Analysis
- max time kernel: 21s
- max time network: 24s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/02/2024, 06:35
Static task: static1
Behavioral task: behavioral1
- Sample: a12f69255b91e8b44c0e9669a79b5892.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: a12f69255b91e8b44c0e9669a79b5892.exe
- Resource: win10v2004-20240221-en
General
- Target: a12f69255b91e8b44c0e9669a79b5892.exe
- Size: 441KB
- MD5: a12f69255b91e8b44c0e9669a79b5892
- SHA1: be099758c080b89c52169ca7cf2e5232c6c79455
- SHA256: 3da928f0eff88dddb363a32469f8ec1e908f1bdcad8be40f786a06a0eaeb9785
- SHA512: d81594ae69d6459df12ad180ca310a411fb0d634048a3737482701fcb02acd3fc166ab26c486c9d22f28cbd18b4af4a678cf0140259bbd1441a2cd51759ad1ec
- SSDEEP: 12288:NUFdYk7h/6hgTv3TGEGwIUdtLDT0OHev/XUz:mFl6hgTawvP1HiXUz
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation (Process: a12f69255b91e8b44c0e9669a79b5892.exe)
Executes dropped EXE (7 IoCs)
- PID 4672: cb.exe
- PID 2332: 1EuroP.exe
- PID 5116: 2IC.exe
- PID 4048: 3E4U - Bucks.exe
- PID 1244: 6tbp.exe
- PID 1384: IR.exe
- PID 4324: m5bw8pr.exe
Loads dropped DLL (1 IoCs)
- PID 3068: rundll32.exe
- yara_rule: upx, resource: behavioral2/memory/4048-72-0x0000000000BB0000-0x0000000000BE0000-memory.dmp
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vfeveraxifo = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\rowsct.dll\",Startup" (Process: rundll32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\741b = "C:\\Users\\Admin\\AppData\\Roaming\\m5bw8pr.exe" (Process: IR.exe)
Checks whether UAC is enabled
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Process: IR.exe)
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\physicaldrive0 (Process: 2IC.exe)
Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.
- PID 1712: sc.exe
- PID 1984: sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
- pid 1332, pid_target 4048, Process WerFault.exe, procid_target 92
Runs net.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeShutdownPrivilege, PID 5116 (Process: 2IC.exe)
Suspicious use of SetWindowsHookEx (6 IoCs)
- PID 1244: 6tbp.exe
- PID 3068: rundll32.exe
- PID 1384: IR.exe
- PID 1384: IR.exe
- PID 1384: IR.exe
- PID 4324: m5bw8pr.exe
Suspicious use of WriteProcessMemory (36 IoCs)
description | pid | Process | procid_target
PID 2328 wrote to memory of 4672 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 88
PID 2328 wrote to memory of 4672 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 88
PID 2328 wrote to memory of 4672 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 88
PID 2328 wrote to memory of 2332 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 90
PID 2328 wrote to memory of 2332 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 90
PID 2328 wrote to memory of 2332 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 90
PID 2328 wrote to memory of 5116 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 91
PID 2328 wrote to memory of 5116 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 91
PID 2328 wrote to memory of 5116 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 91
PID 2328 wrote to memory of 4048 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 92
PID 2328 wrote to memory of 4048 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 92
PID 2328 wrote to memory of 4048 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 92
PID 2328 wrote to memory of 1244 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 95
PID 2328 wrote to memory of 1244 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 95
PID 2328 wrote to memory of 1244 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 95
PID 2328 wrote to memory of 1384 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 94
PID 2328 wrote to memory of 1384 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 94
PID 2328 wrote to memory of 1384 | 2328 | a12f69255b91e8b44c0e9669a79b5892.exe | 94
PID 1244 wrote to memory of 3068 | 1244 | 6tbp.exe | 97
PID 1244 wrote to memory of 3068 | 1244 | 6tbp.exe | 97
PID 1244 wrote to memory of 3068 | 1244 | 6tbp.exe | 97
PID 1384 wrote to memory of 3716 | 1384 | IR.exe | 105
PID 1384 wrote to memory of 3716 | 1384 | IR.exe | 105
PID 1384 wrote to memory of 3716 | 1384 | IR.exe | 105
PID 1384 wrote to memory of 1984 | 1384 | IR.exe | 104
PID 1384 wrote to memory of 1984 | 1384 | IR.exe | 104
PID 1384 wrote to memory of 1984 | 1384 | IR.exe | 104
PID 1384 wrote to memory of 2560 | 1384 | IR.exe | 101
PID 1384 wrote to memory of 2560 | 1384 | IR.exe | 101
PID 1384 wrote to memory of 2560 | 1384 | IR.exe | 101
PID 1384 wrote to memory of 1712 | 1384 | IR.exe | 103
PID 1384 wrote to memory of 1712 | 1384 | IR.exe | 103
PID 1384 wrote to memory of 1712 | 1384 | IR.exe | 103
PID 1384 wrote to memory of 4324 | 1384 | IR.exe | 102
PID 1384 wrote to memory of 4324 | 1384 | IR.exe | 102
PID 1384 wrote to memory of 4324 | 1384 | IR.exe | 102
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a12f69255b91e8b44c0e9669a79b5892.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a12f69255b91e8b44c0e9669a79b5892.exe"
    PID: 2328
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\cb.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\cb.exe"
        PID: 4672
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\1EuroP.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\1EuroP.exe"
        PID: 2332
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\2IC.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\2IC.exe"
        PID: 5116
        - Executes dropped EXE
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\3E4U - Bucks.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\3E4U - Bucks.exe"
        PID: 4048
        - Executes dropped EXE
        [3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 516
            PID: 1332
            - Program crash
    [2] C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\IR.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\IR.exe"
        PID: 1384
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\net.exe
            Command line: net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
            PID: 2560
        [3] C:\Users\Admin\AppData\Roaming\m5bw8pr.exe
            Command line: C:\Users\Admin\AppData\Roaming\m5bw8pr.exe
            PID: 4324
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [3] C:\Windows\SysWOW64\sc.exe
            Command line: sc config SharedAccess start= DISABLED
            PID: 1712
            - Launches sc.exe
        [3] C:\Windows\SysWOW64\sc.exe
            Command line: sc config wscsvc start= DISABLED
            PID: 1984
            - Launches sc.exe
        [3] C:\Windows\SysWOW64\net.exe
            Command line: net.exe stop "Security Center"
            PID: 3716
        [3] C:\Windows\SysWOW64\Rundll32.exe
            Command line: Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Roaming\mdinstall.inf
            PID: 3484
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\um1uox4ss.bat
            PID: 2284
    [2] C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\6tbp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\6tbp.exe"
        PID: 1244
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: rundll32.exe "C:\Users\Admin\AppData\Local\rowsct.dll",Startup
            PID: 3068
            - Loads dropped DLL
            - Adds Run key to start application
            - Suspicious use of SetWindowsHookEx
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4048 -ip 4048
    PID: 652
Network
MITRE ATT&CK Enterprise v15
Downloads