Analysis
max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/03/2024, 13:49
Behavioral task: behavioral1
  Sample: b248bcbdbe526815338780a4bff07396.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: b248bcbdbe526815338780a4bff07396.exe
  Resource: win10v2004-20240226-en
General
Target: b248bcbdbe526815338780a4bff07396.exe
Size: 54KB
MD5: b248bcbdbe526815338780a4bff07396
SHA1: d3cf32de841b69a366ff21b17f81acf835f1e243
SHA256: f94a26ecbd6c5f4d9a419787eb8a2c1e53e3f994df5d9d1f4664a8142ca262b5
SHA512: f40f3bf86eb0a8b4dee7cb9b9e58b8b2094fd3ece9d129b1514330004fdbd430596484c8537deaec9c5be319619799aef1a17fe4a4432faf97e26418c9acc629
SSDEEP: 1536:bgCZucC+ne/6LyRa85FBcVpm7XqsPnwUB:bgCZA+rLUrBUpEb4k
Malware Config
Signatures
Drops file in Drivers directory (1 IoCs)
  description: File opened for modification
  ioc: C:\Windows\system32\drivers\etc\services
  Process: b248bcbdbe526815338780a4bff07396.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\ymhkfg
  Process: b248bcbdbe526815338780a4bff07396.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ymhkfg\StubPath = "C:\\Windows\\system32\\ymhkfg.exe"
  Process: b248bcbdbe526815338780a4bff07396.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  Process: b248bcbdbe526815338780a4bff07396.exe

Deletes itself (1 IoCs)
  pid: 5060
  Process: utbc.exe

Executes dropped EXE (1 IoCs)
  pid: 5060
  Process: utbc.exe

yara_rule matches
  resource: behavioral2/memory/5072-0-0x0000000000400000-0x000000000042B000-memory.dmp
  yara_rule: upx

  resource: behavioral2/files/0x000800000002325d-5.dat
  yara_rule: upx

  resource: behavioral2/memory/5072-12-0x0000000000400000-0x000000000042B000-memory.dmp
  yara_rule: upx

  resource: behavioral2/memory/5060-13-0x0000000000400000-0x000000000042B000-memory.dmp
  yara_rule: upx

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Flower = "C:\\Windows\\system32\\utbc.exe"
  Process: b248bcbdbe526815338780a4bff07396.exe

Drops file in System32 directory (3 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\utbc.exe
  Process: b248bcbdbe526815338780a4bff07396.exe

  description: File opened for modification
  ioc: C:\Windows\SysWOW64\utbc.exe
  Process: b248bcbdbe526815338780a4bff07396.exe

  description: File created
  ioc: C:\Windows\SysWOW64\ymhkfg.exe
  Process: b248bcbdbe526815338780a4bff07396.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description: Token: SeSystemtimePrivilege
  pid: 5072
  Process: b248bcbdbe526815338780a4bff07396.exe
  (the same entry is recorded 6 times)

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 5072 wrote to memory of 5060
  pid: 5072
  Process: b248bcbdbe526815338780a4bff07396.exe
  procid_target: 97
  (the same entry is recorded 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\b248bcbdbe526815338780a4bff07396.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b248bcbdbe526815338780a4bff07396.exe"
  PID: 5072
  - Drops file in Drivers directory
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\utbc.exe
    Command line: "C:\Windows\system32\utbc.exe" 0C:\Users\Admin\AppData\Local\Temp\b248bcbdbe526815338780a4bff07396.exe
    PID: 5060
    - Deletes itself
    - Executes dropped EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
  PID: 1156
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 54KB
MD5: b248bcbdbe526815338780a4bff07396
SHA1: d3cf32de841b69a366ff21b17f81acf835f1e243
SHA256: f94a26ecbd6c5f4d9a419787eb8a2c1e53e3f994df5d9d1f4664a8142ca262b5
SHA512: f40f3bf86eb0a8b4dee7cb9b9e58b8b2094fd3ece9d129b1514330004fdbd430596484c8537deaec9c5be319619799aef1a17fe4a4432faf97e26418c9acc629