Analysis
Max time kernel: 149s
Max time network: 158s
Platform: windows11-21h2_x64
Resource: win11-20240221-en
Resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 23/02/2024, 07:27
Static task: static1
Behavioral task: behavioral1
Sample: Alice.exe
Resource: win11-20240221-en
General
Target: Alice.exe
Size: 9.7MB
MD5: 6a921995816cd918c176f2c87e262fd4
SHA1: 4e5b8566f482967525959d7d75b7c06cb6330471
SHA256: 5892da50e6a0f664b4d241beefa04c72b9669a47cf4ae687164ee6160f025778
SHA512: 1482acc37e1f599d78ef20e084cce7fb4506f3fe0f6fe3963888caca0c626a94a86c6f287c6abe680d70fe82c2aafff8ad0361dfe91e43cb5b6b4fe9b45332b1
SSDEEP: 49152:/GFNm48iZ3mvlr03+ufKo9jmc6s3lA353agB2nFE2PA2wkigOGTd4nrh8dDeblY4:/GFuo9jT6M2JiBIQYo4MoD+Fv9xIa3y
Malware Config
Signatures
-
Drops desktop.ini file(s) (1 IoC)
  description                     ioc                                           process
  File opened for modification    C:\Users\Admin\Videos\Captures\desktop.ini    svchost.exe
Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments. Note that in this report every one of these reads is attributed to svchost.exe (the BcastDVRUserService host) and EXCEL.EXE, not to Alice.exe (PID 2688), which has no behaviour recorded against it; on its own this hit does not show the sample fingerprinting the environment.
  description          ioc                                                                                    process
  Key opened           \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       svchost.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   svchost.exe
  Key opened           \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       svchost.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   svchost.exe
  Key opened           \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       EXCEL.EXE
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  EXCEL.EXE
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description          ioc                                                              process
  Key opened           \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
Modifies registry class (4 IoCs)
  description    ioc                                                                                                                                                                                              process
  Key created    \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\MuiCache                                                                                                       GameBar.exe
  Key created    \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\MuiCache                                                                                                       MiniSearchHost.exe
  Key created    \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1101742937-4171729779-750941522-1000\{00DCC5ED-90DE-408D-9214-0886DC0B96BD}    svchost.exe
  Key created    \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1101742937-4171729779-750941522-1000\{8AC1726A-5FA7-4FAE-8844-0850E9E62CDA}    svchost.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid     process
  3148    EXCEL.EXE
Suspicious use of SetWindowsHookEx (11 IoCs)
  pid     process
  1564    GameBar.exe
  1004    MiniSearchHost.exe
  3148    EXCEL.EXE (9 calls)
Processes
- C:\Users\Admin\AppData\Local\Temp\Alice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Alice.exe"
  PID: 2688
- C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\GameBar.exe
  Command line: "C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\GameBar.exe" -ServerName:App.AppXbdkk0yrkwpcgeaem8zk81k8py1eaahny.mca
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
  PID: 1564
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
  PID: 1004
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
  Signatures: Drops desktop.ini file(s); Checks processor information in registry; Modifies registry class
  PID: 4616
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
  Signatures: Checks processor information in registry; Modifies registry class
  PID: 4788
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Desktop\PingPop.xltm"
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
  PID: 3148
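The signature rows above are keyed by process, not by the sample, so the first triage step is to attribute every IoC back to a process and see which of the flagged registry paths are environment-fingerprint keys. The script below is an added example, not tria.ge code: it parses the report's own "<action> <ioc> <process>" rows (a constructed subset of the ones shown above, embedded inline), tallies IoCs per process, flags reads under the CentralProcessor and BIOS subtrees, and reports processes in the tree that have no behaviour attributed to them. The fingerprint prefix list, the row regex and the function names are assumptions.

```python
"""Attribute sandbox-report IoC rows to processes and flag fingerprint keys.
Added example; the row format parser and key list are assumptions."""
import re

# Constructed input: a subset of the IoC rows shown in this report, one per
# line, in the "<action> <ioc> <process>" layout the report uses.
REPORT_IOCS = r"""
File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE
Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\MuiCache GameBar.exe
Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe
"""

# Image names from the report's process tree; Alice.exe is the sample.
PROCESS_TREE = ["Alice.exe", "GameBar.exe", "MiniSearchHost.exe",
                "svchost.exe", "EXCEL.EXE"]

# Registry subtrees that sandboxes treat as environment fingerprinting
# (assumed list). Compared case-insensitively because the report writes the
# same key both as "Hardware\Description" and "HARDWARE\DESCRIPTION".
FINGERPRINT_PREFIXES = (
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS",
)

# The action vocabulary is taken from the rows on this page; the process is
# the last whitespace-free token ending in .exe, so paths with spaces survive.
IOC_RE = re.compile(
    r"^(?P<action>Key opened|Key value queried|Key created|"
    r"File opened for modification)\s+(?P<ioc>.+?)\s+(?P<process>\S+\.exe)$",
    re.IGNORECASE,
)


def parse_iocs(text):
    """Turn the raw rows into dicts with action/ioc/process; fail loudly on
    a row the regex does not understand rather than silently dropping it."""
    rows = []
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed IoC row: {line!r}")
        rows.append(m.groupdict())
    return rows


def is_fingerprint_key(path):
    """True if a registry path sits under one of the fingerprint subtrees."""
    return path.upper().startswith(FINGERPRINT_PREFIXES)


def attribute(rows, process_tree):
    """Per-process tally: total IoCs and the set of fingerprint keys touched.
    Processes from the tree with no rows are kept so they show up as silent."""
    summary = {n: {"ioc_count": 0, "fingerprint_keys": set()} for n in process_tree}
    for row in rows:
        entry = summary.setdefault(row["process"],
                                   {"ioc_count": 0, "fingerprint_keys": set()})
        entry["ioc_count"] += 1
        if row["action"].lower().startswith("key") and is_fingerprint_key(row["ioc"]):
            entry["fingerprint_keys"].add(row["ioc"])
    return summary


def silent_processes(summary):
    """Processes in the tree with no IoC attributed to them at all."""
    return sorted(n for n, e in summary.items() if e["ioc_count"] == 0)


if __name__ == "__main__":
    summary = attribute(parse_iocs(REPORT_IOCS), PROCESS_TREE)
    for name, entry in summary.items():
        print(f"{name:20} iocs={entry['ioc_count']:2} "
              f"fingerprint_keys={len(entry['fingerprint_keys'])}")
    print("no behaviour attributed:", silent_processes(summary))
```

Run against the constructed rows, the tally puts all six fingerprint reads on EXCEL.EXE and two on svchost.exe, and reports Alice.exe as the only process with nothing attributed to it, which is exactly the caveat to carry into the verdict: the fingerprint signatures here describe the sandbox's own Office and Xbox service processes, not the sample.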
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 11KB
  MD5: e7287dd4e71a21e10194c99cc8ccd823
  SHA1: d12b4151bb25ca694ad8098751b4918129c322ac
  SHA256: 9c3bad374f6b813d2d3393e29f7e9aaca5404a001e521746d21fe7ced190f27c
  SHA512: e76c126fb4f111e78772ee65afb4a06ff74d4c56432a4aa3f6c9680a0e832c257285e68f2b09e4513b4d4ca3169d865e375caa20dca32648d81010394c0c8c21
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 11KB
  MD5: a48ea8097f0b11ffec74b86a72f827bb
  SHA1: 74018e4ad58d07aefa0f9cf14ad83d8738b712f6
  SHA256: f927b288c82bf61a078b38c7226df71cf935eb9f4115779ae60f345d3caa0291
  SHA512: 7d732085d9c178c55d22d8b1146a196002974775e826d60bdcf27e0e7cb2c00e32de925e3fe2fc31a27476a31c81c4acf5df68b207bfdef4f00165a4b6b8dbbc
- (path not shown in the report)
  Filesize: 190B
  MD5: b0d27eaec71f1cd73b015f5ceeb15f9d
  SHA1: 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
  SHA256: 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
  SHA512: 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c