Analysis
- max time kernel: 102s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/02/2024, 16:50
Behavioral task: behavioral1
- Sample: Patch.exe
- Resource: win10v2004-20240220-en
- 9 signatures
- 150 seconds
General
- Target: Patch.exe
- Size: 2.2MB
- MD5: 2e97802dd27ecaedfd7b576afe9267cf
- SHA1: 1d4ddc971dc5ba6201b414d86e37b99523b0d85c
- SHA256: 220c8084bbed37f54fbba4c5d50d8ceeb3099bac0ef4041f56ab725678213abc
- SHA512: 0573bc870bdc7624ad76ad290988c82f511e6bfdf7e3805758b83c89b30da784bc83e224ca54210f21722d029d283d09fb918a387b92f6b0b45bb1c24e81f869
- SSDEEP: 49152:wIhpWDpUfZEOW6T9kxql+/XuGmvh1/1/485:wIhpxfuvI9Wq2erfq85
Score: 7/10
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000\Control Panel\International\Geo\Nation | Patch.exe
- resource | yara_rule
  behavioral1/memory/4012-0-0x0000000000400000-0x0000000000A4A000-memory.dmp | upx
- Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SketchUp.exe.bak | Patch.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SketchUp.exe.bak | Patch.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Patch.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (64 IoCs)
  description | ioc | Process
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0 | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | Patch.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\1\0\0 | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = 00000000ffffffff | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | Patch.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0 = 60003100000000005458704210004150504c49437e310000480009000400efbe54587042545870422e000000d32d020000000100000000000000000000000000000053d797004100700070006c00690063006100740069006f006e00000018000000 | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\1\0 = 4e003100000000005458538030004564676500003a0009000400efbe055338b5545853802e000000e104000000000100000000000000000000000000000049e60f014500640067006500000014000000 | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\1\MRUListEx = 00000000ffffffff | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 0000000000000000000000000000000000000000 | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 980031000000000054589342110050524f4752417e320000800009000400efbe874fdb49545893422e000000c30400000000010000000000000000005600000000007a3cc900500072006f006700720061006d002000460069006c0065007300200028007800380036002900000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003700000018000000 | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 540031000000000054586d421000476f6f676c6500003e0009000400efbe54586d4254586d422e000000622d020000000100000000000000000000000000000091a2010047006f006f0067006c006500000016000000 | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\NodeSlot = "2" | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000090000000 | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\1 | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 0100000000000000ffffffff | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Patch.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | Patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | Patch.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | Patch.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4023562663-3911442808-1494947993-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" | Patch.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  4012 | Patch.exe
- Suspicious use of FindShellTrayWindow (7 IoCs)
  pid | Process
  4012 | Patch.exe
  4012 | Patch.exe
  4012 | Patch.exe
  4012 | Patch.exe
  4012 | Patch.exe
  4012 | Patch.exe
  4012 | Patch.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid | Process
  4012 | Patch.exe
  4012 | Patch.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  4012 | Patch.exe
  4012 | Patch.exe
  4012 | Patch.exe
  4012 | Patch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Patch.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Patch.exe"
  PID: 4012
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 4832