Analysis
  max time kernel: 152s
  max time network: 158s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25/01/2024, 17:21
Static task: static1
Behavioral task: behavioral1
  Sample: U prilogu lista novih narudzbi.exe
  Resource: win7-20231129-en
General
  Target: U prilogu lista novih narudzbi.exe (Croatian/Serbian: "Attached is the list of new orders", an order-themed lure filename)
  Size: 776KB
  MD5: 75c1a9a40b3594e87dfd526d5d02786e
  SHA1: 9da904b9ade761c097d214a2fa823edc219522da
  SHA256: be6c4cf0c6c048a2a1c98374746b282bae9c7eb191ec193a747b47910ade5aa1
  SHA512: 808bda7370c3c5c00faca7a088b059baa59545f17bd8167964565379dbf77d0093824cc4496c7154dc65b83dea92e118027e737ac640a6cd697928f6f81ed7a9
  SSDEEP: 24576:20vDyK4nrFuXSrTb/bqQlt/GR4lHKg6Qsi08StK2PwxNcH:20uKYFuXkcssi08IK2ozcH
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation, by U prilogu lista novih narudzbi.exe

Drops startup file (3 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.lnk, by U prilogu lista novih narudzbi.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe, by cmd.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe, by cmd.exe
  Two artifacts land in the per-user Startup folder: a shortcut written by the sample itself and a full copy of the executable written by the cmd.exe one-liner shown in the process tree.

Executes dropped EXE (1 IoC)
  PID 4044 skype.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 4044 skype.exe set the thread context of PID 1548 AddInProcess32.exe (target 101)
  PID 1548 AddInProcess32.exe set the thread context of PID 3488 Explorer.EXE (target 28)
  PID 1936 control.exe set the thread context of PID 3488 Explorer.EXE (target 28)
  Changing the context of a thread that belongs to another process is how process hollowing and thread hijacking hand execution to injected code. Here the Startup copy redirects a thread in a freshly started .NET helper, and both that helper and control.exe redirect a thread in the user's Explorer.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 2 IoCs)
  PID 1408 PING.EXE
  PID 4052 PING.EXE
  Both are "ping 127.0.0.1 -n 22 > nul": 22 loopback requests spaced about one second apart, a roughly 21-second delay used in place of a sleep call.

Suspicious behavior: EnumeratesProcesses (46 IoCs)
  Processes: 4832 U prilogu lista novih narudzbi.exe, 952 skype.exe, 4044 skype.exe, 1548 AddInProcess32.exe, 1936 control.exe

Suspicious behavior: MapViewOfSection (5 IoCs)
  1548 AddInProcess32.exe (3), 1936 control.exe (2)

Suspicious behavior: RenamesItself (1 IoC)
  4832 U prilogu lista novih narudzbi.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token SeDebugPrivilege enabled by: 4832 U prilogu lista novih narudzbi.exe, 952 skype.exe, 4044 skype.exe, 1548 AddInProcess32.exe, 1936 control.exe

Suspicious use of WriteProcessMemory (24 IoCs, grouped by writer -> target with the tria.ge target id and the number of writes)
  4832 U prilogu lista novih narudzbi.exe -> 952 skype.exe (94, 3 writes)
  952 skype.exe -> 3688 cmd.exe (96, 3 writes)
  3688 cmd.exe -> 1408 PING.EXE (98, 3 writes)
  3688 cmd.exe -> 4052 PING.EXE (99, 3 writes)
  3688 cmd.exe -> 4044 skype.exe (100, 3 writes)
  4044 skype.exe -> 1548 AddInProcess32.exe (101, 6 writes)
  3488 Explorer.EXE -> 1936 control.exe (102, 3 writes)
  The extra writes into AddInProcess32.exe, taken together with the SetThreadContext call on it, are consistent with process hollowing of that helper.
Processes

Read from the tree below and the signatures above: the submitted file (PID 4832, started from Explorer.EXE) renames itself to Temp\skype.exe and writes skype.lnk into the user's Startup folder; the renamed copy (952) runs a cmd.exe one-liner (3688) that delays with a loopback ping, copies the executable into Startup\skype\, delays again and launches that copy (4044); the Startup copy starts the .NET helper AddInProcess32.exe (1548) and sets its thread context, AddInProcess32.exe sets the thread context of Explorer.EXE (3488), and Explorer then spawns control.exe (1936), which also sets the thread context of Explorer. The Network and Malware Config sections of this report are empty.

C:\Windows\Explorer.EXE (PID 3488)
  - Suspicious use of WriteProcessMemory
  "C:\Users\Admin\AppData\Local\Temp\U prilogu lista novih narudzbi.exe" (PID 4832)
    - Checks computer location settings
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\skype.exe" (PID 952)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 3688)
        "cmd" /c ping 127.0.0.1 -n 22 > nul && copy "C:\Users\Admin\AppData\Local\Temp\skype.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe" && ping 127.0.0.1 -n 22 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"
        - Drops startup file
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (PID 1408): ping 127.0.0.1 -n 22
          - Runs ping.exe
        C:\Windows\SysWOW64\PING.EXE (PID 4052): ping 127.0.0.1 -n 22
          - Runs ping.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe" (PID 4044)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (PID 1548)
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\control.exe (PID 1936)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
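The behaviours flagged above (loopback ping as a delay chained with a copy into the Startup folder, an executable launched from the Startup folder, and SetThreadContext across process boundaries, in particular into Explorer) can be turned into detection logic. The following Python is an added example, not tria.ge's own signatures; it runs over constructed Sysmon-style events that mirror this report's process tree. The field names (Image, CommandLine, ProcessId, SourceProcessId, TargetProcessId, TargetImage) are assumptions, and Sysmon itself has no SetThreadContext event, so that record type is assumed to come from an EDR or sandbox API trace.

```python
"""Detection logic for the behaviour chain in the report, run over constructed
Sysmon-style events (not real telemetry, not tria.ge output). Field names are
assumed; the SetThreadContext record type is assumed to come from an EDR/sandbox."""
import re

STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# "ping 127.0.0.1 -n 22 > nul": 22 loopback requests about one second apart,
# i.e. roughly 21 s of delay without calling Sleep() or timeout.exe.
# [^&|] keeps each match inside one segment of a &&-chained command line.
LOOPBACK_PING = re.compile(
    r"\bping\b[^&|]*?\b(?:127\.0\.0\.1|localhost)\b[^&|]*?-n\s+(\d+)", re.IGNORECASE)
COPY_INTO_STARTUP = re.compile(
    r"\b(?:copy|move|xcopy)\b[^&|]*\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def ping_sleep_requests(cmdline):
    """Largest -n count of any loopback ping in the command line, 0 if none."""
    return max((int(n) for n in LOOPBACK_PING.findall(cmdline)), default=0)


def flag_process_create(ev):
    hits = []
    cmdline = ev.get("CommandLine", "")
    if ping_sleep_requests(cmdline) >= 5 and COPY_INTO_STARTUP.search(cmdline):
        hits.append("loopback ping used as a delay, chained with a copy into the Startup folder")
    image = ev.get("Image", "")
    if STARTUP_DIR.search(image) and image.lower().endswith(".exe"):
        hits.append("executable launched from the Startup folder")
    return hits


def flag_set_thread_context(ev):
    if ev["SourceProcessId"] == ev["TargetProcessId"]:
        return []  # a process adjusting its own threads is routine
    target = ev["TargetImage"].rsplit("\\", 1)[-1].lower()
    note = f"cross-process SetThreadContext into PID {ev['TargetProcessId']} ({target})"
    if target == "explorer.exe":
        note += ": injection into Explorer"
    return [note]


def scan(events):
    """Map PID -> findings, keyed on the process that performed the action."""
    findings = {}
    for ev in events:
        if ev["EventType"] == "ProcessCreate":
            pid, hits = ev["ProcessId"], flag_process_create(ev)
        elif ev["EventType"] == "SetThreadContext":
            pid, hits = ev["SourceProcessId"], flag_set_thread_context(ev)
        else:
            continue
        if hits:
            findings.setdefault(pid, []).extend(hits)
    return findings


STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed events mirroring the report's tree, plus two benign ones that must not fire.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 3688, "ParentProcessId": 952,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"cmd" /c ping 127.0.0.1 -n 22 > nul && copy "' + TEMP + r'\skype.exe" "'
                    + STARTUP + r'\skype\skype.exe" && ping 127.0.0.1 -n 22 > nul && "'
                    + STARTUP + r'\skype\skype.exe"'},
    {"EventType": "ProcessCreate", "ProcessId": 1408, "ParentProcessId": 3688,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1 -n 22"},
    {"EventType": "ProcessCreate", "ProcessId": 4044, "ParentProcessId": 3688,
     "Image": STARTUP + r"\skype\skype.exe", "CommandLine": '"' + STARTUP + r'\skype\skype.exe"'},
    {"EventType": "ProcessCreate", "ProcessId": 5555, "ParentProcessId": 3488,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c ping 8.8.8.8 -n 4"},
    {"EventType": "SetThreadContext", "SourceProcessId": 4044, "TargetProcessId": 1548,
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"},
    {"EventType": "SetThreadContext", "SourceProcessId": 1548, "TargetProcessId": 3488,
     "TargetImage": r"C:\Windows\Explorer.EXE"},
    {"EventType": "SetThreadContext", "SourceProcessId": 1936, "TargetProcessId": 3488,
     "TargetImage": r"C:\Windows\Explorer.EXE"},
    {"EventType": "SetThreadContext", "SourceProcessId": 7777, "TargetProcessId": 7777,
     "TargetImage": r"C:\Program Files\Benign\app.exe"},
]

if __name__ == "__main__":
    for pid, hits in sorted(scan(SAMPLE_EVENTS).items()):
        print(pid, *hits, sep="\n    ")
```

The lone ping.exe processes (1408 and its twin) deliberately do not fire on their own: a loopback ping is only interesting here because the same command line goes on to copy into Startup and launch the copy. The thread-context rule keys on the writer, so 4044 collects two findings, one for being launched from Startup and one for redirecting a thread in AddInProcess32.exe.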
Network
MITRE ATT&CK Enterprise v15
Downloads
  File 1
    Filesize: 1KB
    MD5: cc82803ce7afbf6041074676af07924f
    SHA1: 231a608fce48b82868d08a39dad5ac13c955bf3d
    SHA256: 5467350d290b94cacfabfc9cd79c2f26f64c94eb8d719113597098dc6016154d
    SHA512: 4f13d21b1dd8be23b51e5410a57db81f37d3326c944937b6546ca02de018b8b1b7921dd81cb4584fe42e734cf0ab073f8b9079b12c5a9e6193116c677ceb624f
  File 2
    Filesize: 776KB
    MD5: 75c1a9a40b3594e87dfd526d5d02786e
    SHA1: 9da904b9ade761c097d214a2fa823edc219522da
    SHA256: be6c4cf0c6c048a2a1c98374746b282bae9c7eb191ec193a747b47910ade5aa1
    SHA512: 808bda7370c3c5c00faca7a088b059baa59545f17bd8167964565379dbf77d0093824cc4496c7154dc65b83dea92e118027e737ac640a6cd697928f6f81ed7a9
    These digests are identical to the submitted sample's, so the file written to disk is the original executable byte for byte: the sample renames itself to skype.exe and is copied unchanged into the Startup folder, and one hash set therefore covers the original, the Temp copy and the Startup copy.
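Because the dropped copy shares the sample's digests, a single hash set is enough to hunt for every on-disk artifact from this report. The following Python is an added example, not tria.ge tooling: it hashes each file once with all four algorithms in one pass and matches against the MD5/SHA-1/SHA-256 values taken from the General and Downloads sections above. The demo plants a constructed stand-in file (not the real sample) in a temporary directory and registers its SHA-256 so that the sweep can be run offline; the directory layout it builds is an assumption for the demonstration.

```python
"""Hash-based sweep for the artifacts listed in the report. Added example, not
tria.ge tooling. IOC values are copied from the report; the demo below uses a
constructed stand-in file, not the sample itself."""
import hashlib
import io
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Copied from the report. The 776KB entry is the submitted sample; its copies
# under Temp and the Startup folder carry the same digests.
REPORT_IOCS = {
    "md5": {"75c1a9a40b3594e87dfd526d5d02786e", "cc82803ce7afbf6041074676af07924f"},
    "sha1": {"9da904b9ade761c097d214a2fa823edc219522da",
             "231a608fce48b82868d08a39dad5ac13c955bf3d"},
    "sha256": {"be6c4cf0c6c048a2a1c98374746b282bae9c7eb191ec193a747b47910ade5aa1",
               "5467350d290b94cacfabfc9cd79c2f26f64c94eb8d719113597098dc6016154d"},
}


def digest_stream(stream, chunk_size=1 << 20):
    """One pass over the stream, all four digests at once, so large files are read once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    return digest_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as f:
        return digest_stream(f)


def sweep(root, iocs=REPORT_IOCS):
    """Walk root; return (path, matched algorithms, sha256) for every file whose
    digest appears in any IOC set. Unreadable files are skipped rather than fatal."""
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue
            matched = sorted(alg for alg, d in digests.items() if d in iocs.get(alg, ()))
            if matched:
                matches.append((path, matched, digests["sha256"]))
    return matches


def demo():
    """Constructed tree (assumption for the demo): one benign file and one planted
    stand-in under a Startup-like path whose SHA-256 is added to a copy of the IOCs."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        drop_dir = os.path.join(root, "Start Menu", "Programs", "Startup", "skype")
        os.makedirs(drop_dir)
        planted = os.path.join(drop_dir, "skype.exe")
        with open(planted, "wb") as f:
            f.write(b"constructed stand-in for the dropped copy, not the sample\n")
        iocs = {alg: set(values) for alg, values in REPORT_IOCS.items()}
        iocs["sha256"].add(hash_file(planted)["sha256"])
        return sweep(root, iocs)


if __name__ == "__main__":
    for path, algs, sha256 in demo():
        print(f"{path}: matched on {', '.join(algs)} (sha256 {sha256})")
```

On a real host, point sweep() at the user's AppData tree (the report's paths live under Local\Temp and Roaming\Microsoft\Windows\Start Menu\Programs\Startup) and keep SHA-256 as the authoritative match; MD5 and SHA-1 are retained only because vendor feeds still publish them.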