Analysis
- max time kernel: 162s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/03/2024, 08:42
Static task: static1
Behavioral task: behavioral1
- Sample: c83006e7ae807153f6fc0f13f4550a3a.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c83006e7ae807153f6fc0f13f4550a3a.exe
- Resource: win10v2004-20240226-en
General
- Target: c83006e7ae807153f6fc0f13f4550a3a.exe
- Size: 761KB
- MD5: c83006e7ae807153f6fc0f13f4550a3a
- SHA1: 66e36a66084c4727b58503fe92a1512bc04c33c8
- SHA256: f16d44151db20fb23e0f282931fa937f485e7f0725716238c631a583169c7ff8
- SHA512: 9fa5df46a1f4b71948d8e25a35fdfc41f6850e93c5b7ac03024bdd426cb138cfc325bca1048644c4ea50a7b184b2fb839aa2f49cabaaee2618e2e4b012818aea
- SSDEEP: 12288:18IdtzeU0qKiWKQ0zu8zdpDOPReZs8W8R66WZF3Z4mxxbARuxuYT6Vxxa1/:18Idtz77KiWB0KU5OpeK8K6WZQmXbpFT
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  1496  WINDOW~1.EXE
  2884  winxp
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: c83006e7ae807153f6fc0f13f4550a3a.exe
- Drops file in Windows directory (3 IoCs)
  description                   ioc                    Process
  File created                  C:\Windows\winxp       WINDOW~1.EXE
  File opened for modification  C:\Windows\winxp       WINDOW~1.EXE
  File created                  C:\Windows\Delete.bat  WINDOW~1.EXE
- Modifies data under HKEY_USERS (5 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Process: winxp
  description: Set value (int)
  ioc: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  Process: winxp
  description: Set value (int)
  ioc: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Process: winxp
  description: Set value (int)
  ioc: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Process: winxp
  description: Set value (int)
  ioc: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  Process: winxp
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2884  winxp
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                               procid_target
  PID 636 wrote to memory of 1496   636   c83006e7ae807153f6fc0f13f4550a3a.exe  91
  PID 636 wrote to memory of 1496   636   c83006e7ae807153f6fc0f13f4550a3a.exe  91
  PID 636 wrote to memory of 1496   636   c83006e7ae807153f6fc0f13f4550a3a.exe  91
  PID 1496 wrote to memory of 4612  1496  WINDOW~1.EXE                          94
  PID 1496 wrote to memory of 4612  1496  WINDOW~1.EXE                          94
  PID 1496 wrote to memory of 4612  1496  WINDOW~1.EXE                          94
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\c83006e7ae807153f6fc0f13f4550a3a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c83006e7ae807153f6fc0f13f4550a3a.exe"
  PID: 636 (depth 1)
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE
    PID: 1496 (depth 2)
    Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\Delete.bat
      PID: 4612 (depth 3)
- Image: C:\Windows\winxp
  Command line: C:\Windows\winxp
  PID: 2884 (depth 1)
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 398KB
  MD5: f557305e284e3f0008b5556ed0aea4f4
  SHA1: 304af015334bc75d17fd5b81d8788cff929ead6c
  SHA256: 6629b16df99db497d6dc5f08e382e53fecebd6a022ae7e4ba2b0745d7f211f18
  SHA512: bcb87fe4fdc5f8dc27a5999087b6139ac09a5e355b573372832521d2b8960d20c372d77c67774452625eb473f3650275bea2523795b8dec2d1a027c200d549cb
- Filesize: 160B
  MD5: a36877fec4fde35c6b0927285e6d751b
  SHA1: 1122da3f21167b4bcaf3866408e06e35d85cca07
  SHA256: a925132d0062d8b3bd95071e438a82ce0dcb70950cfa56f17a873f99cf6c4618
  SHA512: 2d734ef1843597ecfc2992d1ad822c2374476ee310eee68e73f27f80abe393014a57acc112ad9479f471e4f5919b176b541261d4a46b61931b1308ba51b69758