Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
09/03/2024, 21:22
Static task
static1
Behavioral task
behavioral1
Sample
24761ed58e91089601df6c6d9e3c5a8b3cd0b2fc7cbb5ff612ab8a3499c218fc.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
24761ed58e91089601df6c6d9e3c5a8b3cd0b2fc7cbb5ff612ab8a3499c218fc.exe
Resource
win10v2004-20240226-en
General
-
Target
24761ed58e91089601df6c6d9e3c5a8b3cd0b2fc7cbb5ff612ab8a3499c218fc.exe
-
Size
486KB
-
MD5
b4f36542893c279919704e4cecab18a4
-
SHA1
9a64584fa10222235468511afa5c412ea02dd50b
-
SHA256
24761ed58e91089601df6c6d9e3c5a8b3cd0b2fc7cbb5ff612ab8a3499c218fc
-
SHA512
ec503111900e82c7d05de7483f0701163cc51c13a2a46eea9ab2dccc2be7cf624a19f53b35cdd2eb7b176ccc8c4890d8c0a613b645b65f6ef0eec52aa4c476f4
-
SSDEEP
12288:hQlc87eqqV5e+wBV6O+eGDRkR9qr7nIRjZim5:hQSqqHeVBxQ89qrreVim5
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 2700 ipcoName.exe 4116 setxtar.exe 3944 ~9ED0.tmp -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcbucaui = "C:\\Users\\Admin\\AppData\\Roaming\\insticpl\\ipcoName.exe" 24761ed58e91089601df6c6d9e3c5a8b3cd0b2fc7cbb5ff612ab8a3499c218fc.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\setxtar.exe 24761ed58e91089601df6c6d9e3c5a8b3cd0b2fc7cbb5ff612ab8a3499c218fc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2700 ipcoName.exe 2700 ipcoName.exe 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE 3496 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2700 ipcoName.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3496 Explorer.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1968 wrote to memory of 2700 1968 24761ed58e91089601df6c6d9e3c5a8b3cd0b2fc7cbb5ff612ab8a3499c218fc.exe 97 PID 1968 wrote to memory of 2700 1968 24761ed58e91089601df6c6d9e3c5a8b3cd0b2fc7cbb5ff612ab8a3499c218fc.exe 97 PID 1968 wrote to memory of 2700 1968 24761ed58e91089601df6c6d9e3c5a8b3cd0b2fc7cbb5ff612ab8a3499c218fc.exe 97 PID 2700 wrote to memory of 3944 2700 ipcoName.exe 99 PID 2700 wrote to memory of 3944 2700 ipcoName.exe 99 PID 3944 wrote to memory of 3496 3944 ~9ED0.tmp 55
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:3496 -
C:\Users\Admin\AppData\Local\Temp\24761ed58e91089601df6c6d9e3c5a8b3cd0b2fc7cbb5ff612ab8a3499c218fc.exe"C:\Users\Admin\AppData\Local\Temp\24761ed58e91089601df6c6d9e3c5a8b3cd0b2fc7cbb5ff612ab8a3499c218fc.exe"2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Users\Admin\AppData\Roaming\insticpl\ipcoName.exe"C:\Users\Admin\AppData\Roaming\insticpl"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\~9ED0.tmp3496 497672 2700 14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944
-
-
-
-
C:\Windows\SysWOW64\setxtar.exeC:\Windows\SysWOW64\setxtar.exe -s1⤵
- Executes dropped EXE
PID:4116
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4188 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:81⤵PID:3304
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD586dc243576cf5c7445451af37631eea9
SHA199a81c47c4c02f32c0ab456bfa23c306c7a09bf9
SHA25625d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a
SHA512c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4
-
Filesize
486KB
MD5bbfb2a67857add2e13cab5ec4e11c357
SHA1d52b28095d79331c7e54cd5c049ac56a04ff040c
SHA256209c4d1e0e13bb006de8ef9863990a57715cebd6bfff2f45466e81eb9d416bd1
SHA5125dc822fb93819b9f2a014ffdd14d3a3edd8e80e471460ec5850371ab1f255d298e896ef05df85bbfd5320335d38f15ccbc7729cf812fd122ecbea5c1267ad94c