Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
05/06/2024, 19:29
Static task
static1
Behavioral task
behavioral1
Sample
fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe
Resource
win10v2004-20240508-en
General
-
Target
fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe
-
Size
82KB
-
MD5
d1b3dcad86a122f2f0f72198bec7b8e6
-
SHA1
f6f4d5206d815abee8d95f75aff239465107bfa8
-
SHA256
fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504
-
SHA512
31909d3962390688220434f72d7794826fbd3d26602630957cb9a05adc107e3f5b9fdca1bd51e79f0861d01644dfe2578bf2d91b75cdb8d5ade0082bab0fa180
-
SSDEEP
1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOXeMwY:GhfxHNIreQm+HiueMwY
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4992 rundll32.exe -
Modifies system executable filetype association 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\¢«.exe fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe File created C:\Windows\SysWOW64\¢«.exe fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe File created C:\Windows\SysWOW64\notepad¢¬.exe fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system\rundll32.exe fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe File created C:\Windows\system\rundll32.exe fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe -
Modifies registry class 15 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\MSipv fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe Key created \REGISTRY\MACHINE\Software\Classes\MSipv rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717615777" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717615777" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4992 rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 4992 rundll32.exe 4992 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3568 wrote to memory of 4992 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 86 PID 3568 wrote to memory of 4992 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 86 PID 3568 wrote to memory of 4992 3568 fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe"C:\Users\Admin\AppData\Local\Temp\fb2a529cdc5b906d5145b015e2d6e5fc1191b8da5a0a2f56786e6824ada19504.exe"1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\system\rundll32.exeC:\Windows\system\rundll32.exe2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4992
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
77KB
MD5ce172635c50140a866b9151a142138c7
SHA14ca1102c2f9808c62c5f1747600b24bafedcfc95
SHA25691a687ba44d1aa538607c77adc14a95648ee5ca3cb057ff2c1418cd3250a27c7
SHA51289a0d1fbe112f511e4fb782dc9c10d08ce4b0afbd918e39723a699117c4670fc61f10da4e2df2a434690c2fb797a1dd2bca159003f3337e5066f4f3e0817bb1e
-
Filesize
78KB
MD5ac66d67c777b542a1bd01f9ed4e51c22
SHA1b87ffeea1ed29e045202cc876e11d6553e13374f
SHA2562108cf7c6184f78c126281cc2269d8d24897aaea36d32cb79aa797b76ee7d42c
SHA5123465863430234a751dedf76277a22413609e874e583a2c8fd6c5b700e1f626ca4f1c30fb4d7d7ec41d7abfaad9e2093fdb176d8d882c5884c170edf825d26567