Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
17/04/2024, 12:37
240417-pths4afc45 817/04/2024, 12:37
240417-ptg7kafc43 817/04/2024, 12:36
240417-ptcbbafc34 817/04/2024, 12:36
240417-ptbpsafc29 817/04/2024, 12:36
240417-pta39afc28 816/04/2024, 13:44
240416-q1vxnsda7z 8Analysis
-
max time kernel
145s -
max time network
156s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
17/04/2024, 12:36
General
-
Target
64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
-
Size
5.3MB
-
MD5
63552c60caeefe5f2d0e4028b3cc65d3
-
SHA1
dbed3040d53495a6afda01bfb8399376792eb48c
-
SHA256
64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab
-
SHA512
caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0
-
SSDEEP
98304:vwrOjNr08jQxkFg97Nw76XgfqCPa1AQy2cmw:YC5r0wQxKg97Nw76XgyC6
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe"C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM2⤵
- Creates scheduled task(s)
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\~tlCC4F.tmpC:\Users\Admin\AppData\Local\Temp\~tlCC4F.tmp3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645114⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5268b890dae39e430e8b127909067ed96
SHA135939515965c0693ef46e021254c3e73ea8c4a2b
SHA2567643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c
SHA512abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb
-
Filesize
1KB
MD525b20391137be191190a7e0ad7d4d16f
SHA13bcf32e209fe4d385eb48c8977a9114533c86d6a
SHA256ccac288eb7e10339ccd5d4d97c4bca8722ee8d8f293fc54ec83e468fbbc20da1
SHA5128560cb3494fb2f5121e27ba6861fe93dc388270f29f26682e4fde2c40ae5323a9887eabbc2ef55287fe24634006eceb9c88aa8385de41a1407dcf82f9432cec1
-
Filesize
1KB
MD507d8e464679c0efee6b3b9506757603d
SHA144f2bfc6f6e840294b605b10bdc970cc07fa3606
SHA2567418547094386c2104ab2599e4332f60ab1e5c87927cb41f1ae37abe3cb92bfa
SHA512ce76f02077e73741ba3d5fe12b523dd5c66ad6b6c981337649c6fc0a72cbbc0d7e5c13a462bd009318c16132631ec79f412445e1d88fbd1075c0bf12b37626b1
-
Filesize
1KB
MD562959df62ecea4d5a75cbb8e98459796
SHA180f0b42dd2da11f1953fd2fe5d66c387d56c9359
SHA256471c2e25775d8c60eae9c5d0726a2c2551c384eb8415e95eeed07e8ea58bd422
SHA51286b378e83fc23d50ca3106d0952ea3dc81af6ac984b4f547cf6befc1789425fef0ac46a9bab12105a15aaf11c193d570b9d418717af32017589f3ffdb177a693
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
385KB
MD5e802c96760e48c5139995ffb2d891f90
SHA1bba3d278c0eb1094a26e5d2f4c099ad685371578
SHA256cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c
SHA51297300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0
-
Filesize
2.6MB
MD58c29dca81612f559ac2e9aa5012896e4
SHA1e7b504c8be6ae987ced54380dc2a34d03c613ef7
SHA256b8ac5707fb24e123ee2bb53e97cfb166b3e86f1ee46b36bef7c41cf0f58047fd
SHA5127c910b5c97dc3f556d35c9b48dd5ea4c4b55827bb66b508347c63650ad744f3992280df808a187f06daede1895347c46787fd110ba2015f92a927ab1f650a98c
-
Filesize
14.9MB
MD55a59ba5e60de2a79398d6c997efb9ef1
SHA10d21362f48464a54117f3c8f663bed2c630f83a0
SHA256ccfd00cdabb93c6b8a3a551f0b3983b013814583feba0eba2c24e416be53a9c0
SHA512acfba24fbdca3f0f55957ba3f82e0364dd2bed7feb002eb5ad721193f46838c45e5a30f7602b7be970853c519ca1888d17f4b1162111187f59908ee82e792f46
-
Filesize
5.3MB
MD563552c60caeefe5f2d0e4028b3cc65d3
SHA1dbed3040d53495a6afda01bfb8399376792eb48c
SHA25664e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab
SHA512caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
5.0MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
9.9MB