Analysis
- max time kernel: 119s
- max time network: 106s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04/04/2024, 19:35
Static task: static1
Behavioral task: behavioral1
- Sample: TS-240404-TB2.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: TS-240404-TB2.exe
- Resource: win10v2004-20240226-en
General
- Target: TS-240404-TB2.exe
- Size: 221KB
- MD5: 16b61a24a6cd3090d1f6210ac9006c7c
- SHA1: 9618960feb88143e056fac81d92719d06b86d8e2
- SHA256: 1bda06eb2ed58ae63e076fd7856133eeb09717e7679c72957de1de7159a575a9
- SHA512: e43fb244badf332dab1225551a58155bdd85a262bb0041ac282395bf025f48955f6a34aaf3fbcf83b478be82ea5e85a2ce8be41e2f5996a493f2af7bce4c4760
- SSDEEP: 3072:yt5mFQsnQnvgkDwxWzBUEPMZZbude/4v+1IgoWakkgeAHCr1bPpaHI1FeDNAq:q5fsQvgTmBUodLVgoWavsKbP/Y
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2288 | StartMenuExperienceHost.exe

- Loads dropped DLL (2 IoCs)
  pid | Process
  2944 | TS-240404-TB2.exe
  2944 | TS-240404-TB2.exe

- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\W: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\I: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\S: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\V: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\Q: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\T: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\U: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\X: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\Y: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\B: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\E: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\H: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\G: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\O: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\R: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\M: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\N: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\P: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\Z: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\J: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\K: | StartMenuExperienceHost.exe
  File opened (read-only) | \??\L: | StartMenuExperienceHost.exe

- Suspicious behavior: EnumeratesProcesses (61 IoCs)
  pid | Process
  2944 | TS-240404-TB2.exe
  2944 | TS-240404-TB2.exe
  2944 | TS-240404-TB2.exe
  2944 | TS-240404-TB2.exe
  2944 | TS-240404-TB2.exe
  2944 | TS-240404-TB2.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe
  2288 | StartMenuExperienceHost.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeCreateTokenPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeAssignPrimaryTokenPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeLockMemoryPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeIncreaseQuotaPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeMachineAccountPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeTcbPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeSecurityPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeTakeOwnershipPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeLoadDriverPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeSystemProfilePrivilege | 2944 | TS-240404-TB2.exe
  Token: SeSystemtimePrivilege | 2944 | TS-240404-TB2.exe
  Token: SeProfSingleProcessPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeIncBasePriorityPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeCreatePagefilePrivilege | 2944 | TS-240404-TB2.exe
  Token: SeCreatePermanentPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeBackupPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeRestorePrivilege | 2944 | TS-240404-TB2.exe
  Token: SeShutdownPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeDebugPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeAuditPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeSystemEnvironmentPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeChangeNotifyPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeRemoteShutdownPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeUndockPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeSyncAgentPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeEnableDelegationPrivilege | 2944 | TS-240404-TB2.exe
  Token: SeManageVolumePrivilege | 2944 | TS-240404-TB2.exe
  Token: SeImpersonatePrivilege | 2944 | TS-240404-TB2.exe
  Token: SeCreateGlobalPrivilege | 2944 | TS-240404-TB2.exe
  Token: 31 | 2944 | TS-240404-TB2.exe
  Token: 32 | 2944 | TS-240404-TB2.exe
  Token: 33 | 2944 | TS-240404-TB2.exe
  Token: 34 | 2944 | TS-240404-TB2.exe
  Token: 35 | 2944 | TS-240404-TB2.exe
  Token: SeDebugPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeCreateTokenPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeLockMemoryPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeIncreaseQuotaPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeMachineAccountPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeTcbPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeSecurityPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeTakeOwnershipPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeLoadDriverPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeSystemProfilePrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeSystemtimePrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeProfSingleProcessPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeIncBasePriorityPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeCreatePagefilePrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeCreatePermanentPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeBackupPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeRestorePrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeShutdownPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeDebugPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeAuditPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeSystemEnvironmentPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeChangeNotifyPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeRemoteShutdownPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeUndockPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeSyncAgentPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeEnableDelegationPrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeManageVolumePrivilege | 2288 | StartMenuExperienceHost.exe
  Token: SeImpersonatePrivilege | 2288 | StartMenuExperienceHost.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2944 | TS-240404-TB2.exe
  2288 | StartMenuExperienceHost.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2944 wrote to memory of 2288 | 2944 | TS-240404-TB2.exe | 28
  PID 2944 wrote to memory of 2288 | 2944 | TS-240404-TB2.exe | 28
  PID 2944 wrote to memory of 2288 | 2944 | TS-240404-TB2.exe | 28
  PID 2944 wrote to memory of 2288 | 2944 | TS-240404-TB2.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\TS-240404-TB2.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TS-240404-TB2.exe"
  PID: 2944
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\StartMenuExperienceHost.exe (depth 2, child of PID 2944)
    Command line: "C:\ProgramData\StartMenuExperienceHost.exe"
    PID: 2288
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 221KB
- MD5: 16b61a24a6cd3090d1f6210ac9006c7c
- SHA1: 9618960feb88143e056fac81d92719d06b86d8e2
- SHA256: 1bda06eb2ed58ae63e076fd7856133eeb09717e7679c72957de1de7159a575a9
- SHA512: e43fb244badf332dab1225551a58155bdd85a262bb0041ac282395bf025f48955f6a34aaf3fbcf83b478be82ea5e85a2ce8be41e2f5996a493f2af7bce4c4760