Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/06/2024, 04:39
Static task: static1
Behavioral task: behavioral1
  Sample: cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
  Resource: win10v2004-20240508-en
General
Target: cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
Size: 78KB
MD5: 62a9734fff3c70800eb7ebfe22c159f2
SHA1: dbb793db6a0c8ff572648d00cbfd4ed3f04d379c
SHA256: cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f
SHA512: 6a9fc3afc31939fe9a82328b0de93ecd023556fb960386c1e987edac00efbff7d1261888d9e96f5aaaef1a3a1f3c62e24d0af363c89e198ba2d3c4233885f823
SSDEEP: 1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWO6wHNt:GhfxHNIreQm+HitwHNt
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid  Process
3468  rundll32.exe
Modifies system executable filetype association (2 TTPs, 5 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
Key created  \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command  rundll32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  rundll32.exe
Drops file in System32 directory (4 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\¢«.exe  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
File created  C:\Windows\SysWOW64\¢«.exe  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
File opened for modification  C:\Windows\SysWOW64\notepad¢¬.exe  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
File created  C:\Windows\SysWOW64\notepad¢¬.exe  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
Drops file in Windows directory (2 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\system\rundll32.exe  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
File created  C:\Windows\system\rundll32.exe  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
Modifies registry class (15 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\Classes\MSipv  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718253558"  rundll32.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"  rundll32.exe
Key created  \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
Key created  \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
Key created  \REGISTRY\MACHINE\Software\Classes\MSipv  rundll32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718253558"  rundll32.exe
Key created  \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command  rundll32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  rundll32.exe
Key created  \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command  rundll32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"  rundll32.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
pid  Process
4376  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe  (all 28 entries are this same process)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid  Process
3468  rundll32.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid  Process
4376  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
3468  rundll32.exe
3468  rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description  pid  Process  procid_target
PID 4376 wrote to memory of 3468  4376  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe  85
PID 4376 wrote to memory of 3468  4376  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe  85
PID 4376 wrote to memory of 3468  4376  cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe  85
Processes
1. Image: C:\Users\Admin\AppData\Local\Temp\cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cda6cf771a14fcbb4b3ce9e5be5492d2f099061affa8b5d8a20687fd865a281f.exe"
   PID: 4376
   - Modifies system executable filetype association
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. Image: C:\Windows\system\rundll32.exe (child of PID 4376)
      Command line: C:\Windows\system\rundll32.exe
      PID: 3468
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
1.
  Filesize: 79KB
  MD5: cf368ba2a4708ecbfb7b8facdbad135d
  SHA1: 500eb1209d60f7978849593386d17f972125686b
  SHA256: 1bb047d3e774d8a87c13af144e55cefcecd5bb24b699190f002a02130ada3079
  SHA512: 52fb9b6199959fd4b1d9a8b37e35c6138fc7d3e1535517acd7440d78cba9ca9f6f6f0d84165ac8783264783f3c0f4122d58e35fc9ff575882600382b7c5694e7
2.
  Filesize: 74KB
  MD5: 61f78a1e84a0aaec9bca22e6573e7026
  SHA1: a8df3b9a3734673455d6536f94278e3c8f6546d8
  SHA256: df8465e00005548118b1834b7966553905fa0a4f85420030807ec381cb705006
  SHA512: 25188741d2b6144904d061871cce45f3cc6cc11e8175a122486314e623c950630d5f630fbd263f136993e2b127a92d297fdbea00e6be94276359fdd276338dc3