Analysis
  max time kernel: 299s
  max time network: 298s
  platform: windows10-1703_x64
  resource: win10-20240404-en
  resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  submitted: 05/07/2024, 15:43
Static task
  static1

Behavioral tasks
  behavioral1: ORDEN DE COMPRA URGENTEfdp..exe on win10-20240404-en
  behavioral2: ORDEN DE COMPRA URGENTEfdp..exe on win10v2004-20240704-en
  behavioral3: ORDEN DE COMPRA URGENTEfdp..exe on win11-20240704-en

The analysis details above belong to behavioral1 (resource win10-20240404-en).
General
  Target: ORDEN DE COMPRA URGENTEfdp..exe
    The name is Spanish for "URGENT PURCHASE ORDER". The reversed "fdp" in front of ".exe" is the residue left when a right-to-left override character (U+202E) is stripped from a name built to display as ending in ".pdf"; that is an inference from the name alone, the report does not record the character.
  Size: 2.4MB
  MD5: fea126096e142649211027c6edbb9832
  SHA1: e5e259235d3d77065918b3c4c369f9d74f1868d7
  SHA256: 950a5c5455b3d7a4ee27ff5bc7cea2ade2d507770a3cc15106018bfedae9ca52
  SHA512: 1f50c406c59fa74b95d97596a04b2cc132ede28bbe00c306aaa1bd3056942713f99aa5e5cf93022d652abb2fcacf7d6e24feec4e572a9aaff64368d1b0d28293
  SSDEEP: 12288:SSR2wX/utnvc69mP51M1nkPpVys8b5V29HxJu5YF9Iv3dosUg7JZtY:SSHuRc69mP/M5kmL/aHxJZIv3W42
Malware Config
Signatures

UAC bypass
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   ORDEN DE COMPRA URGENTEfdp..exe
  EnableLUA = 0 switches UAC off for every account once the machine restarts. The same write is also reported below under "Checks whether UAC is enabled" and "System policy modification"; it is one event, counted three times.

Adds policy Run key to start application  (2 TTPs, 2 IoCs)
  Key created       \Registry\User\S-1-5-21-4106386276-4127174233-3637007343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run   sc.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\04DPCFAXYRV = "C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe"   sc.exe
  Policies\Explorer\Run is executed at logon like the ordinary Run key but is commonly skipped by tooling that only enumerates the standard Run keys. The value points at the legitimate Windows Media Player binary, the same image the sample hollows (PID 3040 under Processes), so the autostart entry looks benign on its own and only makes sense together with the injection chain.

Command and Scripting Interpreter: PowerShell  (1 TTPs, 1 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid 4612   powershell.exe
  In this run the only exclusion added is an -ExclusionPath for the sample's own file (see the powershell.exe command line under Processes). Add-MpPreference and the HKLM EnableLUA write both need administrative rights, which is consistent with the sandbox running the sample from the C:\Users\Admin account.

Checks whether UAC is enabled
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   ORDEN DE COMPRA URGENTEfdp..exe
  Set value (int)     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   ORDEN DE COMPRA URGENTEfdp..exe

Suspicious use of SetThreadContext  (5 IoCs)
  source pid   source process                     target pid (image, from the process tree)   procid_target
  2412         ORDEN DE COMPRA URGENTEfdp..exe    3040 (wmplayer.exe)                         78
  3040         wmplayer.exe                       3392 (Explorer.EXE)                         54
  3040         wmplayer.exe                       2812 (sc.exe)                               81
  2812         sc.exe                             3392 (Explorer.EXE)                         54
  2812         sc.exe                             3724 (Firefox.exe)                          82
  procid_target is Triage's internal process index, not a PID.

Launches sc.exe  (1 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid 2812   sc.exe
  Here the 32-bit copy from SysWOW64 is started with no arguments and serves as an injection host (it goes on to write to and set the thread context of Firefox.exe); no service is queried or changed.

Enumerates physical storage devices  (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
  Key created   \Registry\User\S-1-5-21-4106386276-4127174233-3637007343-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2   sc.exe
  IntelliForms\Storage2 is where Internet Explorer keeps autocomplete form data and saved web credentials. The report shows only the key being created, not any values read.

Suspicious behavior: EnumeratesProcesses  (64 IoCs)
  Repeated for pid 4612 powershell.exe, 3040 wmplayer.exe and 2812 sc.exe, the bulk from sc.exe.

Suspicious behavior: MapViewOfSection  (7 IoCs)
  3040 wmplayer.exe (1), 3392 Explorer.EXE (2), 2812 sc.exe (4)

Suspicious use of AdjustPrivilegeToken  (7 IoCs)
  SeDebugPrivilege           4612 powershell.exe   (1)
  SeShutdownPrivilege        3392 Explorer.EXE     (3)
  SeCreatePagefilePrivilege  3392 Explorer.EXE     (3)
  Explorer's SeShutdownPrivilege and SeCreatePagefilePrivilege adjustments are routine shell behaviour.

Suspicious use of WriteProcessMemory  (13 IoCs)
  source                                  target                 events   procid_target
  2412 ORDEN DE COMPRA URGENTEfdp..exe    4612 powershell.exe    2        76
  2412 ORDEN DE COMPRA URGENTEfdp..exe    3040 wmplayer.exe      6        78
  3392 Explorer.EXE                       2812 sc.exe            3        81
  2812 sc.exe                             3724 Firefox.exe       2        82
  A write into a freshly created child followed by SetThreadContext on it (2412 -> 3040, 2812 -> 3724) is the process-hollowing pattern. The 2412 -> 4612 writes have no matching context change and are consistent with process creation rather than injection.

System policy modification  (1 TTPs, 1 IoCs)
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   ORDEN DE COMPRA URGENTEfdp..exe
Processes

C:\Windows\Explorer.EXE  (PID 3392)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA URGENTEfdp..exe  (PID 2412)
    command line: "C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA URGENTEfdp..exe"
    - UAC bypass
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4612)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA URGENTEfdp..exe" -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Program Files (x86)\Windows Media Player\wmplayer.exe  (PID 3040)
      command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

  C:\Windows\SysWOW64\sc.exe  (PID 2812)
    command line: "C:\Windows\SysWOW64\sc.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Launches sc.exe
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 3724)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

Reading the tree: sc.exe (2812) is a child of Explorer.EXE, not of the sample. That matches the signatures, in which wmplayer.exe (3040, hollowed by the sample) sets Explorer's thread context and Explorer then spawns and writes to sc.exe. Firefox.exe (3724) has no behaviour of its own; it is written to and has its thread context set by sc.exe, so it is a second hollowed host. The persistence value, the Defender exclusion and the EnableLUA change are all made from this chain, so none of the processes that touch the registry is the original file.
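The injection chain and the two policy changes above can be recovered mechanically from the report's own rows. The script below is an added example by the editor, not code from tria.ge or from the sample: the event rows, the PID-to-image map, the registry rows and the PowerShell command line are copied from this report (duplicate WriteProcessMemory rows dropped), while the row parsing, the hollowing heuristic (WriteProcessMemory plus SetThreadContext on the same target), the graph walk and the registry checks are my own.

```python
"""Triage of this report's cross-process and registry IoCs.

Added example, not part of the tria.ge report. Input rows are copied from
the report; parsing, graph walk and scoring are the editor's own.
"""
import re
from collections import defaultdict

# Rows from 'Suspicious use of SetThreadContext' and 'Suspicious use of
# WriteProcessMemory' (duplicates dropped). Triage row layout:
#   "PID <src> <verb> <dst> <src> <image> <procid_target>"
EVENTS = [
    "PID 2412 set thread context of 3040 2412 ORDEN DE COMPRA URGENTEfdp..exe 78",
    "PID 3040 set thread context of 3392 3040 wmplayer.exe 54",
    "PID 3040 set thread context of 2812 3040 wmplayer.exe 81",
    "PID 2812 set thread context of 3392 2812 sc.exe 54",
    "PID 2812 set thread context of 3724 2812 sc.exe 82",
    "PID 2412 wrote to memory of 4612 2412 ORDEN DE COMPRA URGENTEfdp..exe 76",
    "PID 2412 wrote to memory of 3040 2412 ORDEN DE COMPRA URGENTEfdp..exe 78",
    "PID 3392 wrote to memory of 2812 3392 Explorer.EXE 81",
    "PID 2812 wrote to memory of 3724 2812 sc.exe 82",
]
IMAGES = {2412: "ORDEN DE COMPRA URGENTEfdp..exe", 4612: "powershell.exe",
          3040: "wmplayer.exe", 3392: "Explorer.EXE", 2812: "sc.exe",
          3724: "Firefox.exe"}  # from the report's process tree
REGISTRY = [  # (operation, key, value) as recorded in the signatures
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows"
     r"\CurrentVersion\Policies\System\EnableLUA", "0"),
    ("Set value (str)", r"\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000"
     r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\04DPCFAXYRV",
     r"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"),
]
POWERSHELL_CMDLINE = (  # powershell.exe (PID 4612) command line from the tree
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
    r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA URGENTEfdp..exe" -Force'
)

ROW = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 .+ \d+$")
EXCLUSION = re.compile(r'-Exclusion(Path|Process|Extension)\s+"([^"]+)"', re.I)


def parse_events(rows):
    """Map (src_pid, dst_pid) to the set of cross-process verbs seen."""
    edges = defaultdict(set)
    for row in rows:
        m = ROW.match(row)
        if m:
            edges[(int(m.group(1)), int(m.group(3)))].add(m.group(2))
    return edges


def injection_targets(edges):
    """WriteProcessMemory plus SetThreadContext on one target is the hollowing
    pattern; a context change alone still means hijacked execution."""
    hollowed, context_only = [], []
    for (src, dst), verbs in sorted(edges.items()):
        if "set thread context of" in verbs:
            bucket = hollowed if "wrote to memory of" in verbs else context_only
            bucket.append((src, dst))
    return hollowed, context_only


def injection_chain(edges, root):
    """Depth-first walk over set-thread-context edges, starting at the sample."""
    graph = defaultdict(list)
    for (src, dst), verbs in edges.items():
        if "set thread context of" in verbs:
            graph[src].append(dst)
    order, seen, stack = [], set(), [root]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            order.append(pid)
            stack.extend(sorted(graph[pid], reverse=True))
    return order


def registry_findings(rows):
    """Flag UAC being switched off and policy-Run-key persistence."""
    findings = []
    for _op, key, value in rows:
        k = key.lower()
        if k.endswith("\\policies\\system\\enablelua") and value == "0":
            findings.append("UAC disabled: EnableLUA=0")
        elif "\\policies\\explorer\\run\\" in k:
            findings.append(f"policy Run key persistence: {value}")
    return findings


def defender_exclusions(cmdline):
    """Every Defender exclusion an Add-MpPreference command line adds."""
    if "add-mppreference" not in cmdline.lower():
        return []
    return [(kind.lower(), target) for kind, target in EXCLUSION.findall(cmdline)]


if __name__ == "__main__":
    edges = parse_events(EVENTS)
    hollowed, context_only = injection_targets(edges)
    print("hollowed:", [(IMAGES[s], IMAGES[d]) for s, d in hollowed])
    print("context only:", [(IMAGES[s], IMAGES[d]) for s, d in context_only])
    print("chain:", " -> ".join(f"{IMAGES[p]}({p})" for p in injection_chain(edges, 2412)))
    print(registry_findings(REGISTRY), defender_exclusions(POWERSHELL_CMDLINE))
```

Running it reports wmplayer.exe and Firefox.exe as hollowed, Explorer.EXE and sc.exe as context-only targets, the chain sample -> wmplayer.exe -> sc.exe -> Explorer.EXE / Firefox.exe, the EnableLUA and Policies\Explorer\Run findings, and the single -ExclusionPath. The hollowing heuristic deliberately ignores write-only edges such as the sample's writes into powershell.exe.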
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
Downloads
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
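A one-byte download can be identified from its hashes alone, since there are only 256 possible contents. The script below is an added example by the editor, not part of the tria.ge report: the four digests are copied from the Downloads entry above, and the brute force plus the cross-check that every recorded algorithm agrees (a mismatch would point to a transcription error) are my own.

```python
"""Recover the content of the report's 1-byte download from its digests.

Added example, not part of the tria.ge report. The digests are copied from
the report's Downloads entry; the search and cross-check are the editor's own.
"""
import hashlib

DOWNLOAD_1B = {  # from this report, Filesize 1B
    "md5": "c4ca4238a0b923820dcc509a6f75849b",
    "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
    "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
    "sha512": "4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a",
}


def matching_algorithms(data, digests):
    """Names of the algorithms in `digests` whose hash of `data` matches."""
    return [alg for alg, hexd in digests.items()
            if hashlib.new(alg, data).hexdigest() == hexd.lower()]


def recover_short_download(digests, max_len=1):
    """Brute-force files of 1..max_len bytes until every recorded digest agrees.
    Returns None if the digests disagree or the file is longer than max_len."""
    pivot = next(iter(digests))  # filter on one algorithm, then confirm the rest
    for length in range(1, max_len + 1):
        for n in range(256 ** length):
            candidate = n.to_bytes(length, "big")
            if hashlib.new(pivot, candidate).hexdigest() != digests[pivot].lower():
                continue
            if len(matching_algorithms(candidate, digests)) == len(digests):
                return candidate
    return None


if __name__ == "__main__":
    body = recover_short_download(DOWNLOAD_1B)
    print("body:", body, "confirmed by:", matching_algorithms(body, DOWNLOAD_1B))
```

The recovered body is the single ASCII character "1". A one-character response is a common bare acknowledgement from a server, but the report's Network section records nothing further, so that reading is a hypothesis, not a finding.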