Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
17/04/2024, 12:37
240417-pths4afc45 817/04/2024, 12:37
240417-ptg7kafc43 817/04/2024, 12:36
240417-ptcbbafc34 817/04/2024, 12:36
240417-ptbpsafc29 817/04/2024, 12:36
240417-pta39afc28 816/04/2024, 13:44
240416-q1vxnsda7z 8Analysis
-
max time kernel
300s -
max time network
303s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
17/04/2024, 12:36
General
-
Target
64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
-
Size
5.3MB
-
MD5
63552c60caeefe5f2d0e4028b3cc65d3
-
SHA1
dbed3040d53495a6afda01bfb8399376792eb48c
-
SHA256
64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab
-
SHA512
caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0
-
SSDEEP
98304:vwrOjNr08jQxkFg97Nw76XgfqCPa1AQy2cmw:YC5r0wQxKg97Nw76XgyC6
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 6 IoCs
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Drops file in Windows directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe"C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM2⤵
- Creates scheduled task(s)
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\~tlCE76.tmpC:\Users\Admin\AppData\Local\Temp\~tlCE76.tmp3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645114⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /TN "Timer"4⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM4⤵
- Creates scheduled task(s)
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645115⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes5⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes5⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\~tlA8AA.tmpC:\Users\Admin\AppData\Local\Temp\~tlA8AA.tmp5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645116⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes6⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes6⤵
- Modifies Windows Firewall
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD50256bd284691ed0fc502ef3c8a7e58dc
SHA1dcdf69dc8ca8bf068f65d20ef1563bbe283e2413
SHA256e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf
SHA512c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42
-
Filesize
944B
MD5a2c8179aaa149c0b9791b73ce44c04d1
SHA1703361b0d43ec7f669304e7c0ffbbfdeb1e484ff
SHA256c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a
SHA5122e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3
-
Filesize
944B
MD5e60eb305a7b2d9907488068b7065abd3
SHA11643dd7f915ac50c75bc01c53d68c5dafb9ce28d
SHA256ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135
SHA51295c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b
-
Filesize
944B
MD59c740b7699e2363ac4ecdf496520ca35
SHA1aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9
SHA256be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61
SHA5128885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD596e3b86880fedd5afc001d108732a3e5
SHA18fc17b39d744a9590a6d5897012da5e6757439a3
SHA256c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294
SHA512909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
393KB
MD59dbdd43a2e0b032604943c252eaf634a
SHA19584dc66f3c1cce4210fdf827a1b4e2bb22263af
SHA25633c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86
SHA512b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1
-
Filesize
385KB
MD5e802c96760e48c5139995ffb2d891f90
SHA1bba3d278c0eb1094a26e5d2f4c099ad685371578
SHA256cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c
SHA51297300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0
-
Filesize
2.6MB
MD58c29dca81612f559ac2e9aa5012896e4
SHA1e7b504c8be6ae987ced54380dc2a34d03c613ef7
SHA256b8ac5707fb24e123ee2bb53e97cfb166b3e86f1ee46b36bef7c41cf0f58047fd
SHA5127c910b5c97dc3f556d35c9b48dd5ea4c4b55827bb66b508347c63650ad744f3992280df808a187f06daede1895347c46787fd110ba2015f92a927ab1f650a98c
-
Filesize
13.1MB
MD5d5bef969b1f550a8227a2b55716b2d97
SHA111594b1b37f5eb739565f3b7a9c23879fbe6a43e
SHA25656498a5bf00be8a973d690021a49ccf4b5d054ff83d22053b3c0b8d5b29376ca
SHA5121b4a8e23e7329743fa1443ddf0be78fac0699369802a79b1586c749daccfe23f55787ab90da0d53b3523dea23da9bc53f0e1c25d1eb8ad6d2c8353784e9f2379
-
Filesize
5.3MB
MD563552c60caeefe5f2d0e4028b3cc65d3
SHA1dbed3040d53495a6afda01bfb8399376792eb48c
SHA25664e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab
SHA512caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
5.0MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
136KB