Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/01/2024, 05:45
Behavioral task: behavioral1
- Sample: d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
- Resource: win10v2004-20231222-en
General
- Target: d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
- Size: 31KB
- MD5: a5ad2d1796744144d739569bb466b307
- SHA1: 42de0164c8cbd9b6c64100de720d2e0c49ebcb77
- SHA256: d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9
- SHA512: 45fa09478a871a75f4650a56529632bfddf93990819c6d5212753325305a7946c631076897b13e62297136ae26db064fef701dea23453ea504b4c2517d5e74b9
- SSDEEP: 384:c8LBBi/W/7mgEp87wYK2GePqZhbM2AQk93vmhm7UMKmIEecKdbXTzm9bVhcaO6fd:5W/sqoHT2A/vMHTi9bD/Qz1n
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
- Drops startup file (4 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | Payload.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | Payload.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Payload.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  60 | Payload.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 60 | Payload.exe
  Token: 33 | 60 | Payload.exe (16 occurrences, alternating with the row below)
  Token: SeIncBasePriorityPrivilege | 60 | Payload.exe (16 occurrences)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1960 wrote to memory of 60 | 1960 | d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | 96
  PID 1960 wrote to memory of 60 | 1960 | d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | 96
  PID 1960 wrote to memory of 60 | 1960 | d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | 96
  PID 1960 wrote to memory of 1740 | 1960 | d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | 97
  PID 1960 wrote to memory of 1740 | 1960 | d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | 97
  PID 1960 wrote to memory of 1740 | 1960 | d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | 97
- Views/modifies file attributes (1 TTP, 1 IoC)
  pid | Process
  1740 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe"
  PID: 1960
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\Payload.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    PID: 60
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    PID: 1740
    - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 31KB
  MD5: a5ad2d1796744144d739569bb466b307
  SHA1: 42de0164c8cbd9b6c64100de720d2e0c49ebcb77
  SHA256: d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9
  SHA512: 45fa09478a871a75f4650a56529632bfddf93990819c6d5212753325305a7946c631076897b13e62297136ae26db064fef701dea23453ea504b4c2517d5e74b9
- Filesize: 1KB
  MD5: 1cf416d26fcaa9ac44cde97b4071c2c1
  SHA1: 2f49d770b79359232d9b8ad9609bcab9bc8489a1
  SHA256: 298bf368286c7dfa7b8cd2774d93811fea422c38b37b79c4049fb38fbfa49da0
  SHA512: d4a92f2051d7bb5ec5dfd5cce038202cab2a75fad83238c914ce0e1d4db66b36bd2b8302451035e6e9cbf8160965e180f91af0ffea9772c28e0a4aa9a4171bcf
- Filesize: 1KB
  MD5: b565b6f7a706fa0e6f1a618d53af840a
  SHA1: a2dcefc8f9bf6ffc89c3e9dba9ba582a4dc0c47f
  SHA256: e2be89378f1677a386e8641949f4af149db4947d04ff320e256a5c0b39d683cb
  SHA512: 11755649cf70808de39fd6f3a20559feebad8e7344bbd5c10de0d285ded97d8570c9e01b2834eb80c6e3179abc6bec2d9bbd4dc4e24dd94fb981fd6c9caf28fe