Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2024, 06:09
Behavioral task behavioral1
- Sample: 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe
- Resource: win10v2004-20231222-en
General
- Target: 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe
- Size: 93KB
- MD5: 36b911da6d9248ad4b683901b0460612
- SHA1: 02b48d75fea67a4cbcea96857f82d220aff9782a
- SHA256: 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319
- SHA512: 7c284d23072ee1064ba88964c6ba974b7f307df8d4a7d569b89d1ae271c0c2b054afe468abceb53f987482e85fd7ee73d8443ad8343c3b71ccdd2025ad9c9f92
- SSDEEP: 1536:vCwC+xhUa9urgOBPRNvM4jEwzGi1dDLDogS:vCmUa9urgObdGi1dbR
Malware Config
Signatures
Modifies Windows Firewall (1 TTPs, 1 IoCs)
- pid 4140, process netsh.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation (process 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe)
Drops startup file (4 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (process server.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (process server.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a22a0a6dceeda228b546e36a480dbdfbWindows Update.exe (process server.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a22a0a6dceeda228b546e36a480dbdfbWindows Update.exe (process server.exe)
Executes dropped EXE (1 IoCs)
- pid 3504, process server.exe
Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\Explower.exe (process server.exe)
- File opened for modification: C:\Windows\SysWOW64\Explower.exe (process server.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- pid 3504, process server.exe
Suspicious use of AdjustPrivilegeToken 38 IoCs
description pid Process Token: SeDebugPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: SeManageVolumePrivilege 784 svchost.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe Token: 33 3504 server.exe Token: SeIncBasePriorityPrivilege 3504 server.exe -
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 1660 wrote to memory of 3504 (pid 1660, process 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe, procid_target 93)
- PID 1660 wrote to memory of 3504 (pid 1660, process 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe, procid_target 93)
- PID 1660 wrote to memory of 3504 (pid 1660, process 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe, procid_target 93)
- PID 3504 wrote to memory of 4140 (pid 3504, process server.exe, procid_target 97)
- PID 3504 wrote to memory of 4140 (pid 3504, process server.exe, procid_target 97)
- PID 3504 wrote to memory of 4140 (pid 3504, process server.exe, procid_target 97)
Processes
- C:\Users\Admin\AppData\Local\Temp\7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe (depth 1, PID 1660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Child process: C:\Users\Admin\AppData\Local\Temp\server.exe (depth 2, PID 3504)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child process: C:\Windows\SysWOW64\netsh.exe (depth 3, PID 4140)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
- C:\Windows\system32\rundll32.exe (depth 1, PID 2824)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
- C:\Windows\System32\svchost.exe (depth 1, PID 784)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 93KB
  MD5: 36b911da6d9248ad4b683901b0460612
  SHA1: 02b48d75fea67a4cbcea96857f82d220aff9782a
  SHA256: 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319
  SHA512: 7c284d23072ee1064ba88964c6ba974b7f307df8d4a7d569b89d1ae271c0c2b054afe468abceb53f987482e85fd7ee73d8443ad8343c3b71ccdd2025ad9c9f92
- Filesize: 5B
  MD5: 410c3c7c3e0376e2f9b228980b58d042
  SHA1: 3aec3fa12cd88edca90fdc72a0d25cd071dc2052
  SHA256: 5c272042cede2596555e6b6f2c36857b015ccab9f34affbc63d6b000ccd08391
  SHA512: 2a1e382b045d59580271cb05b521d0c6e99772be7cd5ce38d3e5e1997a4cb9d3fe5d424a24c67383a5a2d0002d4a2194f71e1604fa9ff0199944f8cee9b26a57