Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/03/2024, 16:21
Static task: static1
Behavioral task: behavioral1
- Sample: bc41ca8b28cefbef19913892893b6fdc.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: bc41ca8b28cefbef19913892893b6fdc.exe
- Resource: win10v2004-20240226-en
General
- Target: bc41ca8b28cefbef19913892893b6fdc.exe
- Size: 24KB
- MD5: bc41ca8b28cefbef19913892893b6fdc
- SHA1: 7873b97f271893da5977b7033e1d1ffca194e682
- SHA256: dc1a821510bb64fab32a16c29d554fa23f474d2e63ad250d2756a4f4c3a1501e
- SHA512: 72a12937274234100222afd02f6e31e3de607127fe5850aaa8cfb0fa2253ede0561a46cc5c080ddb6cec99e8009d61438e7fde8040c65be994a0f2f12ef41627
- SSDEEP: 384:Hw8s6S7GEsv9pWDeAFBis/QhGvsFTM9/7/qI0RSojYE0W:Hw8QGEM8DeA7i+QhGvsFgiI0RS
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  pid  | Process
  3532 | svchost.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description     | ioc                                                                                                    | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | rundll32.exe

- Drops file in Windows directory (6 IoCs)
  description                  | ioc                              | Process
  File opened for modification | C:\Windows\systxm32\             | bc41ca8b28cefbef19913892893b6fdc.exe
  File created                 | C:\Windows\systxm32\svchost.exe  | bc41ca8b28cefbef19913892893b6fdc.exe
  File opened for modification | C:\Windows\systxm32\svchost.exe  | bc41ca8b28cefbef19913892893b6fdc.exe
  File created                 | C:\Windows\systxm32\Service.exe  | bc41ca8b28cefbef19913892893b6fdc.exe
  File opened for modification | C:\Windows\systxm32\             | svchost.exe
  File created                 | C:\Windows\install.inf           | bc41ca8b28cefbef19913892893b6fdc.exe

- Program crash (1 IoC)
  pid  | pid_target | Process      | procid_target
  2644 | 3532       | WerFault.exe | 89

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description       | ioc                                                                    | Process
  Key opened        | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       | runonce.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  | runonce.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | Process
  3532 | svchost.exe
  3532 | svchost.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                    | pid  | Process
  Token: SeManageVolumePrivilege | 1572 | svchost.exe

- Suspicious use of WriteProcessMemory (15 IoCs)
  description                     | pid  | Process                              | procid_target
  PID 4240 wrote to memory of 3532 | 4240 | bc41ca8b28cefbef19913892893b6fdc.exe | 89
  PID 4240 wrote to memory of 3532 | 4240 | bc41ca8b28cefbef19913892893b6fdc.exe | 89
  PID 4240 wrote to memory of 3532 | 4240 | bc41ca8b28cefbef19913892893b6fdc.exe | 89
  PID 4240 wrote to memory of 3000 | 4240 | bc41ca8b28cefbef19913892893b6fdc.exe | 96
  PID 4240 wrote to memory of 3000 | 4240 | bc41ca8b28cefbef19913892893b6fdc.exe | 96
  PID 4240 wrote to memory of 3000 | 4240 | bc41ca8b28cefbef19913892893b6fdc.exe | 96
  PID 3000 wrote to memory of 3148 | 3000 | rundll32.exe                         | 97
  PID 3000 wrote to memory of 3148 | 3000 | rundll32.exe                         | 97
  PID 3000 wrote to memory of 3148 | 3000 | rundll32.exe                         | 97
  PID 4240 wrote to memory of 4052 | 4240 | bc41ca8b28cefbef19913892893b6fdc.exe | 98
  PID 4240 wrote to memory of 4052 | 4240 | bc41ca8b28cefbef19913892893b6fdc.exe | 98
  PID 4240 wrote to memory of 4052 | 4240 | bc41ca8b28cefbef19913892893b6fdc.exe | 98
  PID 3148 wrote to memory of 3728 | 3148 | runonce.exe                          | 100
  PID 3148 wrote to memory of 3728 | 3148 | runonce.exe                          | 100
  PID 3148 wrote to memory of 3728 | 3148 | runonce.exe                          | 100
Processes (indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\bc41ca8b28cefbef19913892893b6fdc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc41ca8b28cefbef19913892893b6fdc.exe"
  PID: 4240
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\systxm32\svchost.exe
      Command line: C:\Windows\systxm32\svchost.exe
      PID: 3532
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 308
          PID: 2644
          - Program crash

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Windows\install.inf
      PID: 3000
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\runonce.exe
          Command line: "C:\Windows\system32\runonce.exe" -r
          PID: 3148
          - Checks processor information in registry
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\grpconv.exe
              Command line: "C:\Windows\System32\grpconv.exe" -o
              PID: 3728

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "" .bat""
      PID: 4052

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3532 -ip 3532
  PID: 2552

C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  PID: 2984

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  PID: 1572
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads