Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
26/05/2024, 03:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe
Resource
win7-20240508-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe
-
Size
311KB
-
MD5
44508d7d25e5a3d394ad7199cb35a6af
-
SHA1
65e5c84c4b3ceef9a27a1dc2358c1d2726b335c2
-
SHA256
d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c
-
SHA512
2d3f785980de8273dac3d66bd379a52b2dc9aeab358063be90db1cc3eacbaeaaf1a024ef108e0797a43b92ed6ffdf7a8f0a8af8315dafa1f90f471a155200e6b
-
SSDEEP
6144:uY7BO63UKCweQ7Ovc93dRBsIpJwK8aWlIeD4d2WYcSA2MuLH1bJp:D7mECN3A2T5X
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" modey.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe -
Executes dropped EXE 1 IoCs
pid Process 376 modey.exe -
Adds Run key to start application 2 TTPs 53 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /h" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /a" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /J" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /G" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /t" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /y" d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /g" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /e" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /V" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /Z" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /K" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /b" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /A" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /o" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /S" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /L" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /q" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /f" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /R" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /l" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /W" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /M" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /z" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /H" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /T" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /n" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /p" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /x" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /I" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /P" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /c" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /m" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /B" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /N" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /C" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /j" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /i" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /X" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /y" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /v" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /k" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /w" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /E" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /d" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /s" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /U" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /D" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /F" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /Q" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /r" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /Y" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /O" modey.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modey = "C:\\Users\\Admin\\modey.exe /u" modey.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1320 d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe 1320 d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe 376 modey.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1320 d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe 376 modey.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1320 wrote to memory of 376 1320 d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe 91 PID 1320 wrote to memory of 376 1320 d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe 91 PID 1320 wrote to memory of 376 1320 d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe"C:\Users\Admin\AppData\Local\Temp\d27f28076e97c63401e3397c8e2a7d945da13f2292da9a6c214b6a39dc432e6c.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Users\Admin\modey.exe"C:\Users\Admin\modey.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:376
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
311KB
MD5616ef5b8c2f8b6f1a82cfa4918ff944f
SHA136069b316bc93e3c5f7da10cc1c9d2fde1b2625c
SHA2569843b5a11f029ce9e51436ecac7424e27cfde20d17bfab9dbea5a2d6fda04bbd
SHA5125d759256f1764a7bda61e5382d965afea66648a267b92f21c084d46ebe8e96bd108e41f264fa7a4ffb743a43b52de47234f44947d74d406f1b1019b6959fea3f