Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
09/06/2024, 21:25
General
-
Target
K.exe
-
Size
4.8MB
-
MD5
0b8e85bab4835b6ba09f3bdec902f72d
-
SHA1
1ad5d7ef259079a4b60964895e72ec004ca42199
-
SHA256
582acb10868ca768a7208e898610925eed53372cef01bf4a83e583d5b36323cd
-
SHA512
7e1dae2ffa6d7eef7738e2063e6b38b609f1c64c357dd547f85e01cf8defa8d2f9169d8369dff866b7bb8e5b06208fdae4efd1b966cf50cb7b6097fdcbea48bd
-
SSDEEP
98304:cJSZsz35aFxepAo7haa0Dooj9ghi1RebMIg9Cbk/V8dQXSNW:cjg4haaxojDIg9Cbk/V8dQXmW
Malware Config
Signatures
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 27 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\K.exe"C:\Users\Admin\AppData\Local\Temp\K.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff1e5eab58,0x7fff1e5eab68,0x7fff1e5eab782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1812,i,703674495123088551,12276143106218926167,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1812,i,703674495123088551,12276143106218926167,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1812,i,703674495123088551,12276143106218926167,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1812,i,703674495123088551,12276143106218926167,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1812,i,703674495123088551,12276143106218926167,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3528 --field-trial-handle=1812,i,703674495123088551,12276143106218926167,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4452 --field-trial-handle=1812,i,703674495123088551,12276143106218926167,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 --field-trial-handle=1812,i,703674495123088551,12276143106218926167,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1812,i,703674495123088551,12276143106218926167,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1812,i,703674495123088551,12276143106218926167,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1812,i,703674495123088551,12276143106218926167,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\TestRestart.bat" "1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004E01⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
1KB
MD5f5965154e78267c4148ea73ec6ed9159
SHA1624fa4ec7625d0760a413f0992c31940ca036652
SHA256c3a54d0118a91401d0177d695e2eac724a7a0cabf33124fcf171c5c28852e6e8
SHA5124076a4b259f134b7fd04d93a5a644661b62655736e76ef61a499cc99063400303884084fdaaf996e7bf541aaba3abe5b7c15831de484ef3bf01a29bc3855fbf5
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD52f6ee815dfdf3112fa5551eb002201dd
SHA10e32ab6951e85207afbc2608b476b03ca4b7b75d
SHA2569696082cba3a95ccf075d0ac56ffd7377365614f69fccad7bfbb30d484a27251
SHA512fa9f69e2a4d8faabbdaea8707d86362e06d0154ee74437bc3ebb824b1866041e29057572e240dc95fa0833d24d4f644293b7bd9d6bd87af6898e56eb5e73dc0d
-
Filesize
7KB
MD5ee3118d829a655c089b41cf7434c9ff4
SHA1ae3cd9df90773ee2a908c3b578a5cdb54e07774f
SHA2566f1df74af01ce0410cb499486069aeec711954b05fd05f3aa870d48eb8677639
SHA51286d9eb4b765a06193428fa241207636b37fdf30c6506741ed1577fcd99259cf219c3ead4fa37e07b2f7056715d7cdbf1d6dc48b83dec004e98c74cab48d3b72b
-
Filesize
16KB
MD54958ee45f81c2938f249f0dcbe6d40c8
SHA1421086d1152946a5a3e614e4869fca60821a08b3
SHA2568d43e0b86d205cea8caeaa9289b2e0d1adf19cc7d238d123412af959b8e38e53
SHA5123678a7d8438c354355c54b57721b02edabab75570d4bee00a79a8ebea0aac32f75083abe99a943531ffede1293695bf7e679e58c5301f1f034f04d36f0fffd8e
-
Filesize
263KB
MD5f905f2b40f25c3b308c0de258139c08c
SHA15867cd55c24d63039803413f8ccb1e8c32f66b0c
SHA2565e76939815c153183760003200a0a7447517e1f54b59ebab3c2ed59a1e1f47b5
SHA5122444d89cb9754a375e431dc6a375037d607d7699472556cee7c57e98fe2e8d997bce56e71ff84307659278fc808d2dd07050d70d5672c601323d613bf9e4052a
-
Filesize
10KB
MD52cb9e3f89741961748d38d15dfecc8fb
SHA111f89dfac73dfacb194fa01bf6e7fddb38c1f6d7
SHA256e76dcf1390543fde2ae6fd8263e90df10923df9dfe78a5fb588a50654577fd13
SHA51220557311d13320d2f7c8bfb99e49c8af30dbcbace0faaa5101f9ea893a017a55100bf2b3c466c9d9cfe4fa8a8affcef9223a870abbcf571492fa90abd0e748f2