Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
06/03/2024, 22:46
240306-2pzx2abc39 723/12/2022, 20:25
221223-y7mhwahb34 1023/12/2022, 20:11
221223-yx8ncscc9x 1023/12/2022, 20:03
221223-ys7v9sha97 10Analysis
-
max time kernel
1799s -
max time network
1175s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
06/03/2024, 22:46
General
-
Target
896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
-
Size
2.1MB
-
MD5
55a350a007f6943a7e09f4abfdfa6979
-
SHA1
c94e84ddbb6f525cfa675791c7f2d9b36d28a3ef
-
SHA256
896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80
-
SHA512
707269690787a70980cfc2658592cef762503ce7228fdfa56f5d584552327d28e338cc877fb37b1414f451a9c05a05fe3e134bc0197563a266fd62ab539bdc16
-
SSDEEP
49152:yMkkwgEEIRmnl1DVHYYhdxiUFZ4l7jl1nUI3gg+cnIFPsxdgyg:yDkfRX4UTDennUI3gvcIlRz
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\ProgramData\edge\HMHM.exeC:\ProgramData\edge\HMHM.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\edge\HMHM.exeC:\ProgramData\edge\HMHM.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\edge\HMHM.exeC:\ProgramData\edge\HMHM.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\edge\HMHM.exeC:\ProgramData\edge\HMHM.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\edge\HMHM.exeC:\ProgramData\edge\HMHM.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\edge\HMHM.exeC:\ProgramData\edge\HMHM.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15.6MB
MD5b3c146ad4fef9949e9af94a164619f95
SHA14968a680be61145a8eb5fb73dec7b90868d3bc91
SHA256f4a4111960b2fd1552ea8ce728d84f3a97ed963cda230ba1532060a73580e96c
SHA512f24d25c85417ed5a5ef228ecb11e9cb37d7a00eb047539c733e1c31c54b0b58a164266a5d24f4861d5a8f23f4ee0b733c8f143b07e34d042346352ae1b000247
-
Filesize
27.8MB
MD51448ad2f3eed317f0967d83439933752
SHA1298ad6c37b6828b1aa02394d4c7eb1b8a767a3c1
SHA25614066196a7be964a9a45c3c0eb8b42f1514afa33a31a52d839c6660f9bfd3e99
SHA512e328bc1df2f677f7516d70c70035d3967b9fd252c707e8c0a10d74b31a0b8dbf974d304c39657037f4d934fad47b39ec62b3afccab97311069fe511171699fe3
-
Filesize
60.6MB
MD5db6f80986fccd5d48e1a50ea3477669a
SHA1ec37f4da622eb34df34f822eee6273df0f803cc5
SHA25634b32704e7c8368a0ed156006d0b32a40e3322f354821849bb4a1b55b8734b32
SHA512a8f6c06564e7351351f51773bfa029883a6dcdf39a6b8458725759f2e63c55696ea22ad866ceb92e80005ffeca70a007b5bd640cca5072b6fe225a7eeaff307e
-
Filesize
127.5MB
MD5c81554965058d42519653f5018fdb5d8
SHA1aaac2382b6cbdb1fa017bd9b351633f737c828f5
SHA2562a0bd8e64ed6a037c63494a8aefd21fb000f4de44e845d62c92e85b7b12f2ae5
SHA5127ba8ed8de61307816a2768cb80df55f7cb2ee1b0f192d4fd7a6654490d19b754bd9a20245cefeaaa2661d438861664cf7649cb607a154ea5e290a7fe806d01b1
-
Filesize
166.4MB
MD5facc9718b9fc62c611eea686b649c397
SHA15bf07585865a28a1c4ddddf17e102031cb45d9a1
SHA256e57c2ac40705f3ee946d2ce4dadb61ef209e0deaa4d9399e1aed94b13a85d421
SHA5121605cc788103eee41b97f315690818d64d8c5b15fcc9af09e3acd78b8545e63400922bc3eafecf02f2b4512150046dcadddc22541f41fa2463be068afa5062c2
-
Filesize
9.0MB
MD5b7f8ac2e8933b246bf035bde872e6d27
SHA15b62937ac87e772e31873a7fec192db0154d0e7c
SHA2561474788b60c14a55b5180d03a9ea1de21570c73dcdd6a0f42627eb6d50aa2864
SHA5122f46f0ad0a18188a17341f4c648dbbe099f6a701798bd5d8b75cbbf45b57e871a360ef48e93f1a248143f02546112367ba02471644a10e774aa873cc88b7b933
-
Filesize
10.5MB
MD5590a7f082699dfd4f08ec99e845244a7
SHA140944e48f2becca286b1886ac423508fc31e1f75
SHA2566c03c889f784891340350dec8b9848506e36fc2aeeffb08be2409d75bb70b9e0
SHA5128e6a10d4b9ee7a00288354a47158153635cf916059e108758052bc42de394fc7c44d17986c2fb3e76339e7d31ba2f519da66869622ca2de6e2246cd3dd65b039
-
Filesize
660B
MD51c5e1d0ff3381486370760b0f2eb656b
SHA1f9df6be8804ef611063f1ff277e323b1215372de
SHA256f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a
SHA51278f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5ada3bbf645850fada48785399a44c2e9
SHA10421c13b7bb2120e078e18a9d4f5118743c1c8bd
SHA256cff75b20b3479f35242de2571318472607db1aa0a52db62c1c01a89bccb8491d
SHA5126e0b2753850b1da38dddba4059a6ab2261a244e25bd078afc1bfb78743505dcc405caef08753134faa30bf9f4c8cd5d862405407aeb5c73ae7e86072da366c82
-
Filesize
944B
MD504f1d68afbed6b13399edfae1e9b1472
SHA18bfdcb687a995e4a63a8c32df2c66dc89f91a8b0
SHA256f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de
SHA51230c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75
-
Filesize
944B
MD527319e85fe9e14d9bde83936606047f1
SHA12fc84c486d5bd73ecd09f10d8d7b10fc214a80d7
SHA2566c707dcdb6f87e3210fb64c9dc6a5fb1379cde6ba543260cefcc585ef20acf09
SHA512fbe7a574055098401032aa29d6d3650e75c91b2478eed03d1906c0b2848b733faa115d28c80a151d49f9ead9fef2784a16c828a29fcdf40db60863cabc0b7639
-
Filesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
Filesize
944B
MD5a2c8179aaa149c0b9791b73ce44c04d1
SHA1703361b0d43ec7f669304e7c0ffbbfdeb1e484ff
SHA256c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a
SHA5122e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
632KB
-
Filesize
756KB
-
Filesize
64KB
-
Filesize
2.5MB
-
Filesize
212KB
-
Filesize
1.0MB
-
Filesize
428KB
-
Filesize
236KB
-
Filesize
2.0MB
-
Filesize
760KB
-
Filesize
2.8MB
-
Filesize
628KB
-
Filesize
1.6MB
-
Filesize
1024KB
-
Filesize
172KB
-
Filesize
688KB
-
Filesize
1.3MB
-
Filesize
620KB
-
Filesize
404KB
-
Filesize
1.2MB
-
Filesize
680KB
-
Filesize
40KB
-
Filesize
340KB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
1.2MB
-
Filesize
1.3MB
-
Filesize
3.3MB
-
Filesize
820KB
-
Filesize
1.7MB
-
Filesize
428KB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
212KB
-
Filesize
236KB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
172KB
-
Filesize
10.8MB
-
Filesize
1.6MB
-
Filesize
2.5MB
-
Filesize
756KB
-
Filesize
72KB
-
Filesize
632KB
-
Filesize
680KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
64KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
64KB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
10.8MB
-
Filesize
260KB