Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
17/01/2024, 18:10
Behavioral task
behavioral1
Sample
start.exe
Resource
win7-20231129-en
General
-
Target
start.exe
-
Size
93KB
-
MD5
937286297fbc003e6a69fdc0f02ce8b0
-
SHA1
2ebd595bbb357264649f17f8b066941f05befefb
-
SHA256
35b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf
-
SHA512
9c26792ef5102c7215afae12264e2eca6c2a0f9ed67d9b84918b720f4ca81b5fa2cdb59a28f4089e25abb93243a3d90e98d45dda9862286e2e074708eaf405f4
-
SSDEEP
1536:t8NBNvGfr2p4dTc/hDjEwzGi1dDmD4gS:t8Yfr2p4dI/Gi1dwh
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 3888 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation start.exe -
Drops startup file 6 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60742add55fe12a61a5fe6a3cf32e5c0Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60742add55fe12a61a5fe6a3cf32e5c0Windows Update.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe -
Executes dropped EXE 1 IoCs
pid Process 4108 server.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf server.exe File opened for modification C:\autorun.inf server.exe File created F:\autorun.inf server.exe File opened for modification F:\autorun.inf server.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe 4108 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4108 server.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe Token: 33 4108 server.exe Token: SeIncBasePriorityPrivilege 4108 server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 864 wrote to memory of 4108 864 start.exe 88 PID 864 wrote to memory of 4108 864 start.exe 88 PID 864 wrote to memory of 4108 864 start.exe 88 PID 4108 wrote to memory of 3888 4108 server.exe 92 PID 4108 wrote to memory of 3888 4108 server.exe 92 PID 4108 wrote to memory of 3888 4108 server.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\start.exe"C:\Users\Admin\AppData\Local\Temp\start.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:3888
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
93KB
MD5937286297fbc003e6a69fdc0f02ce8b0
SHA12ebd595bbb357264649f17f8b066941f05befefb
SHA25635b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf
SHA5129c26792ef5102c7215afae12264e2eca6c2a0f9ed67d9b84918b720f4ca81b5fa2cdb59a28f4089e25abb93243a3d90e98d45dda9862286e2e074708eaf405f4
-
Filesize
5B
MD569cf10399d0d1350c3698099796624cb
SHA1d0b58b76ff065f51172971853a7da414286d9ea7
SHA256a7bff94c7cdef50b67a3bab142ebcec4d360491e339581c41f433fec6d002f48
SHA5125e1c9745b2b529c026e51fbff7fd4e1e0bd208c705b7da830459758d28c01b32b9bc93caa7ad60228d3e785784023d8a739fda0dab62d3c76770ea84c257f1f7