Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
19/01/2024, 05:27
Behavioral task
behavioral1
Sample
gwr4j809gbrej089.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
gwr4j809gbrej089.exe
Resource
win10v2004-20231222-en
General
-
Target
gwr4j809gbrej089.exe
-
Size
23KB
-
MD5
476cbad4b571f2b67d584513386ebd2d
-
SHA1
17d3a11fedbf7750ddff2cdbf3e4d236f0e19282
-
SHA256
a0e7f92466f2684014a40a22f7488478ab07fc36e1df6c7dacb9c29063ff69d6
-
SHA512
d50a7565026c76204c13a0dd0d5bc9574468bf841d6f75c223dce95f7ce7f21ce512e6b7dc67ca2fd3452410bed4f57fa9be80b798d98e16af2b3a7437e99c80
-
SSDEEP
384:KoWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZIt:t7O89p2rRpcnuv
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 2784 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation gwr4j809gbrej089.exe -
Executes dropped EXE 1 IoCs
pid Process 4472 server.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe Token: 33 4472 server.exe Token: SeIncBasePriorityPrivilege 4472 server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1648 wrote to memory of 4472 1648 gwr4j809gbrej089.exe 100 PID 1648 wrote to memory of 4472 1648 gwr4j809gbrej089.exe 100 PID 1648 wrote to memory of 4472 1648 gwr4j809gbrej089.exe 100 PID 4472 wrote to memory of 2784 4472 server.exe 104 PID 4472 wrote to memory of 2784 4472 server.exe 104 PID 4472 wrote to memory of 2784 4472 server.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\gwr4j809gbrej089.exe"C:\Users\Admin\AppData\Local\Temp\gwr4j809gbrej089.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:2784
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD5476cbad4b571f2b67d584513386ebd2d
SHA117d3a11fedbf7750ddff2cdbf3e4d236f0e19282
SHA256a0e7f92466f2684014a40a22f7488478ab07fc36e1df6c7dacb9c29063ff69d6
SHA512d50a7565026c76204c13a0dd0d5bc9574468bf841d6f75c223dce95f7ce7f21ce512e6b7dc67ca2fd3452410bed4f57fa9be80b798d98e16af2b3a7437e99c80