Analysis
max time kernel: 44s
max time network: 39s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/02/2024, 07:32
Static task: static1
Behavioral task: behavioral1
  Sample: 9b1fbfd63513103ee14c85f72db99c96.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 9b1fbfd63513103ee14c85f72db99c96.exe
  Resource: win10v2004-20231215-en
Errors
General
Target: 9b1fbfd63513103ee14c85f72db99c96.exe
Size: 685KB
MD5: 9b1fbfd63513103ee14c85f72db99c96
SHA1: 83df19cfd98ff18cde9a5335f00c96b87ba64284
SHA256: cf29a82a5b1592480fef0ef8f5a3ccc49721cebd64bfc0932a2709eeecaffd13
SHA512: 06a70b75a69d8f38ebf87fadb377dab34c5306a87fa352eddd1c39528456f286f37189f4190a62f2d388b8de937414a217f17bd7168ee31f713d27f270c25123
SSDEEP: 12288:3rJ7482eDChzUlPY7oMDmzZ0FDAhCF3Z4mxxqi4Fv81knkstG:7Jk82e+ax1MDs0FDAUQmXtRku
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid | Process
  3860 | SERVER~1.EXE
  1864 | Hacker.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9b1fbfd63513103ee14c85f72db99c96.exe

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\Hacker.exe | SERVER~1.EXE
  File opened for modification | C:\Windows\Hacker.exe | SERVER~1.EXE
  File created | C:\Windows\uninstal.bat | SERVER~1.EXE

Modifies data under HKEY_USERS (15 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "85" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3860 | SERVER~1.EXE
  Token: SeDebugPrivilege | 1864 | Hacker.exe
  Token: SeShutdownPrivilege | 1084 | 9b1fbfd63513103ee14c85f72db99c96.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  1864 | Hacker.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2604 | LogonUI.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1084 wrote to memory of 3860 | 1084 | 9b1fbfd63513103ee14c85f72db99c96.exe | 83
  PID 1084 wrote to memory of 3860 | 1084 | 9b1fbfd63513103ee14c85f72db99c96.exe | 83
  PID 1084 wrote to memory of 3860 | 1084 | 9b1fbfd63513103ee14c85f72db99c96.exe | 83
  PID 3860 wrote to memory of 3692 | 3860 | SERVER~1.EXE | 85
  PID 3860 wrote to memory of 3692 | 3860 | SERVER~1.EXE | 85
  PID 3860 wrote to memory of 3692 | 3860 | SERVER~1.EXE | 85
  PID 1864 wrote to memory of 4480 | 1864 | Hacker.exe | 86
  PID 1864 wrote to memory of 4480 | 1864 | Hacker.exe | 86
Processes
C:\Users\Admin\AppData\Local\Temp\9b1fbfd63513103ee14c85f72db99c96.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9b1fbfd63513103ee14c85f72db99c96.exe"
  PID: 1084
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
      PID: 3860
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
          PID: 3692

C:\Windows\Hacker.exe
  Command line: C:\Windows\Hacker.exe
  PID: 1864
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      PID: 4480

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3989855 /state1:0x41c64e6d
  PID: 2604
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 743KB
MD5: b2e9487a4c2f70600bb28e6dccd8ffeb
SHA1: 1044b1d7151381f734e243b453742dba00f64f84
SHA256: f00029218cf5e01fd386fc84a854d39bd35068cffe0035104832836428f0a207
SHA512: d89b77770cab9cac697ca193aa42271c8d7cf7e09a1e3c6231db957d44d753b521b09a862294fee96ac0ea85c207d1a8a005317081c072df8332f22530245105

Filesize: 164B
MD5: 924ea7ae6df752587469376459875c51
SHA1: ec5fa69c7e5dcaf5b57eefadc4f25a8e4ae073e1
SHA256: 46c715ac82d5774479b760757498ddb0b9f75cebc116a3da81f9e438bc9bbb09
SHA512: ea7b176a411b82faf5fcd785c67180f88f9ff28f7e24c4f4b49f8e7cdc99fb60e38722b61547a4291bdd2c56b3729045c2e8d4afbecfe03612ab0dd8a7b6ae35