Analysis
  max time kernel:   150s
  max time network:  152s
  platform:          windows10-2004_x64
  resource:          win10v2004-20231215-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         18/01/2024, 07:57
Behavioral task: behavioral1
  Sample:    64e03ce9d4db10ad22af9fdecf8e750b.exe
  Resource:  win7-20231129-en

Behavioral task: behavioral2
  Sample:    64e03ce9d4db10ad22af9fdecf8e750b.exe
  Resource:  win10v2004-20231215-en
General
  Target:  64e03ce9d4db10ad22af9fdecf8e750b.exe
  Size:    230KB
  MD5:     64e03ce9d4db10ad22af9fdecf8e750b
  SHA1:    b9fe3564b39f85feac38877320562d345fa31300
  SHA256:  e9cafe0e597dea98a327b31ceb7bcf8a6a90c90d729b6709c0b8819efb53ceec
  SHA512:  815d7f97eb088e3dee422b1fdf7ad9fae6796ad1d7648c46942610d48074042d7d6ea2073ca6d65df86d91b6b8e16c5d03d90a042272c5ea74783f3e62c69ec1
  SSDEEP:  1536:e/gDBnYi9bV1BZV0CbD/csMunng0P5JkcrOGEoUjMJC:e4ZYi9bV1BZV0C3csjnbJkoVBUg8
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                              Process
  Key value queried   \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation   64e03ce9d4db10ad22af9fdecf8e750b.exe
Drops startup file (4 IoCs)
  description                    ioc                                                                                         Process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe   Payload.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe   Payload.exe
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk   64e03ce9d4db10ad22af9fdecf8e750b.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk   Payload.exe
Executes dropped EXE (1 IoC)
  pid    Process
  3636   Payload.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
  description       ioc                                                                                                                                                                                   Process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"                                    Payload.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"    Payload.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"                                     Payload.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"                              64e03ce9d4db10ad22af9fdecf8e750b.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"   Payload.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (33 IoCs)
  description                          pid    Process
  Token: SeDebugPrivilege              3636   Payload.exe
  Token: 33                            3636   Payload.exe   (repeated 16 times, alternating with the row below)
  Token: SeIncBasePriorityPrivilege    3636   Payload.exe   (repeated 16 times)
Suspicious use of WriteProcessMemory (6 IoCs)
  description                   pid    Process                                procid_target
  PID 4448 wrote to memory of 3636   4448   64e03ce9d4db10ad22af9fdecf8e750b.exe   96
  PID 4448 wrote to memory of 3636   4448   64e03ce9d4db10ad22af9fdecf8e750b.exe   96
  PID 4448 wrote to memory of 3636   4448   64e03ce9d4db10ad22af9fdecf8e750b.exe   96
  PID 4448 wrote to memory of 4776   4448   64e03ce9d4db10ad22af9fdecf8e750b.exe   97
  PID 4448 wrote to memory of 4776   4448   64e03ce9d4db10ad22af9fdecf8e750b.exe   97
  PID 4448 wrote to memory of 4776   4448   64e03ce9d4db10ad22af9fdecf8e750b.exe   97
Views/modifies file attributes (1 TTP, 1 IoC)
  pid    Process
  4776   attrib.exe
Processes

  [1] C:\Users\Admin\AppData\Local\Temp\64e03ce9d4db10ad22af9fdecf8e750b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\64e03ce9d4db10ad22af9fdecf8e750b.exe"
      PID: 4448
      - Checks computer location settings
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      [2] C:\Users\Admin\AppData\Local\Temp\Payload.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
          PID: 3636
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken

      [2] C:\Windows\SysWOW64\attrib.exe
          Command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
          PID: 4776
          - Views/modifies file attributes
Downloads

  File 1 (same hashes as the submitted sample)
    Filesize:  230KB
    MD5:       64e03ce9d4db10ad22af9fdecf8e750b
    SHA1:      b9fe3564b39f85feac38877320562d345fa31300
    SHA256:    e9cafe0e597dea98a327b31ceb7bcf8a6a90c90d729b6709c0b8819efb53ceec
    SHA512:    815d7f97eb088e3dee422b1fdf7ad9fae6796ad1d7648c46942610d48074042d7d6ea2073ca6d65df86d91b6b8e16c5d03d90a042272c5ea74783f3e62c69ec1

  File 2
    Filesize:  1KB
    MD5:       a494f70527b15499c4b74551eeacfd84
    SHA1:      406ce4f0ada56eb44dd6163d6325704b71eb842b
    SHA256:    c24a6e237aecee6fd1d2a5966d29cd010af38551e4688e55e3d6e0afc3bdec7e
    SHA512:    2375a7d75df3b8ed815d13c747e14917fadbb4e5e6785edac3ccb4ecfc7d5c524dd59102e7463f3a2be63d4d2d3f5f8be4c97a2e3e313c46c91c6296590eec79

  File 3
    Filesize:  1KB
    MD5:       b07ac570a72fdb99e86ff788b7215a88
    SHA1:      619c28f29f5a978a434417b84056a63b6ae74c83
    SHA256:    da85dee9086e4aa5419e20b3504efc21b37b8b722fca02c6c012b201433a46bf
    SHA512:    b13c2be2d3301b94f9f01dec189b241d572c5bd6c959871558619f0e7c98f2ec8324bd46da3604fc933f7cfa44dab0b4613f6ac2b448c934cb621f308909a6f5