Analysis
- max time kernel: 142s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/04/2024, 00:04
Static task: static1
Behavioral task: behavioral1
- Sample: a67b142a24413f171257225a4de7742dd738e2dd4810f2405f6621a836ee3cd5.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a67b142a24413f171257225a4de7742dd738e2dd4810f2405f6621a836ee3cd5.exe
- Resource: win10v2004-20231215-en
General
- Target: a67b142a24413f171257225a4de7742dd738e2dd4810f2405f6621a836ee3cd5.exe
- Size: 217KB
- MD5: 83f557aa5169668c7fbf72243da80d24
- SHA1: bc7935296343fee42ce2cdbddeaa900832c39e57
- SHA256: a67b142a24413f171257225a4de7742dd738e2dd4810f2405f6621a836ee3cd5
- SHA512: be1062701dd8e6389c89832f418d23ea37fa8dc1bcf8ae5a360abf0ea4b6f1dc1aca0f32dbfd76a6847654bfa403c461f9755ecd3c9f0ab69c8f44c8fa6ad95b
- SSDEEP: 6144:KrRaTyDOnlo7eM+mlkWgRXOqobzWjozm2ulYM6Y:QsTbzu1glovW4EH6Y
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | svchost.exe
- Executes dropped EXE (1 IoC)
  pid | process
  1588 | svchost.exe
- Modifies WinLogon (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\45e5164a = "O\x19#Q7€\x1a;û¸Ò?nœ\u008fŸ0m\x14ZȘ\tbMç³)ÓlødDþ$äÛzÿ\x14ü㆔\"dÔ”þ¼n4´æ\u008d\f×BtÇ>v§\x06žƒü\n\x13»>ä\x06›[7—4®¾Å\u009dlz”â\x1c4GŒ\x7fô\a’_\x14þn,ß—&N\fì>´O4TTs\\¤kä\x16äÏwþ\x7f”ÌÛª‡[Ì\x7fªæ¢>››\x16öôD¢Dv¼wŒ$\x1e-Ô\x14[~o4¯’§¾NŽ#Ü…rW®ÌkÖ\x1c4\\4\nÞ¬R¶ìl;gµ]2ZöÇ®ƒŒ\x066´v\x15\x1fî^_߆›<–M\x16ì\x0f†’zC7…wŒN‡j´‹¿?ŠÏ\x17ËK\u008dzÌÞ=ÿÛ$\n¼ïþîƒV\x12L\x1bÜþ^õýæm\u00ad\x1c^æU" | a67b142a24413f171257225a4de7742dd738e2dd4810f2405f6621a836ee3cd5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\45e5164a = "O\x19#Q7€\x1a;û¸Ò?nœ\u008fŸ0m\x14ZȘ\tbMç³)ÓlødDþ$äÛzÿ\x14ü㆔\"dÔ”þ¼n4´æ\u008d\f×BtÇ>v§\x06žƒü\n\x13»>ä\x06›[7—4®¾Å\u009dlz”â\x1c4GŒ\x7fô\a’_\x14þn,ß—&N\fì>´O4TTs\\¤kä\x16äÏwþ\x7f”ÌÛª‡[Ì\x7fªæ¢>››\x16öôD¢Dv¼wŒ$\x1e-Ô\x14[~o4¯’§¾NŽ#Ü…rW®ÌkÖ\x1c4\\4\nÞ¬R¶ìl;gµ]2ZöÇ®ƒŒ\x066´v\x15\x1fî^_߆›<–M\x16ì\x0f†’zC7…wŒN‡j´‹¿?ŠÏ\x17ËK\u008dzÌÞ=ÿÛ$\n¼ïþîƒV\x12L\x1bÜþ^õýæm\u00ad\x1c^æU" | svchost.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\apppatch\svchost.exe | a67b142a24413f171257225a4de7742dd738e2dd4810f2405f6621a836ee3cd5.exe
  File opened for modification | C:\Windows\apppatch\svchost.exe | a67b142a24413f171257225a4de7742dd738e2dd4810f2405f6621a836ee3cd5.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  3508 | a67b142a24413f171257225a4de7742dd738e2dd4810f2405f6621a836ee3cd5.exe (8 entries)
  1588 | svchost.exe (56 entries)
- Suspicious behavior: RenamesItself (1 IoC)
  pid | process
  3508 | a67b142a24413f171257225a4de7742dd738e2dd4810f2405f6621a836ee3cd5.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | procid_target
  PID 3508 wrote to memory of 1588 | 3508 | a67b142a24413f171257225a4de7742dd738e2dd4810f2405f6621a836ee3cd5.exe | 85
  PID 3508 wrote to memory of 1588 | 3508 | a67b142a24413f171257225a4de7742dd738e2dd4810f2405f6621a836ee3cd5.exe | 85
  PID 3508 wrote to memory of 1588 | 3508 | a67b142a24413f171257225a4de7742dd738e2dd4810f2405f6621a836ee3cd5.exe | 85
Processes
- C:\Users\Admin\AppData\Local\Temp\a67b142a24413f171257225a4de7742dd738e2dd4810f2405f6621a836ee3cd5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a67b142a24413f171257225a4de7742dd738e2dd4810f2405f6621a836ee3cd5.exe"
  Depth: 1
  PID: 3508
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\apppatch\svchost.exe
    Command line: "C:\Windows\apppatch\svchost.exe"
    Depth: 2
    PID: 1588
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Modifies WinLogon
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads