Analysis
- max time kernel: 152s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
- submitted: 18/01/2024, 14:52
Behavioral task: behavioral1
- Sample: Server.exe
- Resource: win7-20231215-en
General
- Target: Server.exe
- Size: 93KB
- MD5: 90ac8a759ee08383aae9e92c55550701
- SHA1: acb356c4b297f8072e744955a35b52ffb1f403d2
- SHA256: d1e1a276ad4820f0472c8acac3f9d17d3bcd64bbe35f5c38148533f1f5b14603
- SHA512: 19363a421ea763a0e5befab5134fdb90d8eee4a45ede263ca4abbd92c71a454c2cab4b9dca32d1480bedc335df79830795580d93f33afae2d364b51310e92fdd
- SSDEEP: 1536:h+IYW6qbkW8aVpO1ARkoojEwzGi1dDUDxgS:h+88aVpO2SCi1dqu
Malware Config

Signatures

Modifies Windows Firewall (1 TTP, 1 IoC)
  - PID 4368, netsh.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (Server.exe)
Drops startup file (6 IoCs)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (server.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c19e8f3730b35d0f4a54a9c8fb6c824Windows Update.exe (server.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c19e8f3730b35d0f4a54a9c8fb6c824Windows Update.exe (server.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe (server.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe (server.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (server.exe)
Executes dropped EXE (1 IoC)
  - PID 4428, server.exe
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  - File created: C:\autorun.inf (server.exe)
  - File opened for modification: C:\autorun.inf (server.exe)
  - File created: F:\autorun.inf (server.exe)
  - File opened for modification: F:\autorun.inf (server.exe)
Drops file in System32 directory (2 IoCs)
  - File created: C:\Windows\SysWOW64\Explower.exe (server.exe)
  - File opened for modification: C:\Windows\SysWOW64\Explower.exe (server.exe)
Drops file in Program Files directory (2 IoCs)
  - File created: C:\Program Files (x86)\Explower.exe (server.exe)
  - File opened for modification: C:\Program Files (x86)\Explower.exe (server.exe)
Drops file in Windows directory (2 IoCs)
  - File created: C:\Windows\server.exe (Server.exe)
  - File opened for modification: C:\Windows\server.exe (server.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 4428, server.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 4428, server.exe
Suspicious use of AdjustPrivilegeToken (33 IoCs)
  - Token: SeDebugPrivilege, PID 4428, server.exe (1 entry)
  - Token: 33, PID 4428, server.exe (16 entries)
  - Token: SeIncBasePriorityPrivilege, PID 4428, server.exe (16 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 2640 (Server.exe) wrote to memory of PID 4428, procid_target 88 (3 entries)
  - PID 4428 (server.exe) wrote to memory of PID 4368, procid_target 89 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  PID: 2640
  Signatures:
    - Checks computer location settings
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  - C:\Windows\server.exe
    Command line: "C:\Windows\server.exe"
    PID: 4428
    Signatures:
      - Drops startup file
      - Executes dropped EXE
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
      PID: 4368
      Signatures:
        - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5B
  MD5: 410c3c7c3e0376e2f9b228980b58d042
  SHA1: 3aec3fa12cd88edca90fdc72a0d25cd071dc2052
  SHA256: 5c272042cede2596555e6b6f2c36857b015ccab9f34affbc63d6b000ccd08391
  SHA512: 2a1e382b045d59580271cb05b521d0c6e99772be7cd5ce38d3e5e1997a4cb9d3fe5d424a24c67383a5a2d0002d4a2194f71e1604fa9ff0199944f8cee9b26a57
- Filesize: 93KB
  MD5: 90ac8a759ee08383aae9e92c55550701
  SHA1: acb356c4b297f8072e744955a35b52ffb1f403d2
  SHA256: d1e1a276ad4820f0472c8acac3f9d17d3bcd64bbe35f5c38148533f1f5b14603
  SHA512: 19363a421ea763a0e5befab5134fdb90d8eee4a45ede263ca4abbd92c71a454c2cab4b9dca32d1480bedc335df79830795580d93f33afae2d364b51310e92fdd