Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
17/04/2024, 12:37
240417-pths4afc45 817/04/2024, 12:37
240417-ptg7kafc43 817/04/2024, 12:36
240417-ptcbbafc34 817/04/2024, 12:36
240417-ptbpsafc29 817/04/2024, 12:36
240417-pta39afc28 816/04/2024, 13:44
240416-q1vxnsda7z 8Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
17/04/2024, 12:36
General
-
Target
64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
-
Size
5.3MB
-
MD5
63552c60caeefe5f2d0e4028b3cc65d3
-
SHA1
dbed3040d53495a6afda01bfb8399376792eb48c
-
SHA256
64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab
-
SHA512
caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0
-
SSDEEP
98304:vwrOjNr08jQxkFg97Nw76XgfqCPa1AQy2cmw:YC5r0wQxKg97Nw76XgyC6
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe"C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM2⤵
- Creates scheduled task(s)
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\~tlE12F.tmpC:\Users\Admin\AppData\Local\Temp\~tlE12F.tmp3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645114⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5cd5b15b46b9fe0d89c2b8d351c303d2a
SHA1e1d30a8f98585e20c709732c013e926c7078a3c2
SHA2560a8a0dcbec27e07c8dc9ef31622ac41591871416ccd9146f40d8cc9a2421da7a
SHA512d7261b2ff89adcdb909b775c6a47b3cd366b7c3f5cbb4f60428e849582c93e14e76d7dcadec79003eef7c9a3059e305d5e4f6b5b912b9ebc3518e06b0d284dd7
-
Filesize
1KB
MD508780c2b38dfe5b4a4d66b64b21e248e
SHA10bd089cd64d6ad092408e94b1900fede998e57ba
SHA256de85bf4d7891113231a13ec7a68e3abc08dd0abe307f034efd57b6e594f55a2b
SHA51211b642c5b4d18e27a9732528072147177870e57c8b1964b0b098b802c6f6f4a6dc21381cc334d7bed245b74d9952400720224ee6f2de3a893c4b1aae17af5c8f
-
Filesize
1KB
MD570195821da95053d486898e72ca39861
SHA14a2f0acb403ee4e6924ccbf883cfbf692fb7ea6b
SHA256f9db9a2c6dae797aae3469c244a37a5ffafde932a8d8749a63d4ad2ac404b5ad
SHA512f0459bb977fc5ca4ff78edf5420ad3553d66cfd6231aeae4c80ae12ffd6858fe140da95554b0c81d487c31e8b7b1d66bacc6da0582262cbf8465e94b6569139b
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
385KB
MD5e802c96760e48c5139995ffb2d891f90
SHA1bba3d278c0eb1094a26e5d2f4c099ad685371578
SHA256cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c
SHA51297300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0
-
Filesize
2.6MB
MD58c29dca81612f559ac2e9aa5012896e4
SHA1e7b504c8be6ae987ced54380dc2a34d03c613ef7
SHA256b8ac5707fb24e123ee2bb53e97cfb166b3e86f1ee46b36bef7c41cf0f58047fd
SHA5127c910b5c97dc3f556d35c9b48dd5ea4c4b55827bb66b508347c63650ad744f3992280df808a187f06daede1895347c46787fd110ba2015f92a927ab1f650a98c
-
Filesize
12.4MB
MD57cfd40218d8fa06ca99d65ab7d000950
SHA1795d9ca6e9348a9d0c8d0668ca1c9b61783e1926
SHA256c54aaa54b29887a1ab5a21e62a5be0a53a4a99e9baf3226625f9023b11ce1fe0
SHA512cf9dc76f971ac715e58a112f4b65027fa88af025f114670f2b6a985d2b44a068902f89e033842423ded0dc6a0789d459e228917798fb844669e70b7309787f69
-
Filesize
5.3MB
MD563552c60caeefe5f2d0e4028b3cc65d3
SHA1dbed3040d53495a6afda01bfb8399376792eb48c
SHA25664e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab
SHA512caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
5.0MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
9.9MB