Analysis
max time kernel: 161s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/01/2024, 06:45

Static task: static1
Behavioral task: behavioral1
  Sample: 4305f76c08cdeaa949c7f4efc418f9a2.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2 (the run shown on this page)
  Sample: 4305f76c08cdeaa949c7f4efc418f9a2.exe
  Resource: win10v2004-20231215-en
General
Target: 4305f76c08cdeaa949c7f4efc418f9a2.exe
Size: 685KB
MD5: 4305f76c08cdeaa949c7f4efc418f9a2
SHA1: ad2879785e3bd63c4d46609a5404af7971c2d0b7
SHA256: 7b262ab0a0ac865ee929b33f0a77dd7af315c566c58fb3ed1e60b740a99bc960
SHA512: b79676b501ce80c4dda0e4e8361878a3299dfceda1e8ea0a6f675da4d6650209431fe6f27ae0ea043a4afe6bf703ba69bd440daa3e356725e56ffc7935322688
SSDEEP: 12288:lrCx8y3OTknH5S+ycSWUAangtrJePiCmqbF3Z4mxxgCaQzwF:Xy3OTgH5FX8zZbQmXl7wF
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID   Process
  3152  Server.exe
  3616  Hacker.com.cn.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 4305f76c08cdeaa949c7f4efc418f9a2.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Caveat: this RunOnce entry is the cleanup hook written by the IExpress/wextract self-extractor stub (it deletes the IXP000.TMP extraction directory at next logon). It identifies the sample as an IExpress package; it is not persistence for the payload. The WOW6432Node path shows the sample is a 32-bit image running on the x64 host.

Drops file in Windows directory (3 IoCs)
  Event                          Path                           Process
  File created                   C:\Windows\Hacker.com.cn.exe   Server.exe
  File opened for modification   C:\Windows\Hacker.com.cn.exe   Server.exe
  File created                   C:\Windows\uninstal.bat        Server.exe

Modifies data under HKEY_USERS (5 IoCs)
  All by Hacker.com.cn.exe, under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\:
  Key created       ZoneMap\
  Set value (int)   IntranetName = "1"
  Set value (int)   UNCAsIntranet = "1"
  Set value (int)   AutoDetect = "0"
  Set value (int)   ProxyBypass = "1"
  Caveat: HKU\.DEFAULT is the hive a process sees as HKCU when it runs without an interactive user profile, typically as LocalSystem. Together with Hacker.com.cn.exe appearing as its own root in the process tree rather than as a child of Server.exe, this points to it being started outside the sample's own process chain, although this page records no service or scheduled-task creation. The four values are the ones WinINet/Internet Explorer initialises on first use, which matches the later launch of IEXPLORE.EXE by the same process.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token              PID   Process
  SeDebugPrivilege   3152  Server.exe
  SeDebugPrivilege   3616  Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  PID   Process
  3616  Hacker.com.cn.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  Description                         PID   Process                                procid_target
  PID 608 wrote to memory of 3152     608   4305f76c08cdeaa949c7f4efc418f9a2.exe   92
  PID 608 wrote to memory of 3152     608   4305f76c08cdeaa949c7f4efc418f9a2.exe   92
  PID 608 wrote to memory of 3152     608   4305f76c08cdeaa949c7f4efc418f9a2.exe   92
  PID 3616 wrote to memory of 3972    3616  Hacker.com.cn.exe                      97
  PID 3616 wrote to memory of 3972    3616  Hacker.com.cn.exe                      97
  PID 3152 wrote to memory of 3764    3152  Server.exe                             98
  PID 3152 wrote to memory of 3764    3152  Server.exe                             98
  PID 3152 wrote to memory of 3764    3152  Server.exe                             98
  Note: procid_target is the sandbox's internal process record, not a Windows PID. Every write here goes from a parent into the child it has just created (608 -> 3152, 3152 -> 3764, 3616 -> 3972), which process creation produces on its own; none of these rows shows a write into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\4305f76c08cdeaa949c7f4efc418f9a2.exe  (PID 608)
  command line: "C:\Users\Admin\AppData\Local\Temp\4305f76c08cdeaa949c7f4efc418f9a2.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe  (PID 3152)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 3764)
          command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat

C:\Windows\Hacker.com.cn.exe  (PID 3616)
  command line: C:\Windows\Hacker.com.cn.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Internet Explorer\IEXPLORE.EXE  (PID 3972)
      command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
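The behaviours in the signature block and process tree above, turned into a handful of hunt rules and run over constructed Sysmon-style events. This is an added example written for this page, not tria.ge output and not code from the sample. The event shape (ids 1, 11 and 13 with simplified field names), the parent PIDs 4000 and 700, the two benign control events and the allowlist of binaries that legitimately sit directly in C:\Windows are assumptions; PIDs, paths and registry keys are taken from the report. The wextract RunOnce rule is kept informational on purpose, since that key marks an IExpress self-extractor rather than persistence.

```python
"""Hunt rules derived from the tria.ge report above, run over constructed
Sysmon-style events. Added example for this page, not sandbox output.
Field names (id, pid, ppid, image, cmdline, target, key, value) are a
simplified stand-in for Sysmon event IDs 1/11/13, not the real schema."""
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4305f76c08cdeaa949c7f4efc418f9a2.exe"
SERVER = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe"
HACKER = r"C:\Windows\Hacker.com.cn.exe"

# Constructed events. PIDs, paths and registry keys come from the report;
# parent PIDs 4000 and 700 and the two benign control events are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 608, "ppid": 4000, "image": SAMPLE},
    {"id": 13, "pid": 608, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "value": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    {"id": 1, "pid": 3152, "ppid": 608, "image": SERVER},
    {"id": 11, "pid": 3152, "image": SERVER, "target": HACKER},
    {"id": 11, "pid": 3152, "image": SERVER, "target": r"C:\Windows\uninstal.bat"},
    {"id": 1, "pid": 3764, "ppid": 3152, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat"},
    {"id": 1, "pid": 3616, "ppid": 700, "image": HACKER},
    {"id": 13, "pid": 3616, "image": HACKER,
     "key": r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass",
     "value": "1"},
    {"id": 1, "pid": 3972, "ppid": 3616, "image": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"},
    {"id": 1, "pid": 5000, "ppid": 4000, "image": r"C:\Windows\explorer.exe"},  # benign control
    {"id": 11, "pid": 5001, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\x.tmp"},                                       # benign control
]

IEXPRESS_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.I)
WEXTRACT_RUNONCE = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.I)
# A file sitting directly in C:\Windows, with no further subdirectory.
WINDOWS_ROOT_FILE = re.compile(r"^C:\\Windows\\[^\\]+\.(exe|dll|bat|cmd)$", re.I)
USER_PROFILE = re.compile(r"^C:\\Users\\", re.I)
HKU_DEFAULT_ZONEMAP = re.compile(r"^HKU\\\.DEFAULT\\.*\\Internet Settings\\ZoneMap\\", re.I)
BAT_FROM_WINDOWS_ROOT = re.compile(r'/c\s+"?C:\\Windows\\[^\\\s"]+\.bat', re.I)
# Binaries that legitimately live directly in C:\Windows (assumed allowlist; tune per estate).
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
                      "winhlp32.exe", "splwow64.exe", "bfsvc.exe", "helppane.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    image: str
    chain: tuple  # ancestry images, alerting process first


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Walk ppid links through the process-create events; stops at an unknown parent."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid].get("ppid")
    return tuple(chain)


def run_rules(events):
    """Apply the per-event rules and attach the process ancestry to each hit."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []

    def fire(rule, e):
        alerts.append(Alert(rule, e["pid"], e["image"], ancestry(e["pid"], by_pid)))

    for e in events:
        img = e["image"]
        if e["id"] == 1:
            if IEXPRESS_DIR.search(img):
                fire("exec_from_iexpress_extract_dir", e)
            if WINDOWS_ROOT_FILE.match(img) and basename(img) not in WINDOWS_ROOT_ALLOW:
                fire("exec_of_unknown_binary_in_windows_root", e)
            if BAT_FROM_WINDOWS_ROOT.search(e.get("cmdline", "")):
                fire("cmd_runs_bat_from_windows_root", e)
        elif e["id"] == 11:
            if WINDOWS_ROOT_FILE.match(e["target"]) and USER_PROFILE.match(img):
                fire("user_profile_binary_drops_into_windows_root", e)
        elif e["id"] == 13:
            if WEXTRACT_RUNONCE.search(e["key"]):
                fire("iexpress_wextract_cleanup_runonce", e)  # informational: marks an SFX stub
            if HKU_DEFAULT_ZONEMAP.match(e["key"]):
                fire("hku_default_zonemap_write", e)
    return alerts


if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"{a.rule:45} pid={a.pid:<5} chain={' <- '.join(a.chain)}")
```

On the constructed events the rules fire seven times and the benign controls stay quiet: explorer.exe is allowlisted, and svchost.exe writing under C:\Windows\Temp does not match the root-of-C:\Windows pattern. The ancestry chain is what makes the cmd.exe hit readable on a real host: it ties the uninstal.bat launch back through Server.exe to the original sample rather than leaving an isolated cmd.exe alert.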
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 743KB
MD5: 568521c849079c94e09c7b82be334831
SHA1: 2c72a5898e14c6020cfe501cb159bf71666a67f2
SHA256: a5ac468e5e9b8ba9624f6b34455f359d09bc82b6d9056f1ed4090625cdc4325e
SHA512: cfe971c59d46cd50540f913be5b7290a20362b7a218a11e06e23835e4a9b5a997b25da3a64ae72753f9c5dd30fbae8d982bfbf2fd321070db626ea357cf534e9

Filesize: 160B
MD5: 69e01c599950b5caf5cd7ec972f89682
SHA1: 2d34ceced77c1f86417c00f706e06cc902b11e3b
SHA256: b46da5e666a34856e6f9763f5bef2a4879b4d33f42ea1727be44a84e76fc8e5e
SHA512: 48acf4f4b87eb21a255003a18ed572efb78d5c3ad90b4529bbb16dd32b53142c8f08fe4f567d29115e2ac1fb543f71c1b9ac3dc79cc14afda84c67f72ff11ba9