Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/04/2024, 07:48
Static task: static1
Behavioral task: behavioral1
  Sample: a8ae10b43cbf4e3344e0184b33a699b19a29866bc1e41201ace1a995e8ca3149.lnk
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a8ae10b43cbf4e3344e0184b33a699b19a29866bc1e41201ace1a995e8ca3149.lnk
  Resource: win10v2004-20240319-en
General
Target: a8ae10b43cbf4e3344e0184b33a699b19a29866bc1e41201ace1a995e8ca3149.lnk
Size: 1KB
MD5: 9e51506816ad620c9e6474c52a9004a6
SHA1: 1c3484db28964f43ee9587bc0260d86ac7e7cc0c
SHA256: a8ae10b43cbf4e3344e0184b33a699b19a29866bc1e41201ace1a995e8ca3149
SHA512: e7bcb6c45b9044ef237ee607b1dffb3358dc3807dac138a90827a5915871eee094462380a086b8415826e52dd072cb30ded9caed8a9cd0d9f3581834f7eb7f28
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | cmd.exe

Drops file in Windows directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\aa7637f2-933e-45cf-9086-6b6ac0adbc18.tmp | Robocopy.exe
File created | C:\Windows\Tasks\JavaDeployReg.log | Robocopy.exe
File created | C:\Windows\Tasks\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240319182824_000_dotnet_runtime_6.0.27_win_x64.msi.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240319182824_001_dotnet_hostfxr_6.0.27_win_x64.msi.log | Robocopy.exe
File created | C:\Windows\Tasks\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240319182917.log | Robocopy.exe
File created | C:\Windows\Tasks\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240319182917_002_dotnet_host_8.0.2_win_x64.msi.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\msedge_installer.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240319182917_003_windowsdesktop_runtime_8.0.2_win_x64.msi.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\BroadcastMsg_1710873268.txt | Robocopy.exe
File created | C:\Windows\Tasks\BroadcastMsg_1710873268.txt | Robocopy.exe
File created | C:\Windows\Tasks\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt | Robocopy.exe
File opened for modification | C:\Windows\Tasks\dd_vcredistUI366E.txt | Robocopy.exe
File opened for modification | C:\Windows\Tasks\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240319182824.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240319182824_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240319182917_001_dotnet_hostfxr_8.0.2_win_x64.msi.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\wctB24A.tmp | Robocopy.exe
File created | C:\Windows\Tasks\dd_vcredistUI366E.txt | Robocopy.exe
File created | C:\Windows\Tasks\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240319182824_001_dotnet_hostfxr_6.0.27_win_x64.msi.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\wct9C11.tmp | Robocopy.exe
File created | C:\Windows\Tasks\{C5DFAF50-6C25-47CA-B046-291FAC4519C0} - OProcSessId.dat | Robocopy.exe
File created | C:\Windows\Tasks\wct97C.tmp | Robocopy.exe
File created | C:\Windows\Tasks\wctB24A.tmp | Robocopy.exe
File opened for modification | C:\Windows\Tasks\aria-debug-4692.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\FCICZEBD-20240319-1835.log | Robocopy.exe
File created | C:\Windows\Tasks\FCICZEBD-20240319-1835a.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\jawshtml.html | Robocopy.exe
File created | C:\Windows\Tasks\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240319182824.log | Robocopy.exe
File created | C:\Windows\Tasks\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240319182824_002_dotnet_host_6.0.27_win_x64.msi.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\wct97C.tmp | Robocopy.exe
File opened for modification | C:\Windows\Tasks\JavaDeployReg.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\jusched.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\ca3bf03d-d23a-44af-8874-77c43c477df5.tmp | Robocopy.exe
File created | C:\Windows\Tasks\dd_vcredistMSI363D.txt | Robocopy.exe
File opened for modification | C:\Windows\Tasks\dd_vcredistUI363D.txt | Robocopy.exe
File opened for modification | C:\Windows\Tasks\Microsoft .NET Framework 4.7.2 Setup_20240319_182754776.html | Robocopy.exe
File opened for modification | C:\Windows\Tasks\wct4E1B.tmp | Robocopy.exe
File created | C:\Windows\Tasks\wct9C11.tmp | Robocopy.exe
File created | C:\Windows\Tasks\chrome_installer.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\dd_vcredistMSI363D.txt | Robocopy.exe
File opened for modification | C:\Windows\Tasks\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240319182824_000_dotnet_runtime_6.0.27_win_x64.msi.log | Robocopy.exe
File created | C:\Windows\Tasks\msedge_installer.log | Robocopy.exe
File created | C:\Windows\Tasks\cv_debug.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240319182824_002_dotnet_host_6.0.27_win_x64.msi.log | Robocopy.exe
File created | C:\Windows\Tasks\wctE9B4.tmp | Robocopy.exe
File opened for modification | C:\Windows\Tasks\wmsetup.log | Robocopy.exe
File created | C:\Windows\Tasks\wmsetup.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\cv_debug.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt | Robocopy.exe
File opened for modification | C:\Windows\Tasks\FCICZEBD-20240319-1835a.log | Robocopy.exe
File created | C:\Windows\Tasks\AdobeSFX.log | Robocopy.exe
File created | C:\Windows\Tasks\jusched.log | Robocopy.exe
File created | C:\Windows\Tasks\Microsoft .NET Framework 4.7.2 Setup_20240319_182754776.html | Robocopy.exe
File created | C:\Windows\Tasks\wct4E1B.tmp | Robocopy.exe
File opened for modification | C:\Windows\Tasks\a8ae10b43cbf4e3344e0184b33a699b19a29866bc1e41201ace1a995e8ca3149.lnk | Robocopy.exe
File created | C:\Windows\Tasks\a8ae10b43cbf4e3344e0184b33a699b19a29866bc1e41201ace1a995e8ca3149.lnk | Robocopy.exe
File opened for modification | C:\Windows\Tasks\chrome_installer.log | Robocopy.exe
File created | C:\Windows\Tasks\dd_vcredistMSI366E.txt | Robocopy.exe
File created | C:\Windows\Tasks\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240319182917_003_windowsdesktop_runtime_8.0.2_win_x64.msi.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\aa7637f2-933e-45cf-9086-6b6ac0adbc18.tmp | Robocopy.exe
File created | C:\Windows\Tasks\aria-debug-4692.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\dd_vcredistMSI366E.txt | Robocopy.exe
File created | C:\Windows\Tasks\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240319182824_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240319182917_002_dotnet_host_8.0.2_win_x64.msi.log | Robocopy.exe
File opened for modification | C:\Windows\Tasks\AdobeSFX.log | Robocopy.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 2292 | Robocopy.exe
Token: SeRestorePrivilege | 2292 | Robocopy.exe
Token: SeSecurityPrivilege | 2292 | Robocopy.exe
Token: SeTakeOwnershipPrivilege | 2292 | Robocopy.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2112 wrote to memory of 4604 | 2112 | cmd.exe | 96
PID 2112 wrote to memory of 4604 | 2112 | cmd.exe | 96
PID 4604 wrote to memory of 2292 | 4604 | cmd.exe | 97
PID 4604 wrote to memory of 2292 | 4604 | cmd.exe | 97
Processes
C:\Windows\system32\cmd.exe (PID 2112)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\a8ae10b43cbf4e3344e0184b33a699b19a29866bc1e41201ace1a995e8ca3149.lnk
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 4604)
    Command line: "C:\Windows\system32\cmd.exe" /q /c "robocopy . C:\Windows\Tasks /NODCOPY /NFL /NDL /NJH /NJS /NC /NS /NP > nul & start C:\Windows\Tasks\CCleanerReactivator.exe > nul"
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\Robocopy.exe (PID 2292)
      Command line: robocopy . C:\Windows\Tasks /NODCOPY /NFL /NDL /NJH /NJS /NC /NS /NP
      Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4484)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4976 --field-trial-handle=2268,i,4334050275411101233,11484630688883830558,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 63KB
MD5: e516a60bc980095e8d156b1a99ab5eee
SHA1: 238e243ffc12d4e012fd020c9822703109b987f6
SHA256: 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA512: 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58