Analysis
- max time kernel: 148s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/03/2024, 05:15
Static task: static1
Behavioral task: behavioral1 (Sample: b698b8bafffbe7276d9a3c25a4a73bd3.exe, Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: b698b8bafffbe7276d9a3c25a4a73bd3.exe, Resource: win10v2004-20240226-en)
General
- Target: b698b8bafffbe7276d9a3c25a4a73bd3.exe
- Size: 130KB
- MD5: b698b8bafffbe7276d9a3c25a4a73bd3
- SHA1: 21e2afa4e38484eed7ec0c43d8a743cd8ca011d7
- SHA256: 5c631157cd222fdcb2f60390d7cc2cbe19e32e551d4a11b178fad8760a1cf734
- SHA512: 2b6c7572636fac7e1815778bb02e766cbc5f15a63b55f46570c87826d7c94d6397ed81b9d881ac4a5f7c5caf3253aa3fb42e4e14ceedea0edea07fe75a133c54
- SSDEEP: 3072:A5t15OFp3QKBR+wqVe93Z+0UUyuIDcR3zO0pCfqFzu:qt15OF11R+tw+0UUyuCKpQfk
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 10 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Adobe\WindowsUpdateService.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\WindowsUpdateService.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\zuperss.exe = "C:\\Users\\Admin\\AppData\\Roaming\\zuperss.exe:*:Enabled:Windows Messanger" | reg.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4700 | WindowsUpdateService.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\WindowsUpdateService.exe" | b698b8bafffbe7276d9a3c25a4a73bd3.exe
- Modifies registry key (1 TTP, 4 IoCs)
  pid | Process
  3848 | reg.exe
  1076 | reg.exe
  1544 | reg.exe
  2616 | reg.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  All 35 entries belong to pid 4700, WindowsUpdateService.exe. Tokens, in report order:
  1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  4700 | WindowsUpdateService.exe (3 entries)
- Suspicious use of WriteProcessMemory (27 IoCs)
  Each row below appears three times in the report.
  description | pid | Process | procid_target
  PID 1796 wrote to memory of 4700 | 1796 | b698b8bafffbe7276d9a3c25a4a73bd3.exe | 89
  PID 4700 wrote to memory of 4392 | 4700 | WindowsUpdateService.exe | 91
  PID 4700 wrote to memory of 2596 | 4700 | WindowsUpdateService.exe | 93
  PID 4700 wrote to memory of 4972 | 4700 | WindowsUpdateService.exe | 94
  PID 4700 wrote to memory of 5016 | 4700 | WindowsUpdateService.exe | 95
  PID 2596 wrote to memory of 1076 | 2596 | cmd.exe | 100
  PID 4392 wrote to memory of 1544 | 4392 | cmd.exe | 101
  PID 5016 wrote to memory of 2616 | 5016 | cmd.exe | 102
  PID 4972 wrote to memory of 3848 | 4972 | cmd.exe | 103
Processes
- C:\Users\Admin\AppData\Local\Temp\b698b8bafffbe7276d9a3c25a4a73bd3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b698b8bafffbe7276d9a3c25a4a73bd3.exe"
  PID: 1796
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Adobe\WindowsUpdateService.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\WindowsUpdateService.exe"
    PID: 4700
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 4392
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 1544
        Signatures: Modifies firewall policy service; Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\WindowsUpdateService.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\WindowsUpdateService.exe:*:Enabled:Windows Messanger" /f
      PID: 2596
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\WindowsUpdateService.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\WindowsUpdateService.exe:*:Enabled:Windows Messanger" /f
        PID: 1076
        Signatures: Modifies firewall policy service; Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 4972
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 3848
        Signatures: Modifies firewall policy service; Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\zuperss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\zuperss.exe:*:Enabled:Windows Messanger" /f
      PID: 5016
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\zuperss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\zuperss.exe:*:Enabled:Windows Messanger" /f
        PID: 2616
        Signatures: Modifies firewall policy service; Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 130KB
  MD5: b698b8bafffbe7276d9a3c25a4a73bd3
  SHA1: 21e2afa4e38484eed7ec0c43d8a743cd8ca011d7
  SHA256: 5c631157cd222fdcb2f60390d7cc2cbe19e32e551d4a11b178fad8760a1cf734
  SHA512: 2b6c7572636fac7e1815778bb02e766cbc5f15a63b55f46570c87826d7c94d6397ed81b9d881ac4a5f7c5caf3253aa3fb42e4e14ceedea0edea07fe75a133c54