Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/02/2024, 13:20
Static task: static1
Behavioral task: behavioral1
Sample: 94991507c04f29915d7afeb6a1ce2c0b.exe
Resource: win7-20231215-en
General
Target: 94991507c04f29915d7afeb6a1ce2c0b.exe
Size: 429KB
MD5: 94991507c04f29915d7afeb6a1ce2c0b
SHA1: bb71a4a11a793cd6e4554e6cfa415bc93509599d
SHA256: 0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f
SHA512: b1df63faa49c0f5aed4973375e2b70da477126f1b651418be038ba66ddadee7e89cf20db56504e0d8d42a01490cc6312613c72e82056ed1ade4af6693df734b0
SSDEEP: 12288:gErZ1tp5Be+DDqzzATxOife+iOANdt8DKxvqcldx/oVIY:gE9x5bXE8oif9U8DKRqEdx/x
Malware Config
Extracted: gozi
- 10030
- jscallowallowallowjcli.me
- disallowjscuserallow.pw
- build: 215790
- dga_base_url: z1.zedo.com/robots.txt
- dga_crc: 0x246640bb
- exe_type: worker
- server_id: 12
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation (process: 94991507c04f29915d7afeb6a1ce2c0b.exe)

Deletes itself (1 IoC)
  PID 4712 acpphema.exe

Executes dropped EXE (1 IoC)
  PID 4712 acpphema.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnstui = "C:\\Users\\Admin\\AppData\\Roaming\\adsltext\\acpphema.exe" (process: 94991507c04f29915d7afeb6a1ce2c0b.exe)

Suspicious use of SetThreadContext (5 IoCs)
  PID 4712 (acpphema.exe) set thread context of PID 5040 (procid_target 88)
  PID 5040 (svchost.exe) set thread context of PID 3596 (procid_target 46)
  PID 3596 (Explorer.EXE) set thread context of PID 1364 (procid_target 58)
  PID 3596 (Explorer.EXE) set thread context of PID 4196 (procid_target 57)
  PID 3596 (Explorer.EXE) set thread context of PID 2868 (procid_target 66)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 4712 acpphema.exe (x2)
  PID 3596 Explorer.EXE (x2)

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 4712 acpphema.exe
  PID 5040 svchost.exe
  PID 3596 Explorer.EXE (x3)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeShutdownPrivilege, PID 3596 Explorer.EXE
  Token: SeCreatePagefilePrivilege, PID 3596 Explorer.EXE
  Token: SeShutdownPrivilege, PID 1364 RuntimeBroker.exe (x2)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3596 Explorer.EXE

Suspicious use of WriteProcessMemory (26 IoCs)
  PID 1208 (94991507c04f29915d7afeb6a1ce2c0b.exe) wrote to memory of PID 3004 (procid_target 84) (x3)
  PID 3004 (cmd.exe) wrote to memory of PID 1636 (procid_target 86) (x3)
  PID 1636 (cmd.exe) wrote to memory of PID 4712 (procid_target 87) (x3)
  PID 4712 (acpphema.exe) wrote to memory of PID 5040 (procid_target 88) (x5)
  PID 5040 (svchost.exe) wrote to memory of PID 3596 (procid_target 46) (x3)
  PID 3596 (Explorer.EXE) wrote to memory of PID 1364 (procid_target 58) (x3)
  PID 3596 (Explorer.EXE) wrote to memory of PID 4196 (procid_target 57) (x3)
  PID 3596 (Explorer.EXE) wrote to memory of PID 2868 (procid_target 66) (x3)
Processes

C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  PID: 3596
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe"
    PID: 1208
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CB9C\65CE.bat" "C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE""
      PID: 3004
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (depth 4)
        command line: cmd /C ""C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE""
        PID: 1636
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe (depth 5)
          command line: "C:\Users\Admin\AppData\Roaming\adsltext\acpphema.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE"
          PID: 4712
          - Deletes itself
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\svchost.exe (depth 6)
            command line: C:\Windows\system32\svchost.exe
            PID: 5040
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory

C:\Windows\System32\RuntimeBroker.exe (depth 1)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4196

C:\Windows\System32\RuntimeBroker.exe (depth 1)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 1364
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\RuntimeBroker.exe (depth 1)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2868
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 112B
  MD5: 8c817d9cb6d422ccbfd3a55d173dbaef
  SHA1: bfe5c99c17e7b16db3cf61d37da61d6aa94eafd4
  SHA256: 72ac87fcd48ff4ede7cd4c165f71b92ab3389f5b284cd430e7a6b04f7d3cdec2
  SHA512: 64fa76bd99e8b5cdbe0137c662119ec1668cfaacb3f81013c37f24a80bd9f11e65deeb63ec9be013d6c7b700b815cbc274cbd92f0b29d34c15d80d62bb27f8ed

- Filesize: 429KB
  MD5: 94991507c04f29915d7afeb6a1ce2c0b
  SHA1: bb71a4a11a793cd6e4554e6cfa415bc93509599d
  SHA256: 0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f
  SHA512: b1df63faa49c0f5aed4973375e2b70da477126f1b651418be038ba66ddadee7e89cf20db56504e0d8d42a01490cc6312613c72e82056ed1ade4af6693df734b0