Analysis
- max time kernel: 162s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/01/2024, 19:10
- Static task: static1
- Behavioral task: behavioral1 (sample: smeet_hack.exe, resource: win7-20231215-en)
- Behavioral task: behavioral2 (sample: smeet_hack.exe, resource: win10v2004-20231215-en)
General
- Target: smeet_hack.exe
- Size: 132KB
- MD5: b9fe8ba9fa03b661875eafadef6deeba
- SHA1: 26740c46154ebde429393343b1340718948d5d2a
- SHA256: 793de2577ef5401c24923a67bd9dd270fba01a29a57b935793534a7b9b6e753b
- SHA512: 42af1306dbfab18a54457a0caff59fff512f3a6be145fd45b92da7199307cb8781f066d7281be43594f2aaf288b8b02ffd6dd5bd0a0ce8f01d5eb46828fbd8ac
- SSDEEP: 3072:+k/HpFI90No9z22drwEVIDEtc8aRFxhYi:THpFI9c2dswtcv7b
Malware Config
Signatures
UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: REG.exe)
Disables RegEdit via registry modification (1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: smeet_hack.exe)

Disables Task Manager via registry modification

Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smeet_hack.exe" (process: smeet_hack.exe)

Modifies registry key (1 TTPs, 5 IoCs)
- PID 4212 REG.exe
- PID 3020 REG.exe
- PID 3804 REG.exe
- PID 2508 REG.exe
- PID 2692 REG.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1164 smeet_hack.exe (64 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 1164 smeet_hack.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeDebugPrivilege, PID 1164 smeet_hack.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
- PID 1164 smeet_hack.exe

Suspicious use of WriteProcessMemory (10 IoCs)
- PID 1164 smeet_hack.exe wrote to memory of PID 2508, procid_target 97 (2 events)
- PID 1164 smeet_hack.exe wrote to memory of PID 2692, procid_target 99 (2 events)
- PID 1164 smeet_hack.exe wrote to memory of PID 4212, procid_target 101 (2 events)
- PID 1164 smeet_hack.exe wrote to memory of PID 3020, procid_target 102 (2 events)
- PID 1164 smeet_hack.exe wrote to memory of PID 3804, procid_target 104 (2 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\smeet_hack.exe (PID 1164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\smeet_hack.exe"
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\REG.exe (PID 2508)
    Command line: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - UAC bypass
    - Modifies registry key
  - C:\Windows\SYSTEM32\REG.exe (PID 2692)
    Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    - Modifies registry key
  - C:\Windows\SYSTEM32\REG.exe (PID 4212)
    Command line: REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
    - Modifies registry key
  - C:\Windows\SYSTEM32\REG.exe (PID 3020)
    Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
    - Modifies registry key
  - C:\Windows\SYSTEM32\REG.exe (PID 3804)
    Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)