Analysis
max time kernel: 170s
max time network: 183s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/01/2024, 20:03
Static task: static1
Behavioral task: behavioral1
Sample: 4711b828b0bb466d3694fc0f2916edae.exe
Resource: win7-20231215-en
General
Target: 4711b828b0bb466d3694fc0f2916edae.exe
Size: 705KB
MD5: 4711b828b0bb466d3694fc0f2916edae
SHA1: a55117a0a64a4ec54418124ca8190479b92a6751
SHA256: ae121792a33bf3f52ac94e2d21c727c67abe9c2260170235f9c766c6d1eb376c
SHA512: c4bae1b76a9fd1147e9cd5086053936e0d763934fde04f0a0663ae94d01585d700f70960b61f374019db01b1aa5e4aaf2953c36a621616d271bc55c14aaba06f
SSDEEP: 12288:wDJnJM4OpSpnO8kTZlTV8fPnsklusrrbQDhzIs:UJnJM4OqTW3x8BfWhks
Malware Config
Signatures
-
Windows security modification
Disables taskbar notifications via registry modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3073191680-435865314-2862784915-1000 | alg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3073191680-435865314-2862784915-1000\EnableNotifications = "0" | alg.exe
-
Executes dropped EXE 8 IoCs
pid | Process
4900 | alg.exe
3944 | DiagnosticsHub.StandardCollector.Service.exe
1960 | fxssvc.exe
1640 | elevation_service.exe
1216 | elevation_service.exe
2900 | maintenanceservice.exe
1736 | msdtc.exe
4364 | msiexec.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | alg.exe
File opened (read-only) | \??\K: | alg.exe
File opened (read-only) | \??\N: | alg.exe
File opened (read-only) | \??\Q: | alg.exe
File opened (read-only) | \??\U: | alg.exe
File opened (read-only) | \??\V: | alg.exe
File opened (read-only) | \??\H: | alg.exe
File opened (read-only) | \??\I: | alg.exe
File opened (read-only) | \??\W: | alg.exe
File opened (read-only) | \??\E: | alg.exe
File opened (read-only) | \??\L: | alg.exe
File opened (read-only) | \??\M: | alg.exe
File opened (read-only) | \??\O: | alg.exe
File opened (read-only) | \??\R: | alg.exe
File opened (read-only) | \??\S: | alg.exe
File opened (read-only) | \??\T: | alg.exe
File opened (read-only) | \??\Y: | alg.exe
File opened (read-only) | \??\J: | alg.exe
File opened (read-only) | \??\P: | alg.exe
File opened (read-only) | \??\X: | alg.exe
File opened (read-only) | \??\Z: | alg.exe
-
Drops file in System32 directory 46 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\system32\wbengine.exe | alg.exe
File created | \??\c:\windows\system32\perceptionsimulation\gpblogbm.tmp | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\lsass.exe | alg.exe
File opened for modification | \??\c:\windows\system32\sgrmbroker.exe | alg.exe
File opened for modification | \??\c:\windows\system32\spectrum.exe | alg.exe
File opened for modification | \??\c:\windows\system32\vds.exe | alg.exe
File opened for modification | \??\c:\windows\system32\msdtc.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\sensordataservice.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\Appvclient.exe | alg.exe
File opened for modification | \??\c:\windows\system32\locator.exe | alg.exe
File opened for modification | \??\c:\windows\system32\snmptrap.exe | alg.exe
File created | \??\c:\windows\system32\anldckjm.tmp | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\svchost.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\msdtc.exe | alg.exe
File opened for modification | \??\c:\windows\system32\openssh\ssh-agent.exe | alg.exe
File created | \??\c:\windows\system32\diagsvcs\iikckmgl.tmp | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\lsass.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe | alg.exe
File opened for modification | \??\c:\windows\syswow64\perfhost.exe | alg.exe
File created | \??\c:\windows\system32\anbfeokb.tmp | 4711b828b0bb466d3694fc0f2916edae.exe
File created | \??\c:\windows\system32\cojcgoln.tmp | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe | alg.exe
File opened for modification | \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\vssvc.exe | alg.exe
File opened for modification | \??\c:\windows\system32\dllhost.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\msiexec.exe | alg.exe
File opened for modification | \??\c:\windows\system32\tieringengineservice.exe | alg.exe
File opened for modification | \??\c:\windows\system32\sensordataservice.exe | alg.exe
File opened for modification | \??\c:\windows\system32\wbem\wmiApsrv.exe | alg.exe
File opened for modification | \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\locator.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\Appvclient.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\dllhost.exe | alg.exe
File created | \??\c:\windows\system32\omlhopbp.tmp | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\fxssvc.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\msiexec.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\syswow64\perfhost.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File created | \??\c:\windows\system32\jckcecan.tmp | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\alg.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\svchost.exe | alg.exe
File opened for modification | \??\c:\windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File created | \??\c:\windows\syswow64\mkjhbhbe.tmp | 4711b828b0bb466d3694fc0f2916edae.exe
File created | \??\c:\windows\system32\eeejgkbc.tmp | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\system32\Agentservice.exe | alg.exe
File opened for modification | \??\c:\windows\system32\searchindexer.exe | alg.exe
-
Drops file in Program Files directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | alg.exe
File opened for modification | \??\c:\program files\common files\microsoft shared\source engine\ose.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | alg.exe
File opened for modification | \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe | alg.exe
File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File created | C:\Program Files\7-Zip\jgpijieg.tmp | alg.exe
File created | \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\ldegaobo.tmp | alg.exe
File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | alg.exe
File opened for modification | \??\c:\program files\common files\microsoft shared\source engine\ose.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File created | \??\c:\program files (x86)\mozilla maintenance service\kbdeckmk.tmp | alg.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File created | \??\c:\program files\common files\microsoft shared\source engine\acpmqknm.tmp | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe | alg.exe
File created | \??\c:\program files\google\chrome\Application\106.0.5249.119\fcjipcbg.tmp | alg.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | alg.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | 4711b828b0bb466d3694fc0f2916edae.exe
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | alg.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
-
Modifies data under HKEY_USERS 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
4900 | alg.exe (18 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
656 | Process not Found (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 4964 | 4711b828b0bb466d3694fc0f2916edae.exe
Token: SeTakeOwnershipPrivilege | 4900 | alg.exe
Token: SeAuditPrivilege | 1960 | fxssvc.exe
Token: SeSecurityPrivilege | 4364 | msiexec.exe
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | alg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | alg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4711b828b0bb466d3694fc0f2916edae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4711b828b0bb466d3694fc0f2916edae.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4964
- C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID: 4900
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 3944
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 3528
- C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 1960
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID: 1640
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 1216
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID: 2900
- C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 1736
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4364
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 678KB
  MD5: 1fc5c09a24c3a5ea35dceb044a2d7b36
  SHA1: ea88d238fc79eaf03082f3a03f8ca8008368d433
  SHA256: 26f2203f43ea4edafaea724ae66c5c4bc1b075ec02e030e1a46e1c0355966933
  SHA512: e6c334479fada188a606579e8b83059fb9b952184a89172e17814c90fd1062a2815706cfb579dfc98c68ab9054b26bbbbf4c28662b8ca19319d08e742206483a
- Filesize: 487KB
  MD5: bb125279a16dd050968720a939aac037
  SHA1: 5dab0b4ba6df3a37aea74a123d0a93c603d22a71
  SHA256: 44be793a8efa9e9c64a9d9eebed54e185ccc26a8c1a3df94e2cc3c9a2a140e9a
  SHA512: f7132a7d424e2b656def69a852f08c13b607a82f1f3a55bd07156995dd8935bd93562c82fb1f73d3766413fa5d78bd6802c2c8feb89851ab88e25cec5fe9d9b3
- Filesize: 1.0MB
  MD5: 3d01cfb4acd65ced09238681a2fe18f3
  SHA1: b60d92dc50e9710ed5b38b3b4058605a60abaa39
  SHA256: b11164e4a9feaf0cd615053010b5a94cb3e7aa728dad7deecd75287d8f06ae76
  SHA512: 26c61a270e82202067f9d117f4c8571b6a7824991c311e18335a361b6f918c5b3f6c0a88472f1f45b01bcebe7103b8197207887ae79ffd2d174ccd6fcd9900eb
- Filesize: 489KB
  MD5: c0a3d888f28efd234cdee1f25e69ab82
  SHA1: ab4f3383fe90c73710ec0c7af4d60631b1232055
  SHA256: f8864a0a1ab1e96071f920f2e1ea3eb5ad7d3692eb532cdeb5b95ec72f4bfd95
  SHA512: 7d307928d523599ef5f015e4e7a1ac39a87b7039cbcc7b996756b6540111da847afec5ebbdc5c208907e71ff2a0bd118813045ccf2ffe66e9faab436f69efccd
- Filesize: 540KB
  MD5: e2d4befd4ce7d3174358f8d5c8a4cb4d
  SHA1: 41c0e2a6e590754e4089ebd7ff9d746ad3418cbd
  SHA256: 0241635cc0e7b1bc13b355016f748e5509ebf7b408523bc5a298b8c1b4268c06
  SHA512: 82d3f5ff4193506d1710d000e829853ef60fe4a552e6fddfead75fdc7106aebc160cfb8185d66c33092520afe18b0efa0201f1fb8484072883fc55326bec0c77
- Filesize: 463KB
  MD5: 94fbe244583678e82f4a45e0f7054eea
  SHA1: 6510b5343b8525fad3c5f040d67428b778ccb1be
  SHA256: 9eeed0ad4ae8232dfc70ceadb26ce7aada78934ce22e996ddc0b629b7b36e223
  SHA512: a817ed975efca7a12f565367d7d18d990bce94edf7d7738722685749d00b501a0999f288e942ee105e453d8eb117f3b11b7cf75ceed4fde5069f03f3eaf15397
- Filesize: 1.9MB
  MD5: 67a93faa3f1cddc36d111bdc9d38caa4
  SHA1: eaa8396a7563fa46b37974ab90046533bf179f47
  SHA256: c417cf1e634da6301d120ae17bfc77aef59e4b1644799c029ece56ed43aadec9
  SHA512: 3fc5a3b0bc214b977442ae1dd4bfba313af00102c95abfe1faf46123967edea330e735bfad3830a12b444c5035cf82c4921b6421e23ffa6b67510ea458e166f2
- Filesize: 613KB
  MD5: b05093f2f0a8e4dd3a4e50381eb877bd
  SHA1: ecdab10d8993eafe10e5494a0a2097431ed93712
  SHA256: 16b3b7a1882fe964451b7f843a3d21f68c3bab83ad1c35ba3fd8701a7d824549
  SHA512: 3e632ce3a38e7946bc5be0a9454babe09763c911a1c86775c8acc5215fd183b1b94083f8c5d890d513ac60ea15d0648487875a2bb14b8c40ddf625457ec17990
- Filesize: 637KB
  MD5: 1d06022c348cba0842a4d89f222bc381
  SHA1: 16d191fa4870a5f94ae3f41cab656f51e0918207
  SHA256: 4edf92744f7c985738757d9149ff0178b53dd34dbd3b3f8d524a0f9399d0a09b
  SHA512: a524017c0dd6ca580793810f4373e84953c98b800b49c90773ca3a1bcc48759c398e4ab75319a6fe90b7a84fa53dacc0e7c6862628c561a5a1e722511e1714c8
- Filesize: 2.0MB
  MD5: 73771d5499be9d1d7301025b0da41991
  SHA1: 727117e25306e4963bbdd579898a563a4e0c5e8b
  SHA256: 3d98360d4356abe81148a96fbde24834484281d58bb0e0428a3ca875cd47724b
  SHA512: 1463cb7d6ba17bed2d3f1560d87aa328ccf6853f3c55663e2bac1ff3ac64965b0d47af9832b755b058d6c3f6055894864f65d9d2c357d1e96e2751cee8f0d2e4