Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
31bd70f5afc...20.exe
windows10-2004-x64
1020d5ad811e...b7.exe
windows10-2004-x64
102ca6e4b470...97.exe
windows10-2004-x64
1030323f682e...18.exe
windows10-2004-x64
10426e1b8066...18.exe
windows10-2004-x64
1043ea4b5927...9e.exe
windows10-2004-x64
1044ba27c950...f2.exe
windows10-2004-x64
106e35231281...45.exe
windows10-2004-x64
107cac44d1ec...c4.exe
windows10-2004-x64
10823db2b88d...40.exe
windows10-2004-x64
10a884418225...db.exe
windows10-2004-x64
10c68d91a00f...d2.exe
windows10-2004-x64
10cabcad649e...d3.exe
windows7-x64
10cabcad649e...d3.exe
windows10-2004-x64
10cb4c64011d...ef.exe
windows10-2004-x64
10d55f431b8e...57.exe
windows10-2004-x64
10dea00ebf60...e0.exe
windows10-2004-x64
10e017c199a6...9b.exe
windows10-2004-x64
10e01acda385...7b.exe
windows10-2004-x64
10e46b62442d...14.exe
windows10-2004-x64
10ef7029b98b...78.exe
windows10-2004-x64
10Analysis
-
max time kernel
128s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23/05/2024, 09:42 UTC
Static task
static1
Behavioral task
behavioral1
Sample
1bd70f5afcc29724401d52710f012058d999560c75bde3fd609f66ffc0bd9720.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
20d5ad811e156e522c088718e9fad42c9719bbca8aa4b3f144c468550177d6b7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
2ca6e4b470413b98976384ac3e479028c30b8486b2ebb4a4dd8e4e2142faac97.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
30323f682e6a32aa6d849428448a5ebd9b9590ee3a331da4fd2f5934b4c13818.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
43ea4b5927abdf60c2312374034e3b21c33a1082d31190027a6b747b84aef49e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
44ba27c950b0c14f429cb6252215fa6bdf9cb6c714a1890cbaae75274f91f4f2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
6e352312813a28290ff0ff1a92702c185aae40663ba027e0a0c2d464d283d345.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
7cac44d1ecd3f5639f33ee135e671d1baab428e0ead20f5eae7b4d2be71debc4.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
823db2b88de38daac96f8e746abe924341117f170be5cd8a57a2db86d001bc40.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
a8844182255c5383be20ec415b7286551bb27f4713458001503fbb103d2c31db.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
c68d91a00fd95a921391069a12b7eba5c82ab3db1e6c4d5868561527424cf5d2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
cb4c64011df6d9448d6e9f657a89d6cc8dfd2b81fc8262bccfab2f05465c39ef.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
d55f431b8ea5ad86d41def5d797c360d619becd2b366e7210433952a81c4ac57.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
dea00ebf6034d535aea8f56cd6017972814dfb3374887346a9c9c8182c1110e0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
e017c199a693aee53fef17402d6258dee359f1092c5845f73d404e2646590b9b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
e01acda3856cc169ddd84def2f4c60a6487d82da3d3c35333bff09986229bd7b.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral20
Sample
e46b62442d214e617c5a6224fef70a4e5ed02b730b85396408e198e85f21eb14.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
ef7029b98b2432c74d1512668109e659b6f7e89d2d4469a291c54309ecec0878.exe
Resource
win10v2004-20240508-en
General
-
Target
426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe
-
Size
652KB
-
MD5
a8b9734365073ce340b1123741d71abd
-
SHA1
ba40a124883de4244aa8c1c389e94ddb9fddead6
-
SHA256
426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18
-
SHA512
0f34f2c85ea88f4a6b440889df26087036a8802d8ea04ba3a5a1ec3db4745007806778aa24a1b45bb2db1902b841fd35099081b55daa9576d2b79e5636eaa76a
-
SSDEEP
12288:8Mrcy9031jOhVjzy5AfppTmgmbdSqEfEFoGeKaHsUPkiD:AysWVfySppTmgcjqftrPkiD
Malware Config
Signatures
-
Detect Mystic stealer payload 3 IoCs
resource yara_rule behavioral5/memory/4532-18-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family behavioral5/memory/4532-21-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family behavioral5/memory/4532-19-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 4 IoCs
pid Process 348 Fo4qa29.exe 2072 1HG66Ze2.exe 3748 2qj8314.exe 3400 3QC27mb.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" Fo4qa29.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2072 set thread context of 4500 2072 1HG66Ze2.exe 85 PID 3748 set thread context of 4532 3748 2qj8314.exe 87 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3QC27mb.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3QC27mb.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3QC27mb.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4500 AppLaunch.exe 4500 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4500 AppLaunch.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 112 wrote to memory of 348 112 426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe 83 PID 112 wrote to memory of 348 112 426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe 83 PID 112 wrote to memory of 348 112 426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe 83 PID 348 wrote to memory of 2072 348 Fo4qa29.exe 84 PID 348 wrote to memory of 2072 348 Fo4qa29.exe 84 PID 348 wrote to memory of 2072 348 Fo4qa29.exe 84 PID 2072 wrote to memory of 4500 2072 1HG66Ze2.exe 85 PID 2072 wrote to memory of 4500 2072 1HG66Ze2.exe 85 PID 2072 wrote to memory of 4500 2072 1HG66Ze2.exe 85 PID 2072 wrote to memory of 4500 2072 1HG66Ze2.exe 85 PID 2072 wrote to memory of 4500 2072 1HG66Ze2.exe 85 PID 2072 wrote to memory of 4500 2072 1HG66Ze2.exe 85 PID 2072 wrote to memory of 4500 2072 1HG66Ze2.exe 85 PID 2072 wrote to memory of 4500 2072 1HG66Ze2.exe 85 PID 348 wrote to memory of 3748 348 Fo4qa29.exe 86 PID 348 wrote to memory of 3748 348 Fo4qa29.exe 86 PID 348 wrote to memory of 3748 348 Fo4qa29.exe 86 PID 3748 wrote to memory of 4532 3748 2qj8314.exe 87 PID 3748 wrote to memory of 4532 3748 2qj8314.exe 87 PID 3748 wrote to memory of 4532 3748 2qj8314.exe 87 PID 3748 wrote to memory of 4532 3748 2qj8314.exe 87 PID 3748 wrote to memory of 4532 3748 2qj8314.exe 87 PID 3748 wrote to memory of 4532 3748 2qj8314.exe 87 PID 3748 wrote to memory of 4532 3748 2qj8314.exe 87 PID 3748 wrote to memory of 4532 3748 2qj8314.exe 87 PID 3748 wrote to memory of 4532 3748 2qj8314.exe 87 PID 3748 wrote to memory of 4532 3748 2qj8314.exe 87 PID 112 wrote to memory of 3400 112 426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe 88 PID 112 wrote to memory of 3400 112 426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe 88 PID 112 wrote to memory of 3400 112 426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe"C:\Users\Admin\AppData\Local\Temp\426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fo4qa29.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fo4qa29.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HG66Ze2.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HG66Ze2.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qj8314.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qj8314.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:4532
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3QC27mb.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3QC27mb.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3400
-
Network
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request144.107.17.2.in-addr.arpaIN PTRResponse144.107.17.2.in-addr.arpaIN PTRa2-17-107-144deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request14.160.190.20.in-addr.arpaIN PTRResponse
-
GEThttps://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90Remote address:23.62.61.171:443RequestGET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Thu, 23 May 2024 09:42:47 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.a73d3e17.1716457367.2d61ad87
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.61.62.23.in-addr.arpaIN PTRResponse171.61.62.23.in-addr.arpaIN PTRa23-62-61-171deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request17.14.97.104.in-addr.arpaIN PTRResponse17.14.97.104.in-addr.arpaIN PTRa104-97-14-17deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
23.62.61.171:443https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90tls, http21.4kB 6.3kB 16 11
HTTP Request
GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90HTTP Response
200
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
144.107.17.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.160.190.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
171.61.62.23.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
17.14.97.104.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
43.58.199.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD561b6b786efacea6912a815b7692dac72
SHA15a864261a958ba9355d0fa20741e149f70a7918d
SHA25699f45274606fe0acdf6c4bddbe53bdb8a3fd4a329bea222426e0a1547a8ff61d
SHA512164e3de7001b6a7c8cfe1694cc7d3fbf43e69a9d6bf31c30b411acf22bfb98e00dd8491eba9a754172069fc2edd0be59ea39ce489ebe6553f11ef07bcb6c5f3e
-
Filesize
528KB
MD5f96632ad5ee676201c55b0218382157e
SHA12f57c77ea32769b52924056899028fbfb5aa4a12
SHA256753e3b49d354b22afb771940598e5a459d157140c496fff1874e978755ff0325
SHA5120dc9730fb1210a5cbfcd435f6a6a50d5920f6d8c9ef128919b5d53192ff5ae86a054c208bb248c2cb72caa64dd5ea853cc7429bf3dbaa06259f97f0699187a11
-
Filesize
869KB
MD590a7fb448ebb8f342918c8650dd05df5
SHA1d0bcec2d5576a34be3f4c0fd5f0bcdfdb94a29d5
SHA2563701b6e633b701ec911cb1ba0cc786e848a4a35d062355edfa5799a3548ce78d
SHA512c5e7a143fe61af01681a4b1cd5930f72dff03b88727252f655224c07619fc397be57a5662d65a2a4c46f6edd9561e84433823201b7d0478b184b4ccf8ed799c5
-
Filesize
1.0MB
MD57325f35f9a59903a210a5c41c2c74e67
SHA125ed8bda08cb3b91633641f6bab9e1e73b3460b9
SHA25698891268879a8e945effc53f4d65e4d9b623d2088b2fc2b34676ebffe039d7bf
SHA512c73dc673eaba673f542689e21b9811c36f13ec84cf7a4690d89b79a6a7102c4e281e6b2b45153f83ae9b23a8b0177d6d0868fc37d21ac14a2402aa3eed29acfb