
Analysis

  • max time kernel
    48s
  • max time network
    60s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/04/2024, 00:02

Errors

Reason
Machine shutdown

General

  • Target

    a5df302b5048eef64d951d9f68a96578bd079ef251f6a27ee278c99a6eca8b74.exe

  • Size

    37KB

  • MD5

    38f80bc71d69f2afd987673fc8d044bd

  • SHA1

    b36d1172ef54128edcf5ec580fa0107077037730

  • SHA256

    a5df302b5048eef64d951d9f68a96578bd079ef251f6a27ee278c99a6eca8b74

  • SHA512

    e1fa6dd0dc39b8eb83109baf71fb5fe999f30458972ed5b82337f6d0d5f00b29413c307bb7b03463f0d21d2ee3d6e288427ce9a10554f1deec1ab2d74c81dcbf

  • SSDEEP

    768:LZ+Zxe90i19C92eocaWTmNtY6coZOuLPfBXMqR:LaiZ19C92eocaWTKtNJZOuTfBXMqR

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2568
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:2616
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:2836
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3444
    • C:\Users\Admin\AppData\Local\Temp\a5df302b5048eef64d951d9f68a96578bd079ef251f6a27ee278c99a6eca8b74.exe
      "C:\Users\Admin\AppData\Local\Temp\a5df302b5048eef64d951d9f68a96578bd079ef251f6a27ee278c99a6eca8b74.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Users\Admin\AppData\Local\Temp\lcm.exe
        "C:\Users\Admin\AppData\Local\Temp\lcm.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4608
        • C:\Users\Admin\AppData\Local\Temp\lsias.exe
          "C:\Users\Admin\AppData\Local\Temp\lsias.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4208
          • C:\Users\Admin\AppData\Local\Temp\Botye\yhih.exe
            "C:\Users\Admin\AppData\Local\Temp\Botye\yhih.exe"
            5⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1636
            • C:\Windows\SYSTEM32\bcdedit.exe
              bcdedit.exe -set TESTSIGNING ON
              6⤵
              • Modifies boot configuration data using bcdedit
              PID:2480
            • C:\Windows\SYSTEM32\bcdedit.exe
              bcdedit.exe -set TESTSIGNING ON
              6⤵
              • Modifies boot configuration data using bcdedit
              PID:1152
            • C:\Windows\SYSTEM32\bcdedit.exe
              bcdedit.exe -set TESTSIGNING ON
              6⤵
              • Modifies boot configuration data using bcdedit
              PID:116
            • C:\Windows\SYSTEM32\bcdedit.exe
              bcdedit.exe -set TESTSIGNING ON
              6⤵
              • Modifies boot configuration data using bcdedit
              PID:4592
            • C:\Windows\SYSTEM32\bcdedit.exe
              bcdedit.exe -set TESTSIGNING ON
              6⤵
              • Modifies boot configuration data using bcdedit
              PID:3288
            • C:\Windows\SYSTEM32\bcdedit.exe
              bcdedit.exe -set TESTSIGNING ON
              6⤵
              • Modifies boot configuration data using bcdedit
              PID:836
            • C:\Windows\SYSTEM32\bcdedit.exe
              bcdedit.exe -set TESTSIGNING ON
              6⤵
              • Modifies boot configuration data using bcdedit
              PID:4772
            • C:\Windows\SYSTEM32\bcdedit.exe
              bcdedit.exe -set TESTSIGNING ON
              6⤵
              • Modifies boot configuration data using bcdedit
              PID:1796
            • C:\Windows\SYSTEM32\bcdedit.exe
              bcdedit.exe -set TESTSIGNING ON
              6⤵
              • Modifies boot configuration data using bcdedit
              PID:4916
            • C:\Windows\SYSTEM32\bcdedit.exe
              bcdedit.exe -set TESTSIGNING ON
              6⤵
              • Modifies boot configuration data using bcdedit
              PID:4112
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ONU859E.bat"
            5⤵
            PID:4584
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 800
            5⤵
            • Program crash
            PID:1600
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    PID:3672
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3856
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3996
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4076
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2784
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:2764
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:2204
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    1⤵
    PID:1216
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
    1⤵
    PID:3384
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.129 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.92 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b0,0x7ffd0ada5fd8,0x7ffd0ada5fe4,0x7ffd0ada5ff0
      2⤵
      PID:4448
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3532 --field-trial-handle=3536,i,10914981530159316853,12381340356750224673,262144 --variations-seed-version /prefetch:2
      2⤵
      PID:3636
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3632 --field-trial-handle=3536,i,10914981530159316853,12381340356750224673,262144 --variations-seed-version /prefetch:3
      2⤵
      PID:1584
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=3536,i,10914981530159316853,12381340356750224673,262144 --variations-seed-version /prefetch:8
      2⤵
      PID:4268
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5380 --field-trial-handle=3536,i,10914981530159316853,12381340356750224673,262144 --variations-seed-version /prefetch:1
      2⤵
      PID:2904
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5524 --field-trial-handle=3536,i,10914981530159316853,12381340356750224673,262144 --variations-seed-version /prefetch:1
      2⤵
      PID:3688
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
    1⤵
    PID:4196
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
    1⤵
    PID:3800
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:4124
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:2728
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:8
  • C:\Windows\System32\wuapihost.exe
    C:\Windows\System32\wuapihost.exe -Embedding
    1⤵
    PID:3424
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4208 -ip 4208
    1⤵
    PID:2340
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa396f855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2416

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Botye\yhih.exe
    Filesize
    593KB
    MD5
    074e3a2c3f9c328270cee84ae129520a
    SHA1
    08bfab4e28d7398f2bf065a5b8fc262fd68809ff
    SHA256
    28c1d94a1d8d5bc5818c126e75f777bd71f30a0d2ddaa7289c64e47785383b4a
    SHA512
    5bf71bf21d86d2459f117a585563c69dbaf97b46c4276bae9fc85f3197937127735d6ce63ebead510c0029c4868971fbf53218424e8031d32c3b84aef8e19271

  • C:\Users\Admin\AppData\Local\Temp\ONU859E.bat
    Filesize
    185B
    MD5
    69a8260339b63f8ea6f7854a22f12b06
    SHA1
    53ee65f3b863fb5c2fe28cf0f108ecc5413ef0a7
    SHA256
    9d3f8a4a9a39d4c3c4f8c2200aee1d5ef13320dd8f9c8ad5e14df70cc6c2f7e4
    SHA512
    889ffedb195e2f0adcad1f2e0add8cb8e7388528b60c69969729afe7f6611037d7189455e80d325f05e2389c06f8fac3239e9739ff8445aecd7f33a0f1c0ee17

  • C:\Users\Admin\AppData\Local\Temp\lcm.exe
    Filesize
    37KB
    MD5
    7dbba94859c6d13b02aa6010301d942e
    SHA1
    95719bc59b38ea41e2944899de0171a7a064c52e
    SHA256
    8a4c97df18716d25c508608a6baaf8e940dded4f68cb4924943bc94375f4e327
    SHA512
    08151b054efb79826d470abc44f65923e1b42a93490f9428f5f767439d5fe0dca604a4786524a511ca8ea89c8a8286847cc77eed579a345c8e29accab7758a12

  • C:\Users\Admin\AppData\Local\Temp\lsias.exe
    Filesize
    593KB
    MD5
    b765fa6dafe847a21badd35b2db70ce0
    SHA1
    8de082342547052dbe43bf9d9df0ec5fc4586eb9
    SHA256
    b943dea63930db983b6d4524dbecf76bc94ece24bc68ee69a658c3e05164ffb9
    SHA512
    4ccdc9bad6e957f5df3f7ccb3cd11085b44fa234334dacbf042ec942ed67b244178681426f85d38d7ca4c5583d5b546a5c43ba6d6c098d5f63522ed06c99c674

  • memory/1636-68-0x0000000000400000-0x000000000046D000-memory.dmp
    Filesize
    436KB

  • memory/1636-69-0x0000000000400000-0x0000000000499000-memory.dmp
    Filesize
    612KB

  • memory/1636-70-0x0000000000480000-0x0000000000486000-memory.dmp
    Filesize
    24KB

  • memory/1636-71-0x0000000000400000-0x000000000046D000-memory.dmp
    Filesize
    436KB

  • memory/1636-31-0x0000000000400000-0x0000000000499000-memory.dmp
    Filesize
    612KB

  • memory/1636-37-0x0000000000480000-0x0000000000486000-memory.dmp
    Filesize
    24KB

  • memory/1636-52-0x0000000000400000-0x000000000046D000-memory.dmp
    Filesize
    436KB

  • memory/1636-50-0x0000000000400000-0x000000000046D000-memory.dmp
    Filesize
    436KB

  • memory/3680-0-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize
    28KB

  • memory/4208-45-0x000000006FFF0000-0x0000000070000000-memory.dmp
    Filesize
    64KB

  • memory/4208-47-0x00000000021B0000-0x000000000221D000-memory.dmp
    Filesize
    436KB

  • memory/4208-42-0x000000006FFF0000-0x0000000070000000-memory.dmp
    Filesize
    64KB

  • memory/4208-44-0x000000006FFF0000-0x0000000070000000-memory.dmp
    Filesize
    64KB

  • memory/4208-43-0x000000006FFF0000-0x0000000070000000-memory.dmp
    Filesize
    64KB

  • memory/4208-40-0x00000000021B0000-0x000000000221D000-memory.dmp
    Filesize
    436KB

  • memory/4208-46-0x00000000021B0000-0x000000000221D000-memory.dmp
    Filesize
    436KB

  • memory/4208-25-0x0000000000400000-0x000000000046D000-memory.dmp
    Filesize
    436KB

  • memory/4208-39-0x000000006FFF0000-0x0000000070000000-memory.dmp
    Filesize
    64KB

  • memory/4208-38-0x00000000021B0000-0x000000000221D000-memory.dmp
    Filesize
    436KB

  • memory/4208-19-0x0000000000400000-0x0000000000499000-memory.dmp
    Filesize
    612KB

  • memory/4208-20-0x00000000020D0000-0x00000000020D1000-memory.dmp
    Filesize
    4KB

  • memory/4208-21-0x0000000000400000-0x000000000046D000-memory.dmp
    Filesize
    436KB

  • memory/4208-41-0x000000006FFF0000-0x0000000070000000-memory.dmp
    Filesize
    64KB

  • memory/4208-67-0x0000000000400000-0x000000000046D000-memory.dmp
    Filesize
    436KB

  • memory/4584-60-0x000000006FFF0000-0x0000000070000000-memory.dmp
    Filesize
    64KB

  • memory/4584-63-0x000000006FFF0000-0x0000000070000000-memory.dmp
    Filesize
    64KB

  • memory/4584-62-0x000000006FFF0000-0x0000000070000000-memory.dmp
    Filesize
    64KB

  • memory/4584-64-0x0000000000D00000-0x0000000000D6D000-memory.dmp
    Filesize
    436KB

  • memory/4584-65-0x0000000000D00000-0x0000000000D6D000-memory.dmp
    Filesize
    436KB

  • memory/4584-61-0x000000006FFF0000-0x0000000070000000-memory.dmp
    Filesize
    64KB

  • memory/4584-59-0x000000006FFF0000-0x0000000070000000-memory.dmp
    Filesize
    64KB

  • memory/4584-58-0x000000006FFF0000-0x0000000070000000-memory.dmp
    Filesize
    64KB

  • memory/4584-57-0x000000006FFF0000-0x0000000070000000-memory.dmp
    Filesize
    64KB

  • memory/4584-51-0x0000000000D00000-0x0000000000D6D000-memory.dmp
    Filesize
    436KB

  • memory/4608-9-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize
    28KB