Analysis
  max time kernel:  150s
  max time network: 121s
  platform:         windows7_x64
  resource:         win7-20240215-en
  resource tags:    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  submitted:        04/03/2024, 13:56
Behavioral task: behavioral1
  Sample:   b24bc3cc5f6728b3b6bfb9046b29bbc0.exe
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample:   b24bc3cc5f6728b3b6bfb9046b29bbc0.exe
  Resource: win10v2004-20240226-en
General
  Target: b24bc3cc5f6728b3b6bfb9046b29bbc0.exe
  Size:   187KB
  MD5:    b24bc3cc5f6728b3b6bfb9046b29bbc0
  SHA1:   fe98a682de25f40f503bb92cf876da7ca3dad2e8
  SHA256: cf4b8fc8fc92c23553fe0179cdb1e0af748a1d4edd044ef5bdd9e7815aeaa94b
  SHA512: 3a767bc2231730e8e5e5cb34a521b3848d4dfce4194e112bf091a9deb818730b69f3f65afb5bdbc3483734933205fc5211abb8886eef6291a8d45eec9bfcdb39
  SSDEEP: 3072:mu8zBoOjWRUfy/IDEzg7/lthwM0cGkjvc4USEtJ4g25bICav1y55LUOL:781rBfPj79vRTiJ4dwMHLZ
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2528  migynie.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2320  b24bc3cc5f6728b3b6bfb9046b29bbc0.exe
  2320  b24bc3cc5f6728b3b6bfb9046b29bbc0.exe

  resource                                                                      yara_rule
  behavioral1/memory/2320-0-0x0000000000400000-0x000000000043E000-memory.dmp    upx
  behavioral1/files/0x000c0000000144e0-5.dat                                    upx
  behavioral1/memory/2320-11-0x0000000000480000-0x00000000004BE000-memory.dmp   upx
  behavioral1/memory/2528-13-0x0000000000400000-0x000000000043E000-memory.dmp   upx
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                                    Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\{87F5250B-9BBC-C29E-3CF7-F181BB6081D5} = "C:\\Users\\Admin\\AppData\\Roaming\\Orb\\migynie.exe"   migynie.exe
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                               procid_target
  PID 2320 set thread context of 900   2320  b24bc3cc5f6728b3b6bfb9046b29bbc0.exe  30

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1360  900         WerFault.exe  30

Modifies Internet Explorer settings
  description      ioc                                                                                                                     Process
  Key created      \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Privacy                   b24bc3cc5f6728b3b6bfb9046b29bbc0.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"   b24bc3cc5f6728b3b6bfb9046b29bbc0.exe
NTFS ADS (1 IoC)
  description                   ioc                                                                                                                Process
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\4BA35E5F-00000001.eml:OECustomProperty   WinMail.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid   Process
  2528  migynie.exe   (31 identical entries)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description                      pid   Process
  Token: SeLoadDriverPrivilege     2320  b24bc3cc5f6728b3b6bfb9046b29bbc0.exe
  Token: SeLoadDriverPrivilege     2320  b24bc3cc5f6728b3b6bfb9046b29bbc0.exe
  Token: SeSecurityPrivilege       2320  b24bc3cc5f6728b3b6bfb9046b29bbc0.exe
  Token: SeLoadDriverPrivilege     2528  migynie.exe
  Token: SeLoadDriverPrivilege     2528  migynie.exe
  Token: SeSecurityPrivilege       2320  b24bc3cc5f6728b3b6bfb9046b29bbc0.exe
  Token: SeSecurityPrivilege       2320  b24bc3cc5f6728b3b6bfb9046b29bbc0.exe
  Token: SeManageVolumePrivilege   2200  WinMail.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2200  WinMail.exe

Suspicious use of SendNotifyMessage (1 IoC)
  pid   Process
  2200  WinMail.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2200  WinMail.exe
Suspicious use of WriteProcessMemory (62 IoCs; identical rows collapsed with a count)
  description                        pid   Process                               procid_target  count
  PID 2320 wrote to memory of 2528   2320  b24bc3cc5f6728b3b6bfb9046b29bbc0.exe  28             4
  PID 2528 wrote to memory of 1120   2528  migynie.exe                           19             5
  PID 2528 wrote to memory of 1180   2528  migynie.exe                           20             5
  PID 2528 wrote to memory of 1208   2528  migynie.exe                           21             5
  PID 2528 wrote to memory of 1788   2528  migynie.exe                           23             5
  PID 2528 wrote to memory of 2320   2528  migynie.exe                           27             5
  PID 2320 wrote to memory of 900    2320  b24bc3cc5f6728b3b6bfb9046b29bbc0.exe  30             9
  PID 900 wrote to memory of 1360    900   cmd.exe                               33             4
  PID 2528 wrote to memory of 356    2528  migynie.exe                           31             5
  PID 2528 wrote to memory of 1756   2528  migynie.exe                           32             5
  PID 2528 wrote to memory of 1360   2528  migynie.exe                           33             5
  PID 2528 wrote to memory of 960    2528  migynie.exe                           34             5
Processes (indented by depth in the process tree)

C:\Windows\system32\taskhost.exe
  cmdline: "taskhost.exe"
  PID: 1120

C:\Windows\system32\Dwm.exe
  cmdline: "C:\Windows\system32\Dwm.exe"
  PID: 1180

C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  PID: 1208

    C:\Users\Admin\AppData\Local\Temp\b24bc3cc5f6728b3b6bfb9046b29bbc0.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\b24bc3cc5f6728b3b6bfb9046b29bbc0.exe"
      PID: 2320
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Orb\migynie.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\Orb\migynie.exe"
          PID: 2528
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp3ff78c9e.bat"
          PID: 900
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 112
              PID: 1360
              - Program crash

C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1788

C:\Program Files\Windows Mail\WinMail.exe
  cmdline: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
  PID: 2200
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 356

C:\Windows\system32\conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe "844081993-6081219631111584295-7559794819973773571618947064-2044498055-157138060"
  PID: 1756

C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  PID: 960
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 2.0MB
  MD5:      e1414efcedc040cf4871696efc793eb3
  SHA1:     69e0a993b3eaa8c2eaa56bb0d10584b45836da67
  SHA256:   cc79a6928501195301641617dd1e7c70d8302fe2e87be54168df65e89f43438e
  SHA512:   43fffae49681a36f42fc57a825789fed16e82657d3da30804d9a3096c86c7181e43548fe3e7bdccf9f33b5113ca8382e22bb0c4551e0b8a0030e6cfa46bc8ec3

  Filesize: 366B
  MD5:      e846373efe8c1bd2cd50b8d04f1dd6de
  SHA1:     03b2b04851b950a3fc4242e2bfcf142e63e94252
  SHA256:   ba4f84d04e3abc01c8941343acdd7bfcf5e95f68e92ee866076251f0f2559065
  SHA512:   49deb6921f2d5854b787ada4b1ffd19fc325cfc7c57478f254701e17e8f25624fd6c2fc85b3cfd0e7a8585e218fcc8013b0d060594e6cd1bf28484ca897f53b7

  Filesize: 187KB
  MD5:      3756e9988be9e35f3c32a568b7160f69
  SHA1:     1150543b7aac6ddf98e842ce00ae799ea5fa35f4
  SHA256:   1b4610a3fe981be58a177dd11e6850e69dd7015e6619a36de9a9d50fd3c73f40
  SHA512:   7b12b536b150f53903cda5256a762b5c0fc8ea674a9406c2ee0863ffb975ebe0b6d42eb2060f23252407a4c73655a54ffd5ad7a901d1599a6875dd54490adf4b