Analysis
- max time kernel: 158s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/03/2024, 12:40
Static task
- static1

Behavioral task
- behavioral1
  Sample: b4b7bb8f2d66b1694ffd5c510d0a243b.exe
  Resource: win7-20240221-en

Behavioral task
- behavioral2
  Sample: b4b7bb8f2d66b1694ffd5c510d0a243b.exe
  Resource: win10v2004-20240226-en
General
- Target: b4b7bb8f2d66b1694ffd5c510d0a243b.exe
- Size: 158KB
- MD5: b4b7bb8f2d66b1694ffd5c510d0a243b
- SHA1: 73b6a556d403c45137cc1f9401092d450b488868
- SHA256: efb6103147d123a4c99b751d58a420d42fbbfb726bc1093a2b1bf188b1b81c23
- SHA512: c9a41f407a6f0055f6e12f3fd1d03b1cd502c7496238811f6cb53e4ec922d4880f8136239deb8b33551dd94fefc86648d419653012c039067ae9b79632996cd1
- SSDEEP: 3072:mU01A7ku2d2eBknZAIW4z73N/RnX4eC5EGtpcv6k3:mPZ/d2Kmnz5RnorEGtTk3
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  - pid 3448, Process A7350D82BCA.exe
  - pid 1328, Process Hjd22D5.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWWWVA1I9G8UXV5YEKQBFLEJWE = "C:\\servi3e.bin\\A7350D82BCA.exe /q" (Process: Hjd22D5.exe)

- Modifies Internet Explorer Phishing Filter (1 TTPs, 3 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\PhishingFilter (Process: Hjd22D5.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" (Process: Hjd22D5.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0" (Process: Hjd22D5.exe)

- Modifies Internet Explorer settings (2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery (Process: Hjd22D5.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0" (Process: Hjd22D5.exe)

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - pid 1764, Process b4b7bb8f2d66b1694ffd5c510d0a243b.exe (4 rows)
  - pid 3448, Process A7350D82BCA.exe (2 rows)
  - pid 1328, Process Hjd22D5.exe (all remaining rows)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  - Token: SeDebugPrivilege, pid 1764, Process b4b7bb8f2d66b1694ffd5c510d0a243b.exe (4 rows)
  - Token: SeDebugPrivilege, pid 3448, Process A7350D82BCA.exe (2 rows)
  - Token: SeDebugPrivilege, pid 1328, Process Hjd22D5.exe (all remaining rows)

- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 1764 wrote to memory of 3448; pid 1764, Process b4b7bb8f2d66b1694ffd5c510d0a243b.exe, procid_target 97 (3 rows)
  - PID 3448 wrote to memory of 1328; pid 3448, Process A7350D82BCA.exe, procid_target 98 (5 rows)
  - PID 1328 wrote to memory of 1764; pid 1328, Process Hjd22D5.exe, procid_target 94 (4 rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\b4b7bb8f2d66b1694ffd5c510d0a243b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4b7bb8f2d66b1694ffd5c510d0a243b.exe"
  PID: 1764
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\servi3e.bin\A7350D82BCA.exe
    Command line: "C:\servi3e.bin\A7350D82BCA.exe"
    PID: 3448
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\Hjd22D5.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Hjd22D5.exe"
      PID: 1328
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies Internet Explorer Phishing Filter
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3848 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
  PID: 2428
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 29090b6b4d6605a97ac760d06436ac2d
  SHA1: d929d3389642e52bae5ad8512293c9c4d3e4fab5
  SHA256: 98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272
  SHA512: 9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be

- Filesize: 158KB
  MD5: b4b7bb8f2d66b1694ffd5c510d0a243b
  SHA1: 73b6a556d403c45137cc1f9401092d450b488868
  SHA256: efb6103147d123a4c99b751d58a420d42fbbfb726bc1093a2b1bf188b1b81c23
  SHA512: c9a41f407a6f0055f6e12f3fd1d03b1cd502c7496238811f6cb53e4ec922d4880f8136239deb8b33551dd94fefc86648d419653012c039067ae9b79632996cd1

- Filesize: 5KB
  MD5: f56193ca932f0b765c493f1dcd579608
  SHA1: cce79dbd87546a419d3a8ca02e643934670f4841
  SHA256: a0810b82f712ab51ec25b51374b81d5803754e53ed83cc2d36079e5a0a8a3885
  SHA512: 77e390ba8a9d74f02217594fddd5a85cf126c975d0a7dd82b59aad1c1e91a8dfc777c16c6a8e14409f3f826c6be9a3132bb1a9b3774d8ee2edbdcb228fac0b68