Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/06/2024, 22:25
Static task: static1

Behavioral task: behavioral1
- Sample: 65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1.dll
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1.dll
- Resource: win10v2004-20240226-en
General
- Target: 65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1.dll
- Size: 1.1MB
- MD5: f165e88e25102d19f8f2c955686ce88d
- SHA1: cd678ad3cd82144c5861470abf4cc40820a0d831
- SHA256: 65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1
- SHA512: 26c3f6e797b8cc9ff0a3b9c8031d67a0e0d70b76c23da452ca92824ca0bee552b83abcc69738759d5e88f0a218d9426206e390e5a9d5e385bb165712c6de3e2e
- SSDEEP: 6144:Ni05kH9OyU2uv5SRf/FWgFgt0gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:4rHGPv5SmptZDmUWuVZkxikdXcq
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcdbzlxvqxxhz = "\"C:\\Users\\Admin\\AppData\\Roaming\\gT482P\\bdechangepin.exe\"" (process: Process not Found)

Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\system32\9569\GamePanel.exe (process: cmd.exe)
- File opened for modification: C:\Windows\system32\9569\GamePanel.exe (process: cmd.exe)

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 996: schtasks.exe

Modifies registry class (10 IoCs; every entry is attributed to "Process not Found")
- Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell
- Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\MWwAox1.cmd"
- Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\DelegateExecute
- Key deleted: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open
- Key deleted: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell
- Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings
- Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open
- Key deleted: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command
- Key deleted: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings
- Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 3108 rundll32.exe (4 entries)
- PID 3164 Process not Found (the remaining 60 entries)

Suspicious use of AdjustPrivilegeToken (14 IoCs)
- Token: SeShutdownPrivilege, PID 3164 Process not Found (7 entries, alternating with the next)
- Token: SeCreatePagefilePrivilege, PID 3164 Process not Found (7 entries)

Suspicious use of WriteProcessMemory (30 IoCs; each write is recorded twice)
- PID 3164 (Process not Found) wrote to memory of 760, procid_target 92
- PID 3164 (Process not Found) wrote to memory of 912, procid_target 93
- PID 3164 (Process not Found) wrote to memory of 3660, procid_target 94
- PID 3164 (Process not Found) wrote to memory of 3652, procid_target 95
- PID 3164 (Process not Found) wrote to memory of 2800, procid_target 96
- PID 3164 (Process not Found) wrote to memory of 2616, procid_target 97
- PID 3164 (Process not Found) wrote to memory of 448, procid_target 98
- PID 3164 (Process not Found) wrote to memory of 3812, procid_target 100
- PID 3812 (cmd.exe) wrote to memory of 776, procid_target 102
- PID 3164 (Process not Found) wrote to memory of 4820, procid_target 103
- PID 3164 (Process not Found) wrote to memory of 4136, procid_target 104
- PID 3164 (Process not Found) wrote to memory of 4292, procid_target 105
- PID 3164 (Process not Found) wrote to memory of 3876, procid_target 107
- PID 3876 (fodhelper.exe) wrote to memory of 4092, procid_target 108
- PID 4092 (cmd.exe) wrote to memory of 996, procid_target 110

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (nested entries are child processes of the entry above them)

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1.dll,#1
  PID: 3108
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\dllhost.exe
  Command line: C:\Windows\system32\dllhost.exe
  PID: 760

- C:\Windows\system32\cleanmgr.exe
  Command line: C:\Windows\system32\cleanmgr.exe
  PID: 912

- C:\Windows\system32\WallpaperHost.exe
  Command line: C:\Windows\system32\WallpaperHost.exe
  PID: 3660

- C:\Windows\system32\provtool.exe
  Command line: C:\Windows\system32\provtool.exe
  PID: 3652

- C:\Windows\system32\LaunchTM.exe
  Command line: C:\Windows\system32\LaunchTM.exe
  PID: 2800

- C:\Windows\system32\bdechangepin.exe
  Command line: C:\Windows\system32\bdechangepin.exe
  PID: 2616

- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\rt9B.cmd
  PID: 448

- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2876edf9-11ce-6726-5bde-f751084e1399}"
  PID: 3812
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2876edf9-11ce-6726-5bde-f751084e1399}"
    PID: 776

- C:\Windows\system32\DTUHandler.exe
  Command line: C:\Windows\system32\DTUHandler.exe
  PID: 4820

- C:\Windows\system32\GamePanel.exe
  Command line: C:\Windows\system32\GamePanel.exe
  PID: 4136

- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\5dAm9bi.cmd
  PID: 4292
  - Drops file in System32 directory

- C:\Windows\System32\fodhelper.exe
  Command line: "C:\Windows\System32\fodhelper.exe"
  PID: 3876
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\MWwAox1.cmd
    PID: 4092
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks.exe /Create /F /TN "Eofvjgiti" /SC minute /MO 60 /TR "C:\Windows\system32\9569\GamePanel.exe" /RL highest
      PID: 996
      - Creates scheduled task(s)

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
  PID: 5012
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 193B
  MD5: ad23f93f258aa0ed654a4530d592d38c
  SHA1: 588a722136ac1e888a6361b97ac8d0127175c09a
  SHA256: 16f3f71e5c95ac552073aa290547b07e46a9654727c379708038a758f15d34db
  SHA512: b46af54ae7028cc1ff15c1e34788ba5f27bfb2d5a36d92abf4043e3e462a580f23202e06c606fde75360e6a00648bb7814ac1f046c41616d43f1ee39e2c59887

- Filesize: 1.3MB
  MD5: 497e02f8361d1a0f2601a4f87b7dd874
  SHA1: 879cfce82adc3cb4cb58c717847b7a69fd777481
  SHA256: 32e4b63cff23718f0b82486fb220584881a45583ffeff132fc607feccd7c8293
  SHA512: 47320a4a34bc006f7da0e1b7d4ac1d64080404f067cbe5af9debdee97e6634bd5331e91ef713fd19b353fa3b330fc36ab4824ee04811db303795133593614f72

- Filesize: 129B
  MD5: 3071ff351ca6198e1a1a01b9692f3345
  SHA1: 0fece473ba23f22fdd303d7dd92a80c40515b5af
  SHA256: 323547a4e220a0a432b50d0608abaa28bcb081ff93bd43974f0dbd7b89a40b2b
  SHA512: 0d3cf2dd13db55512cda2c7165ca02c3c7407c2519ef00a881092a9562a775482491fae4a52e275b3177f6162f8491e5714517bdb8c0321c11c3f3d77dae147d

- Filesize: 1.1MB
  MD5: 11b756f01a2bf09165ee1a6636318c20
  SHA1: 9570ce74fc951d7c4521d0787c1b5a640f21ec80
  SHA256: c5f30dfe2846d725d768a84bb3aad7610616c94d4ce4f4a5451f3ee847254190
  SHA512: db2db09e5839d47d2d085ed6157dd8e0c31710b3ea21794855aa444c23d101135c2284b61e7047bd90c0413983f87340cad474006c641ca88aaddedc122e3eaa

- Filesize: 234B
  MD5: 13b59cf968048ccc46f512c24c7c3f96
  SHA1: 8d387c1ae5d241d9d42ca5b3b2e54ef84e8bfc0a
  SHA256: 56f6407a8d87e722b4d67ac7fc023de1591bbb6a05c2e3399abf771417bc649b
  SHA512: ca44700dafae7482d3ecf2582ba071914ef97087c48504e3f2a624f22a32d61ecddbc40c100ad62f47e65bfcbe4b4e4eaac46cc5c5dc47ab3ebb5c40c1ddc6f8

- Filesize: 934B
  MD5: a82fe305e7fae5d7d90f8f0e55a265eb
  SHA1: ac3b820fb4bbd2d201f12e2b9ac14a5c7788202c
  SHA256: 809ed4b95cae66a0f551c1b5bab76c36cb40a1e7912d051ed800de543df16b25
  SHA512: f1fbe72ba88d81b9b581c0f5110187ab4a747f2dd5f3aa629ddac101dac2312b8ad3903d090059d8f65854b92c7d82187e5f9a0e4834cc9d4b18989e202edc7c

- Filesize: 373KB
  MD5: 601a28eb2d845d729ddd7330cbae6fd6
  SHA1: 5cf9f6f9135c903d42a7756c638333db8621e642
  SHA256: 4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6
  SHA512: 1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d