Analysis
max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/02/2024, 13:29
Static task
static1
Behavioral task
behavioral1
Sample
8c715b595c817d0329225d6ac38f589c.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
8c715b595c817d0329225d6ac38f589c.exe
Resource
win10v2004-20231222-en
General
Target: 8c715b595c817d0329225d6ac38f589c.exe
Size: 1.4MB
MD5: 8c715b595c817d0329225d6ac38f589c
SHA1: 7f4fd357056b846cf0ba7d27af3b9cbb59f18fa9
SHA256: e46615f5b0889ce0e5ad823d3d9ac0cb096765ce42c57d48ab33a85d341ad1e0
SHA512: 9da7288367be001fd951335841d8ded0d1bcf41c15a41dae521cf28c30bfd080121f7899885bca06dd34f2679dd9d94d521a147ca482d1cf52a6c9c68f27c9e4
SSDEEP: 24576:wL0mqdRkD33/hnheiisfPxREPu3sjleyqULE1XOu6JPX3Jmj:wolODnreAfJREze7/XOdpnU
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
  description                   ioc                                     process
  File opened for modification  C:\Windows\system32\drivers\etc\hosts   services.exe
  The hosts file is consulted before DNS, so a write here can redirect or blackhole security-vendor and update domains. Only the open-for-modification is recorded; the content written is not captured in this report.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                 process
  Key value queried  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation  8c715b595c817d0329225d6ac38f589c.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                       process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe  services.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe  services.exe

Executes dropped EXE (1 IoC)
  pid   process
  4196  services.exe
  This services.exe runs from C:\Program Files\Internet Explorer, not from C:\Windows\System32 where the legitimate Service Control Manager binary lives. The name is a masquerade; the ID.Conf written next to it (see below) is the dropped payload's own file.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows OS = "C:\\Program Files\\Internet Explorer\\services.exe"      services.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Windows OS = "C:\\Program Files\\Internet Explorer\\services.exe"  services.exe
  Both the Run and RunOnce values point at the dropped binary, so persistence survives even if one of the two is cleaned.

Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description        ioc                                                          process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  8c715b595c817d0329225d6ac38f589c.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    services.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  services.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    8c715b595c817d0329225d6ac38f589c.exe

Drops file in Program Files directory (4 IoCs)
  description                   ioc                                               process
  File created                  C:\Program Files\Internet Explorer\ID.Conf        services.exe
  File opened for modification  C:\Program Files\Internet Explorer\services.exe   services.exe
  File created                  C:\Program Files\Internet Explorer\services.exe   8c715b595c817d0329225d6ac38f589c.exe
  File opened for modification  C:\Program Files\Internet Explorer\services.exe   8c715b595c817d0329225d6ac38f589c.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  description  ioc                                                                                   process
  Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  rundll32.exe

Runs net.exe
  The dropped services.exe runs cmd.exe /c net stop "Security Center" (cmd.exe -> net.exe -> net1.exe, see Processes). "Security Center" is the display name of the Windows Security Center service (wscsvc), which tracks antivirus and firewall state and raises the Windows Security health notifications; stopping it suppresses those notifications but does not by itself disable Defender or the firewall.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  4056  8c715b595c817d0329225d6ac38f589c.exe  (repeated)
  4196  services.exe                          (repeated)
  64 entries in total across the two PIDs.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  4056  8c715b595c817d0329225d6ac38f589c.exe
  Token: SeDebugPrivilege  4196  services.exe
  SeDebugPrivilege is what lets a process open handles to other processes regardless of their owner; both the sample and the dropped binary enable it.

Suspicious use of WriteProcessMemory (8 IoCs)
  description                    pid   process                               procid_target
  PID 4056 wrote to memory of 4196  4056  8c715b595c817d0329225d6ac38f589c.exe  94
  PID 4056 wrote to memory of 4196  4056  8c715b595c817d0329225d6ac38f589c.exe  94
  PID 4196 wrote to memory of 5072  4196  services.exe                          96
  PID 4196 wrote to memory of 5072  4196  services.exe                          96
  PID 5072 wrote to memory of 1824  5072  cmd.exe                               97
  PID 5072 wrote to memory of 1824  5072  cmd.exe                               97
  PID 1824 wrote to memory of 4748  1824  net.exe                               98
  PID 1824 wrote to memory of 4748  1824  net.exe                               98
  Every write is from a parent into the child it has just created, matching the process tree below; this is consistent with ordinary process creation rather than injection into an unrelated process.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\8c715b595c817d0329225d6ac38f589c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c715b595c817d0329225d6ac38f589c.exe"
  PID: 4056
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Program Files\Internet Explorer\services.exe
    Command line: "C:\Program Files\Internet Explorer\services.exe"
    PID: 4196
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c net stop "Security Center"
      PID: 5072
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\system32\net.exe
        Command line: net stop "Security Center"
        PID: 1824
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop "Security Center"
          PID: 4748

[depth 1] C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Program Files\Internet Explorer\services.exe"
  PID: 4844
  - Modifies registry class
  This is the Windows Firewall notification dialog raised for the dropped services.exe, not a process started by the sample; it is a side effect of the dropped binary attempting network activity.
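The signatures above and the process tree describe a persistence-plus-defense-evasion pattern that can be checked mechanically in telemetry. The following is an added example (not part of the tria.ge report and not the sample's own code): it runs detection logic over constructed Sysmon-style event records that mirror this report's IoCs and parent/child chain, plus one benign control (the real services.exe in System32). The event field names (etype, pid, ppid, image, cmdline, target, data) and the ATT&CK mapping in the docstrings are my own simplification, not tria.ge's schema or the report's own technique list.

```python
# Added example: triage checks for the behaviours in this report, run over
# constructed Sysmon-style records. Field names are a simplification of my
# own, not Sysmon's or tria.ge's schema.

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8c715b595c817d0329225d6ac38f589c.exe"
DROPPED = r"C:\Program Files\Internet Explorer\services.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000"
           r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows OS")
STARTUP = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
           r"\Programs\Startup\Microsoft.exe")
HOSTS = r"C:\Windows\system32\drivers\etc\hosts"

# Constructed events mirroring the report's IoCs and process tree, plus one
# benign control (the legitimate Service Control Manager under System32).
EVENTS = [
    {"etype": "process", "pid": 4056, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"etype": "file_create", "pid": 4056, "image": SAMPLE, "target": DROPPED},
    {"etype": "process", "pid": 4196, "ppid": 4056, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"etype": "registry_set", "pid": 4196, "image": DROPPED, "target": RUN_KEY, "data": DROPPED},
    {"etype": "file_create", "pid": 4196, "image": DROPPED, "target": STARTUP},
    {"etype": "file_modify", "pid": 4196, "image": DROPPED, "target": HOSTS},
    {"etype": "process", "pid": 5072, "ppid": 4196, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": 'cmd.exe /c net stop "Security Center"'},
    {"etype": "process", "pid": 1824, "ppid": 5072, "image": r"C:\Windows\system32\net.exe",
     "cmdline": 'net stop "Security Center"'},
    {"etype": "process", "pid": 4748, "ppid": 1824, "image": r"C:\Windows\system32\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "Security Center"'},
    {"etype": "process", "pid": 700, "ppid": 500, "image": r"C:\Windows\System32\services.exe",
     "cmdline": "services.exe"},
]

# Core Windows binaries that legitimately live only under %SystemRoot%\System32.
SYSTEM_ONLY = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
WINDIR = "c:\\windows\\"


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def masquerading_images(events):
    """T1036.005: a core system binary name running from outside System32."""
    return sorted({e["image"] for e in events
                   if e["etype"] == "process"
                   and basename(e["image"]) in SYSTEM_ONLY
                   and not e["image"].lower().startswith(SYSTEM32)})


def run_key_persistence(events):
    """T1547.001: Run/RunOnce values; flagged when the target was written in this trace."""
    written = {e["target"].lower() for e in events if e["etype"] in ("file_create", "file_modify")}
    hits = []
    for e in events:
        if e["etype"] == "registry_set" and "\\currentversion\\run" in e["target"].lower():
            exe = e["data"].strip('"')
            hits.append({"key": e["target"], "image": exe, "dropped_in_trace": exe.lower() in written})
    return hits


def startup_folder_drops(events):
    """T1547.001: files written into a user's Startup folder."""
    return [e["target"] for e in events
            if e["etype"] in ("file_create", "file_modify")
            and "\\start menu\\programs\\startup\\" in e["target"].lower()]


def hosts_file_writers(events):
    """Images that opened drivers\\etc\\hosts for modification."""
    return sorted({e["image"] for e in events
                   if e["etype"] == "file_modify"
                   and e["target"].lower().endswith("\\drivers\\etc\\hosts")})


def ancestry(procs, pid):
    """Walk ppid links from pid upward; stops at the first pid not seen in the trace."""
    chain = []
    while pid in procs:
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def security_center_stops(events):
    """T1562.001: net/net1 stopping "Security Center", with ancestors outside C:\\Windows listed."""
    procs = {e["pid"]: e for e in events if e["etype"] == "process"}
    hits = []
    for p in procs.values():
        cmd = p["cmdline"].lower()
        if basename(p["image"]) in ("net.exe", "net1.exe") and "stop" in cmd and "security center" in cmd:
            chain = [a["image"] for a in ancestry(procs, p["pid"])]
            hits.append({"pid": p["pid"], "chain": chain,
                         "untrusted_ancestors": [i for i in chain if not i.lower().startswith(WINDIR)]})
    return hits


def triage(events):
    return {
        "masquerading": masquerading_images(events),
        "run_keys": run_key_persistence(events),
        "startup_drops": startup_folder_drops(events),
        "hosts_writers": hosts_file_writers(events),
        "security_center_stops": security_center_stops(events),
    }


if __name__ == "__main__":
    for name, finding in triage(EVENTS).items():
        print(f"{name}: {finding}")
```

The ancestry walk is the piece worth keeping: a bare `net stop "Security Center"` is also what an administrator types, so the finding is tied to the chain leading back to a binary outside C:\Windows (here the dropped services.exe and the sample itself). The masquerade check deliberately keys on the System32 path rather than the file name alone, so the legitimate services.exe in the control event is not flagged.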
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 1.4MB
  MD5: 8c715b595c817d0329225d6ac38f589c
  SHA1: 7f4fd357056b846cf0ba7d27af3b9cbb59f18fa9
  SHA256: e46615f5b0889ce0e5ad823d3d9ac0cb096765ce42c57d48ab33a85d341ad1e0
  SHA512: 9da7288367be001fd951335841d8ded0d1bcf41c15a41dae521cf28c30bfd080121f7899885bca06dd34f2679dd9d94d521a147ca482d1cf52a6c9c68f27c9e4

File 2
  Filesize: 925KB
  MD5: 33782b9fd123881c21dc56a4cc07c3ae
  SHA1: 05cc7d21bc15bab843697b1471cda97dce17610d
  SHA256: 44db9181293c9780d8618fc4bde48c93e9434e0324cb20dd660b04c757a59d83
  SHA512: cb1bd816ea2cae9ebd68122fca1f299a8fbc2481fde97e5bfdc0456b722e8baf9738acf567cfae8962844ddcce5c069a9c4b8432db98b510e78907ff049d6710

File 3
  Filesize: 650KB
  MD5: 622328cba93f08605f2c88f8d5c4393e
  SHA1: 6f2de906b90163b261719de7e06feb3a274e5220
  SHA256: 3d200780b1ca6518ce1039bef37712efee8287cf968f40022db446f6089f56e9
  SHA512: 487f71233a397487a26ade53020f600c46bfa09efc8e48f6ddcae93583ea30260bdcd2c41891219800e05c029dc113e23c89e8d042ba9495320860c8ad95ce92