Analysis
- max time kernel: 149s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/04/2024, 00:16
Static task: static1
Behavioral task: behavioral1
- Sample: 92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe
- Resource: win10v2004-20240412-en
(The signatures, memory dumps and process tree below all come from behavioral2, the Windows 10 run.)
General
- Target: 92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe
- Size: 216KB
- MD5: 2301a9913e02067864f513ac01e2794e
- SHA1: cfc9e56f525cf3f82edfdadfe4fe210a76b76ef6
- SHA256: 92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40
- SHA512: 6316cd658aa6194cc860e21f8ccd36d269bc97e40e1222a5445235e683b3f34a53decdb949f197dd0386718ef04e06063a22228dc86228bd86450f5a587c0a91
- SSDEEP: 3072:f56VkkgUgXC7AdYzrV+Dljy/32ubwZ/qJH:oUFCkdYzrVolu/J0Z/O
Malware Config
Signatures
- UPX dump on OEP (original entry point) (6 IoCs)
  resource | yara_rule
  behavioral2/memory/2884-3-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
  behavioral2/memory/2884-7-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
  behavioral2/memory/2884-9-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
  behavioral2/memory/2884-39-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
  behavioral2/memory/2884-51-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
  behavioral2/memory/5068-54-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | 92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  3392 | WindowsService.exe
  5068 | WindowsService.exe
  4956 | WindowsService.exe
- Memory dumps matching yara_rule upx (6 IoCs)
  The same six behavioral2 dumps listed under "UPX dump on OEP" (2884-3, 2884-7, 2884-9, 2884-39, 2884-51 and 5068-54, all covering 0x0000000000400000-0x000000000040B000) also match the rule upx.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe" | reg.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 3456 set thread context of 2884 | 3456 | 92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe | 91
  PID 3392 set thread context of 5068 | 3392 | WindowsService.exe | 97
  PID 3392 set thread context of 4956 | 3392 | WindowsService.exe | 98
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5068 | WindowsService.exe
  (all 64 entries are identical: SeDebugPrivilege requested by PID 5068, WindowsService.exe)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  3456 | 92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe
  2884 | 92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe
  3392 | WindowsService.exe
  5068 | WindowsService.exe
- Suspicious use of WriteProcessMemory (39 IoCs, grouped by source/target pair)
  description | pid | Process | procid_target | entries
  PID 3456 wrote to memory of 2884 | 3456 | 92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe | 91 | 8
  PID 2884 wrote to memory of 2960 | 2884 | 92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe | 92 | 3
  PID 2960 wrote to memory of 884 | 2960 | cmd.exe | 95 | 3
  PID 2884 wrote to memory of 3392 | 2884 | 92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe | 96 | 3
  PID 3392 wrote to memory of 5068 | 3392 | WindowsService.exe | 97 | 8
  PID 3392 wrote to memory of 4956 | 3392 | WindowsService.exe | 98 | 14
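Three of the signatures above describe one sequence: a process starts a second copy of its own image (3456 -> 2884, 3392 -> 5068, 3392 -> 4956), writes into the child's memory many times, then calls SetThreadContext on it. That is the sequence process hollowing uses to replace a child's code before its first instruction runs, and it is also why the UPX dumps are taken from the children (2884 and 5068) rather than the parents. A parent writing to a child it has just created is not suspicious on its own: the cmd.exe -> reg.exe and 2884 -> 2960 entries are what ordinary process creation looks like in these logs. The example below, added for this page and not tria.ge code, correlates the events so that only the write-then-SetThreadContext pairs are reported, alongside the Run-key persistence and the Geo\Nation geofence query. The process list and event list are constructed by hand from this report; the Proc and Event records, the correlate() function and the finding dictionaries it returns are this example's own assumptions, not a tria.ge API.

```python
"""Correlate sandbox behaviour events into triage findings.

Added example for this report page. The PROCS and EVENTS tables are
constructed from the signatures and process tree printed on the page
(behavioral2, the Windows 10 run). Proc, Event, correlate() and the
finding dictionaries are this example's own design, not a tria.ge API.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str


@dataclass(frozen=True)
class Event:
    kind: str                     # set_thread_context | write_process_memory | reg_set | reg_query
    pid: int                      # acting process
    target: Optional[int] = None  # target pid for cross-process events
    detail: str = ""              # registry path (and value) for registry events


# Process tree as printed on the page.
PROCS = [
    Proc(3456, None, SAMPLE),
    Proc(2884, 3456, SAMPLE),
    Proc(2960, 2884, r"C:\Windows\SysWOW64\cmd.exe"),
    Proc(884, 2960, r"C:\Windows\SysWOW64\reg.exe"),
    Proc(3392, 2884, DROPPED),
    Proc(5068, 3392, DROPPED),
    Proc(4956, 3392, DROPPED),
]

# WriteProcessMemory pairs with the entry counts the signature lists (39 in total).
_WPM = {(3456, 2884): 8, (2884, 2960): 3, (2960, 884): 3,
        (2884, 3392): 3, (3392, 5068): 8, (3392, 4956): 14}

EVENTS = (
    [Event("set_thread_context", 3456, 2884),
     Event("set_thread_context", 3392, 5068),
     Event("set_thread_context", 3392, 4956)]
    + [Event("write_process_memory", src, dst)
       for (src, dst), n in _WPM.items() for _ in range(n)]
    + [Event("reg_set", 884,
             detail=USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sidebar = " + DROPPED),
       Event("reg_query", 2884,
             detail=USER_HIVE + r"\Control Panel\International\Geo\Nation")]
)


def correlate(procs, events):
    """Return a list of finding dicts derived from the raw events."""
    by_pid = {p.pid: p for p in procs}
    writes = Counter((e.pid, e.target) for e in events if e.kind == "write_process_memory")
    findings = []
    for e in events:
        if e.kind == "set_thread_context":
            src, dst = by_pid.get(e.pid), by_pid.get(e.target)
            if src is None or dst is None:
                continue
            n = writes[(e.pid, e.target)]
            # Parent created the child, wrote into it, then replaced its thread context:
            # the hollowing sequence. Same image on both sides is the self-spawn variant.
            if dst.ppid == e.pid and n > 0:
                same = dst.image.lower() == src.image.lower()
                findings.append({"type": "process-hollowing pattern" if same else "injection into own child",
                                 "pid": e.pid, "target": e.target, "image": dst.image, "writes": n})
            else:
                findings.append({"type": "SetThreadContext on foreign process",
                                 "pid": e.pid, "target": e.target, "writes": n})
        elif e.kind == "reg_set" and "\\CurrentVersion\\Run\\" in e.detail:
            name_part, _, value = e.detail.partition(" = ")
            findings.append({"type": "run-key persistence", "pid": e.pid,
                             "value_name": name_part.rsplit("\\", 1)[1], "path": value,
                             "user_writable": "\\AppData\\" in value})
        elif e.kind == "reg_query" and e.detail.endswith("\\Geo\\Nation"):
            findings.append({"type": "geofence check", "pid": e.pid})
    return findings


if __name__ == "__main__":
    for f in correlate(PROCS, EVENTS):
        print(f)
```

Plain parent-to-child writes (2884 -> 2960, 2960 -> 884, 2884 -> 3392) produce no finding because no SetThreadContext follows them; the three self-spawn pairs do. The persistence finding carries the value name (sidebar) and the path under the user's AppData, which is what to check on a host during response: the HKCU Run value and whether the file at that path still exists.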
Processes (indented by the depth the page reports; each entry gives image path, command line, PID and matched signatures)
1  C:\Users\Admin\AppData\Local\Temp\92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe"
   PID: 3456
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe"
      PID: 2884
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\cmd.exe
         cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSTQL.bat" "
         PID: 2960
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\SysWOW64\reg.exe
            cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
            PID: 884
            - Adds Run key to start application
      3  C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
         cmdline: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
         PID: 3392
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4  C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
            PID: 5068
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
         4  C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
            PID: 4956
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 157B
  MD5: f6a90c20834f271a907a4e2bc28184c2
  SHA1: 36c9d1602b74f622346fbb22693597d7889df48d
  SHA256: 73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd
  SHA512: 39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804
- File 2
  Filesize: 216KB
  MD5: faed327a286e2e11654ef849054bd00b
  SHA1: d36155843ea46a283dfb62116a723a01673bfbaa
  SHA256: b2db1c349adc6ae0057228f92e1ccd0779cc98d53bc34ae489e25cc532db0719
  SHA512: 0f727742e36e3a27b3bebe2fc91e50cb6e71f4f0afdd6919ea80cca0b0051fe37262e27ed7f210b58c47d3a8fc543e68446246cc0041fa54d6004a24d756b7b4
  (Same size as the submitted sample, but every hash differs, so it is not a byte-identical copy; use these hashes, not the sample's, when hunting for the dropped file.)