Analysis
max time kernel: 155s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/01/2024, 02:47
Behavioral tasks
behavioral1: sample 3bb0f7d1717c35600768f7d561a314a8.exe, resource win7-20231215-en
behavioral2: sample 3bb0f7d1717c35600768f7d561a314a8.exe, resource win10v2004-20231215-en
The Analysis, Signatures and Processes sections on this page are from the Windows 10 task (behavioral2); every memory and file resource below is prefixed behavioral2/.
General
Target: 3bb0f7d1717c35600768f7d561a314a8.exe
Size: 2.3MB
MD5: 3bb0f7d1717c35600768f7d561a314a8
SHA1: 49c73c3f6cda798fef0bde61c3a8480d0a7c8a79
SHA256: bd284862b9c40907cb8e8fcc25122dbb95066ccfce453d9244a44e102a45ff26
SHA512: 05a266dad80b4717429c995f96f0ed76c319e99c62a732d628a3c0708fd825b696ac4564716cca17c27bb7f12ea4a59302fe939b1557a8d693c6f2e7c63ce06a
SSDEEP: 24576:J7FosV8/Q8z9Gh8jyQ3s1smCkv6oqpumCkv6Pu4/QJQHCkv6oqpumCkv6PurCkx:8/p9GijymsepA66pA6m4/erA66pA6m+g
Malware Config
Signatures

- Sets service image path in registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mvdm.sys\ImagePath = "\??\C:\Users\Admin\AppData\Local\Temp\mvdm.sys"
  process: xzisy.exe
  The ImagePath points the service mvdm.sys at a file in the user's Temp directory, the same directory the dropped xzisy.exe runs from. Legitimate kernel drivers are installed under %SystemRoot%\System32\drivers; a driver registered from a user-writable path is a strong indicator on its own.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation
  process: xzisy.exe
- Executes dropped EXE (1 IoC)
  pid 952, xzisy.exe
- UPX-packed (yara rule: upx, 11 IoCs)
  behavioral2/memory/2560-0-0x0000000000400000-0x00000000004FF000-memory.dmp
  behavioral2/memory/2560-1-0x0000000000400000-0x00000000004FF000-memory.dmp
  behavioral2/memory/2560-4-0x0000000000400000-0x00000000004FF000-memory.dmp
  behavioral2/files/0x000200000001e7df-6.dat
  behavioral2/memory/952-8-0x0000000000400000-0x00000000004FF000-memory.dmp
  behavioral2/memory/2560-10-0x0000000000400000-0x00000000004FF000-memory.dmp
  behavioral2/memory/2560-13-0x0000000000400000-0x00000000004FF000-memory.dmp
  behavioral2/memory/952-14-0x0000000000400000-0x00000000004FF000-memory.dmp
  behavioral2/memory/952-18-0x0000000000400000-0x00000000004FF000-memory.dmp
  behavioral2/memory/952-22-0x0000000000400000-0x00000000004FF000-memory.dmp
  behavioral2/memory/952-33-0x0000000000400000-0x00000000004FF000-memory.dmp
  The rule matches the submitted sample (PID 2560) and the dropped xzisy.exe (PID 952) over the same 0x400000-0x4FF000 image range, and the dropped file record 0x000200000001e7df-6.dat.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: LoadsDriver (1 IoC)
  pid 952, xzisy.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 952, xzisy.exe
  Token: SeLoadDriverPrivilege, pid 952, xzisy.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 952, xzisy.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid 952, xzisy.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 952, xzisy.exe
  pid 952, xzisy.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 2560 wrote to memory of 952 | 2560 | 3bb0f7d1717c35600768f7d561a314a8.exe | 91
  PID 2560 wrote to memory of 952 | 2560 | 3bb0f7d1717c35600768f7d561a314a8.exe | 91
  PID 2560 wrote to memory of 952 | 2560 | 3bb0f7d1717c35600768f7d561a314a8.exe | 91
  PID 952 wrote to memory of 2908 | 952 | xzisy.exe | 96
  PID 952 wrote to memory of 2908 | 952 | xzisy.exe | 96
  PID 952 wrote to memory of 2908 | 952 | xzisy.exe | 96

Taken together, the dropped xzisy.exe (PID 952) enables SeLoadDriverPrivilege, registers mvdm.sys with an ImagePath in the user's Temp directory, and triggers LoadsDriver: it attempts to load a kernel driver from a user-writable location. On 64-bit Windows 10 an unsigned driver is refused by Driver Signature Enforcement unless that is bypassed; the report does not show whether the load succeeded.
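The ImagePath write, the SeLoadDriverPrivilege token and the LoadsDriver behaviour are the three rows a detection engineer would correlate. The Python below is an added example, not Triage's code: it takes the report's rows as constructed event records (the record layout is an assumption), flags a service ImagePath that points a .sys file at a user-writable directory, and escalates when the same PID also enables SeLoadDriverPrivilege. The report renders the registry value with doubled backslashes; the example uses the literal path. The System32 control row is constructed and not from the report.

```python
"""Flag a kernel driver registered from a user-writable directory and correlate it
with SeLoadDriverPrivilege use by the same process.

Added example, not Triage's own code. The report events below are built from the
Signatures rows (paths, PIDs and token names are the report's); the Event layout
and the control row are assumptions."""
import re
from typing import List, NamedTuple, Optional

SERVICE_KEY_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\(?P<service>[^\\]+)\\ImagePath$",
    re.IGNORECASE,
)

# Locations a standard user can write to (assumption: default profile layout).
# A driver loaded from here never had to touch a protected directory.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


class Event(NamedTuple):
    kind: str        # "reg_set" or "token"
    pid: int
    process: str
    key: str = ""    # registry key for reg_set, privilege name for token
    value: str = ""  # registry data for reg_set


def normalize_nt_path(value: str) -> str:
    """Turn an NT-style ImagePath (\\??\\, \\\\?\\, \\SystemRoot\\, relative) into a
    lower-cased Win32 path so prefixes can be compared."""
    v = value.strip().strip('"')
    for prefix in ("\\??\\", "\\\\?\\"):
        if v.startswith(prefix):
            v = v[len(prefix):]
            break
    if v.lower().startswith("\\systemroot\\"):
        v = "C:\\Windows\\" + v[len("\\SystemRoot\\"):]
    elif v.lower().startswith("system32\\"):
        v = "C:\\Windows\\" + v   # relative ImagePaths resolve under %SystemRoot%
    return v.lower()


def driver_in_user_writable_dir(key: str, value: str) -> Optional[dict]:
    """Return a finding if `key` is a service ImagePath whose .sys lives in a
    user-writable directory, else None."""
    m = SERVICE_KEY_RE.match(key)
    if not m:
        return None
    path = normalize_nt_path(value)
    if not path.endswith(".sys") or not path.startswith(USER_WRITABLE_PREFIXES):
        return None
    return {"service": m.group("service"), "image_path": path}


def triage(events: List[Event]) -> List[dict]:
    """Collect ImagePath findings, then escalate any PID that also enabled
    SeLoadDriverPrivilege: it is about to call NtLoadDriver on what it registered."""
    findings: List[dict] = []
    drivers_by_pid: dict = {}
    for ev in events:
        if ev.kind == "reg_set":
            hit = driver_in_user_writable_dir(ev.key, ev.value)
            if hit:
                hit.update(pid=ev.pid, process=ev.process, severity="high")
                findings.append(hit)
                drivers_by_pid.setdefault(ev.pid, []).append(hit["service"])
    for ev in events:
        if ev.kind == "token" and ev.key == "SeLoadDriverPrivilege" and ev.pid in drivers_by_pid:
            findings.append({
                "pid": ev.pid, "process": ev.process, "severity": "critical",
                "reason": "SeLoadDriverPrivilege enabled by the process that registered "
                          + ", ".join(drivers_by_pid[ev.pid]),
            })
    return findings


# Constructed from the report's Signatures rows (PID 952, xzisy.exe).
REPORT_EVENTS = [
    Event("reg_set", 952, "xzisy.exe",
          "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\mvdm.sys\\ImagePath",
          "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\mvdm.sys"),
    Event("token", 952, "xzisy.exe", "SeDebugPrivilege"),
    Event("token", 952, "xzisy.exe", "SeLoadDriverPrivilege"),
    # Constructed benign control, not from the report: a driver under System32 must not fire.
    Event("reg_set", 4, "System",
          "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\disk\\ImagePath",
          "\\SystemRoot\\System32\\drivers\\disk.sys"),
]

if __name__ == "__main__":
    for finding in triage(REPORT_EVENTS):
        print(finding)
```

The prefix check is deliberately done on the normalized path rather than on the raw registry string, because `\??\`, `\\?\` and `\SystemRoot\` spellings of the same file would otherwise slip past a naive `startswith("C:\\Users")`.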
Processes

- C:\Users\Admin\AppData\Local\Temp\3bb0f7d1717c35600768f7d561a314a8.exe (PID 2560, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\3bb0f7d1717c35600768f7d561a314a8.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\xzisy.exe (PID 952, depth 2, child of 2560)
    command line: C:\Users\Admin\AppData\Local\Temp\xzisy.exe -run
    - Sets service image path in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2908, depth 3, child of 952)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xzisy.bat" "

The cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line names system32: WOW64 file-system redirection substituted it, which shows xzisy.exe is a 32-bit process (consistent with the arch:x86 resource tag). Every process in the chain runs out of the user's Temp directory, and the batch file xzisy.bat it ends in is not listed on this page.
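The six WriteProcessMemory IoCs are two parent-to-child spawns, each logged three times, and the tree above is what they reduce to. The Python below is an added example, not Triage's code: it parses the flattened rows (the column layout description, pid, process, procid_target is assumed from the report), collapses duplicate rows, renders the tree with the command lines taken from the Processes section, and flags a chain in which every process runs from the user's Temp directory and ends in cmd.exe executing a .bat file. Function and constant names are the example's own.

```python
"""Rebuild a process tree from sandbox WriteProcessMemory rows and flag a
drop-and-run chain that stays inside the user's Temp directory.

Added example, not Triage's own code. WPM_BLOB and COMMAND_LINES are copied from
the report; the row layout and the chain heuristic are assumptions."""
import re
from typing import Dict, List, Tuple

# The report's six rows, flattened exactly as the page shows them (constructed input).
WPM_BLOB = (
    "PID 2560 wrote to memory of 952 2560 3bb0f7d1717c35600768f7d561a314a8.exe 91 "
    "PID 2560 wrote to memory of 952 2560 3bb0f7d1717c35600768f7d561a314a8.exe 91 "
    "PID 2560 wrote to memory of 952 2560 3bb0f7d1717c35600768f7d561a314a8.exe 91 "
    "PID 952 wrote to memory of 2908 952 xzisy.exe 96 "
    "PID 952 wrote to memory of 2908 952 xzisy.exe 96 "
    "PID 952 wrote to memory of 2908 952 xzisy.exe 96"
)

# Command lines from the Processes section, keyed by PID.
COMMAND_LINES = {
    2560: '"C:\\Users\\Admin\\AppData\\Local\\Temp\\3bb0f7d1717c35600768f7d561a314a8.exe"',
    952: "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzisy.exe -run",
    2908: 'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\xzisy.bat" "',
}

# One row: description ("PID <src> wrote to memory of <dst>"), pid (repeats src),
# process image name, procid_target (Triage's internal index, ignored here).
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) \d+"
)

USER_TEMP = "\\appdata\\local\\temp\\"


def parse_edges(blob: str) -> Tuple[int, Dict[int, List[int]]]:
    """Return (raw_row_count, {parent_pid: [child_pid, ...]}).
    Process creation makes the parent write into the new child several times, and the
    sandbox logs each write, so identical rows are repeats of one spawn and are collapsed."""
    raw = 0
    children: Dict[int, List[int]] = {}
    for m in ROW_RE.finditer(blob):
        raw += 1
        src, dst = int(m["src"]), int(m["dst"])
        kids = children.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)
    return raw, children


def roots(children: Dict[int, List[int]]) -> List[int]:
    """PIDs that write to others but were never written to: the top of each tree."""
    all_kids = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in all_kids]


def render_tree(pid: int, children: Dict[int, List[int]], cmdlines: Dict[int, str],
                depth: int = 0) -> List[str]:
    """Indented text tree, one line per process, in spawn order."""
    lines = [f"{'  ' * depth}{pid}  {cmdlines.get(pid, '?')}"]
    for kid in children.get(pid, []):
        lines.extend(render_tree(kid, children, cmdlines, depth + 1))
    return lines


def drop_and_run_chains(children: Dict[int, List[int]], cmdlines: Dict[int, str]) -> List[List[int]]:
    """Root-to-node paths of length >= 3 where every command line references the user's
    Temp directory and the last node is cmd.exe running a .bat file."""
    found: List[List[int]] = []

    def walk(pid: int, path: List[int]) -> None:
        cmd = cmdlines.get(pid, "").lower()
        if USER_TEMP not in cmd:
            return                      # chain broken: this process is not Temp-resident
        path = path + [pid]
        if "cmd.exe" in cmd and ".bat" in cmd and len(path) >= 3:
            found.append(path)
        for kid in children.get(pid, []):
            walk(kid, path)

    for r in roots(children):
        walk(r, [])
    return found


if __name__ == "__main__":
    raw, tree = parse_edges(WPM_BLOB)
    print(f"{raw} rows -> {sum(len(v) for v in tree.values())} distinct spawns")
    for r in roots(tree):
        print("\n".join(render_tree(r, tree, COMMAND_LINES)))
    print("drop-and-run chains:", drop_and_run_chains(tree, COMMAND_LINES))
```

The heuristic keys on the command line rather than the image path on purpose: for PID 2908 the image is SysWOW64\cmd.exe, which says nothing on its own, while the command line carries the Temp-resident xzisy.bat that makes the chain interesting.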
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 137B
  MD5: 76e53d083346c60bb954e46f16f00f01
  SHA1: d8c533b1aafc1658d6adb42e29ee8529141bac63
  SHA256: 3a0f372317d8f6bef70702a0e8f2361d5c05c208b5e320cfdbfbb032e7921b87
  SHA512: 5534f14acbb1dc2e8e3c7329e95a2a89179342e6c84badbcfaf927d524f60f332934ecbc135b3a7c2c9cb30cc6234e37b2cd605f591cc845424c0dcb07e19c77
- Filesize: 2.9MB
  MD5: 2deb016bc0f72497decbacddd6b2082d
  SHA1: f25f685d741d40a64ee5ea0c37425036de7dea69
  SHA256: fe5509b9b4df6b3b2bbeba6cde9847eb371f40403ed3184f3dd038b647e1eb60
  SHA512: e054687ab0d88f7fd690818985399ff97b199862420659aa1aed5ba546f03b1f7ef70ddbf4cdb4af655dc674f56dc756cc09c3d22c92d6259f39c6466fa77a7c