Resubmissions
- 21/02/2024, 23:22 - 240221-3cw62sha56 - 1
- 21/02/2024, 23:19 - 240221-3a76jaha43 - 4
- 21/02/2024, 23:19 - 240221-3axd2aha42 - 1
- 21/02/2024, 18:19 - 240221-wx9vbade42 - 8

Analysis
- max time kernel: 119s
- max time network: 78s
- platform: windows10-1703_x64
- resource: win10-20240221-en
- resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 21/02/2024, 23:19
Static task: static1

Behavioral task: behavioral1
- Sample: Set-up.exe
- Resource: win10-20240221-en
- 10 signatures
- 150 seconds
General
- Target: Set-up.exe
- Size: 7.3MB
- MD5: bc0672307ff08325dc4348c89bdc8999
- SHA1: 45e37b595ac1b3ce6e3f6b6c12a9fa9c846addb4
- SHA256: 24d2666c00ecd02350af0d70c8a9b71ed2bf0ce2553e61506fc1cbba0a9156b3
- SHA512: 406c11bd4dbda325ee679f235988e8d1643d99de4dfd648d471857eee4892001011ffcc3fb9d1cda3161bce4fda70dcb2e5e3f1c5fd9e75091d49a6954864728
- SSDEEP: 98304:Rz16s9EwkidrwQwPdz9u/ZZmDZJErFXQbZT7wIX0k5:Rz16gBrd3gu/XmDZiF0tH
- Score: 4/10
Malware Config
Signatures
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | taskmgr.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | Set-up.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001" | Set-up.exe
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | Set-up.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary blob not shown) | Set-up.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary blob not shown) | Set-up.exe
Runs regedit.exe 1 IoCs
pid | Process
2160 | regedit.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3536 | taskmgr.exe (all 64 entries identical)
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3536 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3536 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3536 | taskmgr.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
3912 | Set-up.exe
3536 | taskmgr.exe (remaining 63 entries identical)
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
3536 | taskmgr.exe (all 64 entries identical)
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 2220 wrote to memory of 2160 | 2220 | cmd.exe | 78
PID 2220 wrote to memory of 2160 | 2220 | cmd.exe | 78
Processes

- C:\Users\Admin\AppData\Local\Temp\Set-up.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  PID: 3912

- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3536

- C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2220
  - C:\Windows\regedit.exe (child of cmd.exe)
    Command line: regedit
    - Runs regedit.exe
    PID: 2160