Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 02:46
Static task: static1
Behavioral task: behavioral1
  Sample: 0c1c93c5b062822511d5c77bd148a34c.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0c1c93c5b062822511d5c77bd148a34c.exe
  Resource: win10v2004-20231215-en
General
Target: 0c1c93c5b062822511d5c77bd148a34c.exe
Size: 108KB
MD5: 0c1c93c5b062822511d5c77bd148a34c
SHA1: 96ab3cb4a9fc7d3fbd873efe9657c5cd5194d1a9
SHA256: 50a7ef4ea08cffa20d73c86dc3294f08057f9e885c7bc0c8e8274dc48ef8ff5f
SHA512: 8d69ecacbd4678d98f02b211001a1fab2d6a8fd2c2494883d911840824b0b661bfd02921edc614d5cae18016106dc9e24f966e387112c4d82087a59eb68ffccc
SSDEEP: 1536:UOqzj0We+nBx3Of6ZcnWWG1KdIvf1ijij+p4j9S2fbwg7h4HVQJZp:IXeaBlOf2WG1KdrQN+Kp
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 0c1c93c5b062822511d5c77bd148a34c.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cpvim.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | 0c1c93c5b062822511d5c77bd148a34c.exe
Executes dropped EXE (1 IoCs)
pid | Process
4560 | cpvim.exe
Adds Run key to start application (2 TTPs, 27 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /j" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /o" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /g" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /v" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /p" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /h" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /n" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /m" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /d" | 0c1c93c5b062822511d5c77bd148a34c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /l" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /i" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /a" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /q" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /t" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /k" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /s" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /x" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /f" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /d" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /e" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /r" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /w" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /u" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /b" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /c" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /y" | cpvim.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpvim = "C:\\Users\\Admin\\cpvim.exe /z" | cpvim.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4680 | 4060 | WerFault.exe | 14
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4060 | 0c1c93c5b062822511d5c77bd148a34c.exe
4060 | 0c1c93c5b062822511d5c77bd148a34c.exe
4560 | cpvim.exe (this entry repeats for the remaining 62 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4060 | 0c1c93c5b062822511d5c77bd148a34c.exe
4560 | cpvim.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4060 wrote to memory of 4560 | 4060 | 0c1c93c5b062822511d5c77bd148a34c.exe | 92
PID 4060 wrote to memory of 4560 | 4060 | 0c1c93c5b062822511d5c77bd148a34c.exe | 92
PID 4060 wrote to memory of 4560 | 4060 | 0c1c93c5b062822511d5c77bd148a34c.exe | 92
Processes
C:\Users\Admin\AppData\Local\Temp\0c1c93c5b062822511d5c77bd148a34c.exe (PID 4060)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c1c93c5b062822511d5c77bd148a34c.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\cpvim.exe (PID 4560, child of 4060)
    Command line: "C:\Users\Admin\cpvim.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WerFault.exe (PID 4680, child of 4060)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 2968
    - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 4412)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4060 -ip 4060
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 108KB
MD5: 7c7e885ccd12d732871e16b1571d30c4
SHA1: 0acce33a6ace3b80eb6b108f969be5dd3530d171
SHA256: aa4cb7eff2d806923a50ec1bd55c974a1df86c0a711b53cdf3c6e4d1372e8033
SHA512: bef605b684b086699260e1e8abb3dbc1dba7fb7121e4ce9dcdcca697f2d43b4b102d523c085d060ba2c57821abcb5c4d529571a24d5d7a1ce448b8896c1f3e3a