe
- Modifies data under HKEY_USERS (15 IoCs)
  description      | ioc                                                                                                   | Process
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"           | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"               | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"                     | LogonUI.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History                      | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"               | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"      | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"                | LogonUI.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent                     | LogonUI.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                                | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"            | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"                  | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "63"                | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
- Suspicious behavior: LoadsDriver (1 IoCs)
  pid | Process
  668 | Process not Found
- Suspicious behavior: RenamesItself (1 IoCs)
  pid  | Process
  4592 | 1.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               | pid  | Process
  Token: SeShutdownPrivilege | 1520 | syshost.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid  | Process
  1416 | LogonUI.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  description                      | pid  | Process     | procid_target
  PID 4592 wrote to memory of 2252 | 4592 | 1.exe       | 105
  PID 4592 wrote to memory of 2252 | 4592 | 1.exe       | 105
  PID 4592 wrote to memory of 2252 | 4592 | 1.exe       | 105
  PID 1520 wrote to memory of 2084 | 1520 | syshost.exe | 104
  PID 1520 wrote to memory of 2084 | 1520 | syshost.exe | 104
  PID 1520 wrote to memory of 3092 | 1520 | syshost.exe | 103
  PID 1520 wrote to memory of 3092 | 1520 | syshost.exe | 103
  PID 1520 wrote to memory of 3828 | 1520 | syshost.exe | 102
  PID 1520 wrote to memory of 3828 | 1520 | syshost.exe | 102
  PID 1520 wrote to memory of 4056 | 1520 | syshost.exe | 101
  PID 1520 wrote to memory of 4056 | 1520 | syshost.exe | 101
  PID 1520 wrote to memory of 4832 | 1520 | syshost.exe | 97
  PID 1520 wrote to memory of 4832 | 1520 | syshost.exe | 97
  PID 1520 wrote to memory of 4416 | 1520 | syshost.exe | 96
  PID 1520 wrote to memory of 4416 | 1520 | syshost.exe | 96
  PID 1520 wrote to memory of 4808 | 1520 | syshost.exe | 94
  PID 1520 wrote to memory of 4808 | 1520 | syshost.exe | 94
  PID 1520 wrote to memory of 1952 | 1520 | syshost.exe | 93
  PID 1520 wrote to memory of 1952 | 1520 | syshost.exe | 93
  PID 1520 wrote to memory of 2040 | 1520 | syshost.exe | 92
  PID 1520 wrote to memory of 2040 | 1520 | syshost.exe | 92
  PID 1520 wrote to memory of 4192 | 1520 | syshost.exe | 90
  PID 1520 wrote to memory of 4192 | 1520 | syshost.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe (PID 4592, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2252, depth 2)
    Command line: cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\30625a55.tmp"
- C:\Windows\Installer\{B5CEDC93-E77E-17EB-F0FC-94FCCF00A493}\syshost.exe (PID 1520, depth 1)
  Command line: "C:\Windows\Installer\{B5CEDC93-E77E-17EB-F0FC-94FCCF00A493}\syshost.exe" /service
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\bcdedit.exe (depth 2), ten identical child processes: PIDs 4192, 2040, 1952, 4808, 4416, 4832, 4056, 3828, 3092, 2084
    Command line (each): bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
- C:\Windows\system32\LogonUI.exe (PID 1416, depth 1)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3998055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
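The behaviour in the signature list and process tree above (a .sys written into System32\drivers, "bcdedit -set TESTSIGNING ON" spawned by the same process, and an executable running out of a Windows\Installer\{GUID}\ folder) is easy to turn into hunt rules. The following is an added example, not code from tria.ge or from the sample; it runs over constructed Sysmon-style events (EventID 1 process creation, EventID 11 file creation) modelled on this report, plus two benign controls. The field names follow Sysmon's naming, the allowlist of legitimate driver writers is an assumption to tune per environment, and the rule also covers the sibling settings NOINTEGRITYCHECKS and DDISABLE_INTEGRITY_CHECKS, which this sample does not use but which weaken signing in the same way.

```python
"""Hunt rules for the driver-staging chain in this report (added example,
not tria.ge code). Events are Sysmon-style dicts: EventID 1 = process
creation, EventID 11 = file creation. SAMPLE_EVENTS is constructed from
the process tree and IoCs on the page; it is not real telemetry."""
import re
from dataclasses import dataclass

# bcdedit settings that relax kernel driver signature enforcement. The sample
# uses TESTSIGNING ON; NOINTEGRITYCHECKS and the legacy loadoptions value
# DDISABLE_INTEGRITY_CHECKS are the siblings a hunt should cover as well.
BCDEDIT_WEAKEN_RE = re.compile(
    r"bcdedit(?:\.exe)?\b.*?[/-]set\b.*?"
    r"(?:\btestsigning\s+on\b|\bnointegritychecks\s+on\b|disable_integrity_checks)",
    re.IGNORECASE,
)
# A .sys landing directly in the drivers directory.
DRIVER_DIR_RE = re.compile(r"\\windows\\system32\\drivers\\[^\\]+\.sys$", re.IGNORECASE)
# An executable living in a Windows Installer cache folder, as syshost.exe does here.
INSTALLER_CACHE_RE = re.compile(
    r"\\windows\\installer\\\{[0-9a-f-]{36}\}\\[^\\]+\.exe$", re.IGNORECASE)
# Assumption: images that legitimately write drivers in a typical fleet. Tune per environment.
DRIVER_WRITER_ALLOWLIST = {"trustedinstaller.exe", "drvinst.exe", "tiworker.exe"}

SYSHOST = r"C:\Windows\Installer\{B5CEDC93-E77E-17EB-F0FC-94FCCF00A493}\syshost.exe"
ONE_EXE = r"C:\Users\Admin\AppData\Local\Temp\1.exe"

SAMPLE_EVENTS = [  # constructed; mirrors the report, plus two benign controls
    {"EventID": 1, "ProcessId": 4592, "ParentProcessId": 100, "Image": ONE_EXE,
     "CommandLine": f'"{ONE_EXE}"'},
    {"EventID": 11, "ProcessId": 4592, "Image": ONE_EXE, "TargetFilename": SYSHOST},
    {"EventID": 1, "ProcessId": 1520, "ParentProcessId": 700, "Image": SYSHOST,
     "CommandLine": f'"{SYSHOST}" /service'},
    {"EventID": 11, "ProcessId": 1520, "Image": SYSHOST,
     "TargetFilename": r"C:\Windows\system32\drivers\e576810.sys"},
    {"EventID": 1, "ProcessId": 4192, "ParentProcessId": 1520,
     "Image": r"C:\Windows\SYSTEM32\bcdedit.exe", "CommandLine": "bcdedit.exe -set TESTSIGNING ON"},
    # benign control: the servicing stack writing a driver
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\storport.sys"},
    # benign control: an admin merely enumerating the BCD
    {"EventID": 1, "ProcessId": 950, "ParentProcessId": 960,
     "Image": r"C:\Windows\System32\bcdedit.exe", "CommandLine": "bcdedit /enum {current}"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    pid: int
    detail: str


def detect(events):
    """Return findings; the chain rule fires only when one process both drops a
    .sys into the drivers directory and spawns a signing-weakening bcdedit."""
    findings = []
    driver_droppers = set()   # PIDs that wrote a .sys into System32\drivers
    bcdedit_parents = set()   # PIDs whose child bcdedit weakened signing
    for ev in events:
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            if BCDEDIT_WEAKEN_RE.search(cmd):
                findings.append(Finding("bcdedit_weakens_driver_signing", "high", ev["ProcessId"], cmd))
                bcdedit_parents.add(ev["ParentProcessId"])
            if INSTALLER_CACHE_RE.search(ev["Image"]):
                findings.append(Finding("exe_run_from_installer_cache", "medium", ev["ProcessId"], ev["Image"]))
        elif ev["EventID"] == 11:
            target = ev["TargetFilename"]
            writer = ev["Image"].rsplit("\\", 1)[-1].lower()
            if DRIVER_DIR_RE.search(target) and writer not in DRIVER_WRITER_ALLOWLIST:
                findings.append(Finding("driver_dropped_by_unexpected_process", "high", ev["ProcessId"], target))
                driver_droppers.add(ev["ProcessId"])
    # Correlate: dropper of the .sys is also the parent of the bcdedit change.
    for pid in sorted(driver_droppers & bcdedit_parents):
        findings.append(Finding("driver_drop_then_testsigning_chain", "critical", pid,
                                "same process dropped a .sys and turned on test signing"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.rule:40} pid={f.pid} {f.detail}")
```

On the sample events this yields four findings: the medium installer-cache hit and the high driver-drop hit for PID 1520, the high bcdedit hit for PID 4192, and the critical chain finding tying them to PID 1520; neither benign control is flagged. A "bcdedit ... testsigning off" line is deliberately not matched, since turning test mode back off is cleanup rather than weakening.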
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 55KB
  MD5: 03f6308513e6fb08616a4aa334e46052
  SHA1: b35728470946eddc9c2e5cdc889dec68c31230d8
  SHA256: db5b2056bd31f23627bc6aec852d9920e75089222fe9898962f90acb9e7d4436
  SHA512: 3e27dae72bb8dc8c287c2b50bcaaefd174eda42de3e386e16f32319f2c32102bd90428cb43abd5fa187f293df023fdbdca54b474f61acd92b9c5722bf6c57901
- Filesize: 168KB
  MD5: ea996ff21eb3a2cb3547096f078bd27e
  SHA1: 3b5b79a5ed76deb55fb26cb023e731cea768adfb
  SHA256: 226b92adfb061a1646f757c27a5ee9926af0479df2d0ded0a1fd11b3294dc7fb
  SHA512: b84242070cd2a566c26abb8e15950c684120b6be777f8c40f7c18b2962ff851b8907e1496595573fbd42094e92ffeeecb6fca850d0b1011a1e3765994ae7da17