Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 13/01/2024, 20:55
Behavioral task: behavioral1
- Sample: 596474f912744f495ea4f95d4dc0c69e.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 596474f912744f495ea4f95d4dc0c69e.exe
- Resource: win10v2004-20231222-en
General
- Target: 596474f912744f495ea4f95d4dc0c69e.exe
- Size: 226KB
- MD5: 596474f912744f495ea4f95d4dc0c69e
- SHA1: 9ff10912ad2486d054286b6378d1c019be44678f
- SHA256: ae2db060b3c6276691230399307ece62d8b59d89f0d5c5d7ef2e03d60fdaeb00
- SHA512: b52dbe2777eb242a9755a1157c75f66782d5055376a60227083410970efef624f533677cec806a6d9b1848815fd67fbbf5615c7e213eff208e1ebcbf8772c351
- SSDEEP: 3072:sA8AuJpiZ0hE0LFgEbGfVRTcnQ6pZVsO5XNnlQ1QHTjZfclIlYc3kH/TPPTOxny8:A9pM0BgVRB0ZVsALXEl32+LPPTOxn3j
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
- PID 2404: Recycle.Bin.exe
- PID 2852: 9Yo4D94.exe

Loads dropped DLL (4 IoCs)
- PID 3016: 596474f912744f495ea4f95d4dc0c69e.exe (2 entries)
- PID 2404: Recycle.Bin.exe (2 entries)

YARA rule match: upx (8 IoCs; resource -> rule)
- behavioral1/memory/3016-0-0x0000000000400000-0x00000000004B3000-memory.dmp: upx
- behavioral1/memory/3016-2-0x0000000000400000-0x00000000004B3000-memory.dmp: upx
- behavioral1/files/0x002e000000016cd0-12.dat: upx
- behavioral1/memory/3016-18-0x0000000002030000-0x00000000020E3000-memory.dmp: upx
- behavioral1/memory/2404-20-0x0000000000400000-0x00000000004B3000-memory.dmp: upx
- behavioral1/memory/2404-22-0x0000000000400000-0x00000000004B3000-memory.dmp: upx
- behavioral1/memory/2404-33-0x0000000000400000-0x00000000004B3000-memory.dmp: upx
- behavioral1/memory/3016-48-0x0000000000400000-0x00000000004B3000-memory.dmp: upx

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\4E3E0230AEBB4E96 = "C:\\Recycle.Bin\\Recycle.Bin.exe" (process: 9Yo4D94.exe)

Modifies Internet Explorer Phishing Filter (1 TTPs, 3 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PhishingFilter (process: 9Yo4D94.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" (process: 9Yo4D94.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0" (process: 9Yo4D94.exe)

Modifies Internet Explorer settings (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery (process: 9Yo4D94.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0" (process: 9Yo4D94.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed)
- PID 3016: 596474f912744f495ea4f95d4dc0c69e.exe (2 entries)
- PID 2404: Recycle.Bin.exe (1 entry)
- PID 2852: 9Yo4D94.exe (remaining 61 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs; repeated entries collapsed)
- Token: SeDebugPrivilege, PID 3016: 596474f912744f495ea4f95d4dc0c69e.exe (4 entries)
- Token: SeDebugPrivilege, PID 2404: Recycle.Bin.exe (2 entries)
- Token: SeDebugPrivilege, PID 2852: 9Yo4D94.exe (remaining 58 entries)

Suspicious use of WriteProcessMemory (14 IoCs; repeated entries collapsed)
- PID 3016 (596474f912744f495ea4f95d4dc0c69e.exe) wrote to memory of PID 2404, procid_target 28 (4 entries)
- PID 2404 (Recycle.Bin.exe) wrote to memory of PID 2852, procid_target 29 (6 entries)
- PID 2852 (9Yo4D94.exe) wrote to memory of PID 3016, procid_target 27 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\596474f912744f495ea4f95d4dc0c69e.exe (PID 3016)
  Command line: "C:\Users\Admin\AppData\Local\Temp\596474f912744f495ea4f95d4dc0c69e.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Recycle.Bin\Recycle.Bin.exe (PID 2404, child of PID 3016)
    Command line: "C:\Recycle.Bin\Recycle.Bin.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\9Yo4D94.exe (PID 2852, child of PID 2404)
      Command line: "C:\Users\Admin\AppData\Local\Temp\9Yo4D94.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies Internet Explorer Phishing Filter
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file 1
  Filesize: 35KB
  MD5: a56a6141dffaf3c9fe845d941c3156b8
  SHA1: 4d7b611855f10d3b573bfd1e219268c4caca4763
  SHA256: f11e24df3a2fde19f50134e7139f060dc26ac961db52ecc9ded33a4af6f87055
  SHA512: ae7a41a478bab81ef4512e7edc064a454597c0e750d98c3ff7d9f59e27514fbfe86e1b28646fdfe70d8eaed747c566afc914ccb80b2526bfb5cdabefda6c6f8c
- Dropped file 2
  Filesize: 3KB
  MD5: 29090b6b4d6605a97ac760d06436ac2d
  SHA1: d929d3389642e52bae5ad8512293c9c4d3e4fab5
  SHA256: 98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272
  SHA512: 9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be
- Dropped file 3 (same hashes as the submitted sample)
  Filesize: 226KB
  MD5: 596474f912744f495ea4f95d4dc0c69e
  SHA1: 9ff10912ad2486d054286b6378d1c019be44678f
  SHA256: ae2db060b3c6276691230399307ece62d8b59d89f0d5c5d7ef2e03d60fdaeb00
  SHA512: b52dbe2777eb242a9755a1157c75f66782d5055376a60227083410970efef624f533677cec806a6d9b1848815fd67fbbf5615c7e213eff208e1ebcbf8772c351