Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/02/2024, 06:43

Static task: static1
Behavioral task: behavioral1
- Sample: 8ba993d8a5d0e8d2241b6792ef52604c.exe
- Resource: win7-20231215-en
General
- Target: 8ba993d8a5d0e8d2241b6792ef52604c.exe
- Size: 705KB
- MD5: 8ba993d8a5d0e8d2241b6792ef52604c
- SHA1: 001795b77312764568a5546d0a211ecc069153f4
- SHA256: 6a1266a18d3ef01bdca38871caa7164354f35b7aae7f6301303276f20c9f156e
- SHA512: 763d827c1cc2b12e9e2b83ad79a8142b3c47c052739a68a3087ab3c6e988610e3a497b843452f3e2c4e2830734e93280befb3d7726912d974b69606bc2cb9cb2
- SSDEEP: 12288:cDJnJM4OpSpnO8kT5lM1npEA4qI9xhio521AzWRkIaCMrBgn0AV:gJnJM4OqTWXUpLqz8Mri0A
Malware Config
Signatures
- Disables taskbar notifications via registry modification
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1815711207-1844170477-3539718864-1000 | alg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1815711207-1844170477-3539718864-1000\EnableNotifications = "0" | alg.exe
- Executes dropped EXE (6 IoCs)
  pid | Process
  2732 | alg.exe
  3412 | DiagnosticsHub.StandardCollector.Service.exe
  852 | fxssvc.exe
  4284 | elevation_service.exe
  3940 | maintenanceservice.exe
  4784 | msdtc.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (24 IoCs)
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | alg.exe
  File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | 8ba993d8a5d0e8d2241b6792ef52604c.exe
  File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
- Suspicious behavior: EnumeratesProcesses (28 IoCs, all from PID 2732 alg.exe)
- Suspicious behavior: LoadsDriver (2 IoCs)
  pid | Process
  660 | Process not Found
  660 | Process not Found
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeTakeOwnershipPrivilege | 4996 | 8ba993d8a5d0e8d2241b6792ef52604c.exe
  Token: SeTakeOwnershipPrivilege | 2732 | alg.exe
  Token: SeAuditPrivilege | 852 | fxssvc.exe
- System policy modification (1 TTP, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | alg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | alg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8ba993d8a5d0e8d2241b6792ef52604c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ba993d8a5d0e8d2241b6792ef52604c.exe"
  PID: 4996
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  PID: 2732
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  PID: 3412
  - Executes dropped EXE
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 2288
- C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  PID: 852
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 4284
  - Executes dropped EXE
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  PID: 3940
  - Executes dropped EXE
  - Drops file in Program Files directory
- C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  PID: 4784
  - Executes dropped EXE
  - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads