Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/04/2024, 07:13
Static task
- static1

Behavioral task
- behavioral1
  - Sample: PO0424024.exe
  - Resource: win7-20240221-en
  - 5 signatures
  - 150 seconds

Behavioral task
- behavioral2
  - Sample: PO0424024.exe
  - Resource: win10v2004-20240226-en
  - 6 signatures
  - 150 seconds
General
- Target: PO0424024.exe
- Size: 814KB
- MD5: 192be7ac2833574aafeeea8e0cd52380
- SHA1: 264298e6ebda222d48c0185c1ad168c51c0dc133
- SHA256: 19640f20d067c8ca1ba3e08d34ea493c05b99016c6608dbcbfdf848ca4d60452
- SHA512: 3301b3f0e8f8f71de13cdf22dee89cfa1a74f6df0e1831018a2bf2725977edbccdb8b4baddb0ec8288a7faafb979a8040ce5bdb9ffababb40a039d2b657edd9f
- SSDEEP: 24576:1R1WMVUu9FCfSwNZAXJ7oaOJdF+mJ312Zj:H4MVUuviFNZ0E1Jl2t

Score: 7/10
Malware Config
Signatures
- Modifies file permissions (1 TTPs, 1 IoCs)
  pid   Process
  1596  takeown.exe

- Suspicious use of SetThreadContext (5 IoCs)
  description                          pid   Process        procid_target
  PID 3152 set thread context of 4024  3152  PO0424024.exe  97
  PID 4024 set thread context of 3300  4024  PO0424024.exe  57
  PID 4024 set thread context of 1596  4024  PO0424024.exe  102
  PID 1596 set thread context of 3300  1596  takeown.exe    57
  PID 1596 set thread context of 5028  1596  takeown.exe    103

- Modifies Internet Explorer settings (1 IoCs)
  description  ioc                                                                                                            Process
  Key created  \Registry\User\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  takeown.exe

- Suspicious behavior: EnumeratesProcesses (41 IoCs)
  pid   Process        count
  4024  PO0424024.exe  21
  1596  takeown.exe    20

- Suspicious behavior: MapViewOfSection (7 IoCs)
  pid   Process        count
  4024  PO0424024.exe  1
  3300  Explorer.EXE   2
  1596  takeown.exe    4

- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process        procid_target  count
  PID 3152 wrote to memory of 4024  3152  PO0424024.exe  97             6
  PID 3300 wrote to memory of 1596  3300  Explorer.EXE   102            3
  PID 1596 wrote to memory of 5028  1596  takeown.exe    103            2
Processes
- C:\Windows\Explorer.EXE
  "C:\Windows\Explorer.EXE"
  PID: 3300
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PO0424024.exe
    "C:\Users\Admin\AppData\Local\Temp\PO0424024.exe"
    PID: 3152
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\PO0424024.exe
      "C:\Users\Admin\AppData\Local\Temp\PO0424024.exe"
      PID: 4024
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe"
    PID: 1596
    - Modifies file permissions
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
  PID: 3428