Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/06/2024, 23:22
Static task: static1
Behavioral task: behavioral1
Sample: 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe
Resource: win10v2004-20240426-en
General
Target: 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe
Size: 7.2MB
MD5: 68039ea285456b07636828f963515e22
SHA1: d0a086a3dc0cdf1eb05219f909a4cd234c57dfd5
SHA256: 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a
SHA512: 184fdae7214d880573519be8b8b0a0aa84de5714093fb036757f994a98163e432eaed1ccf7797fda25c446fc168c37b6d756cc1ec374669e3721c645aeb0188a
SSDEEP: 98304:47O82rQfXHndMdQIvJ0Cd/C5jKRbAlAQAzNwpUJx4O875RjfxIrfvoYJMZx68owi:4CQP6QUJ0s/CWAOpWi6RrxYvD+68owi
Malware Config
Signatures
UPX dump on OEP (original entry point) 28 IoCs
Executes dropped EXE 1 IoCs
pid 2664, Process xl.exe
Drops desktop.ini file(s) 2 IoCs
File opened for modification: F:\CNGHO\desktop.ini (Process: 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe)
File created: F:\CNGHO\desktop.ini (Process: 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe)
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
Key created: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\IESettingSync (Process: 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe)
Set value (int): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" (Process: 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe)
Key created: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (Process: 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (Process: 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe)
Suspicious use of AdjustPrivilegeToken 42 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
pid 2300, Process 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe
pid 2300, Process 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe
pid 2300, Process 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe
pid 2300, Process 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe
pid 2300, Process 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe
pid 2300, Process 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe
pid 2300, Process 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe
Suspicious use of WriteProcessMemory 9 IoCs
PID 2300 wrote to memory of 2664 (pid 2300, Process 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe, procid_target 81)
PID 2300 wrote to memory of 2664 (pid 2300, Process 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe, procid_target 81)
PID 2300 wrote to memory of 2664 (pid 2300, Process 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe, procid_target 81)
PID 2300 wrote to memory of 1524 (pid 2300, Process 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe, procid_target 82)
PID 2300 wrote to memory of 1524 (pid 2300, Process 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe, procid_target 82)
PID 2300 wrote to memory of 1524 (pid 2300, Process 717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe, procid_target 82)
PID 1524 wrote to memory of 5000 (pid 1524, Process cmd.exe, procid_target 84)
PID 1524 wrote to memory of 5000 (pid 1524, Process cmd.exe, procid_target 84)
PID 1524 wrote to memory of 5000 (pid 1524, Process cmd.exe, procid_target 84)
Processes
C:\Users\Admin\AppData\Local\Temp\717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\717ecce3057adfe6d40172158d6334a0177064d24fea6b3b78481a8c5ee4076a.exe"
  PID: 2300
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\xl.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\xl.exe
    PID: 2664
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c wmic BASEBOARD get Manufacturer/value
    PID: 1524
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic BASEBOARD get Manufacturer/value
      PID: 5000
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 427B
MD5: d4f2205ab045a47877764f78840ab40c
SHA1: cb8b63d9c7f68026088517e98f6ca04cfecaba0f
SHA256: 6e70857d2726ad583f9fe6373532fa27235a4736aaa2a8ee890c996d83f5b65f
SHA512: 358d80377a3b58beedde8c4c3ef0918cd24ee5eab39df310e4621eefdde79c6c49a5da5e699a06c5f22b157f85d163bccdf79748ac67e3a2c56c6a36c7b717f1

Filesize: 2.2MB
MD5: a1e1b658a9dc29cc30d0371e9fa94e12
SHA1: a56a24fe5245643af3ec9a12875d59dd44e6d5fa
SHA256: 7c7b24362e3529bbaa540b9885bd4922ccfa85951054af5aa610f6cbe415bb45
SHA512: f38f47608deb58fcba0f5639632651df76983e169cf752c8b03313cb46bdacb4d9d5285580ac3244c6a4584da69e2bb61c8897de82aa60026bc21d92bf60b807