Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/07/2024, 05:07
Static task: static1
Behavioral task: behavioral1
- Sample: 2df807a290d3c5994e51f223d7c1a5d0N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 2df807a290d3c5994e51f223d7c1a5d0N.exe
- Resource: win10v2004-20240704-en
General
- Target: 2df807a290d3c5994e51f223d7c1a5d0N.exe
- Size: 237KB
- MD5: 2df807a290d3c5994e51f223d7c1a5d0
- SHA1: 73d2c017077e28a9d1789331fac1638287782e88
- SHA256: 8ec6916adfac9da627a7dc82e3bcb34c792501a74da35e0c9181d1a16345f661
- SHA512: 30c0cd841cfe5e45725710608ed75cd9dee0ac4375a1756a343316e657d336693c0186592f5e43aa29cfd1137765550b2b99efa0480d008056d9f192b30f96a3
- SSDEEP: 6144:AD8okEvTyoZVOgd2QZiw5NLclL5orfQH:CsjCF2QZiOU+4
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | process: svchost.exe
- Executes dropped EXE (1 IoC)
  pid: 1136 | process: svchost.exe
- Modifies WinLogon (2 TTPs, 2 IoCs)
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\f16d308d = "C:\\Windows\\apppatch\\svchost.exe" | process: 2df807a290d3c5994e51f223d7c1a5d0N.exe
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\f16d308d = "C:\\Windows\\apppatch\\svchost.exe" | process: svchost.exe
- Drops file in Windows directory (2 IoCs)
  description: File created | ioc: C:\Windows\apppatch\svchost.exe | process: 2df807a290d3c5994e51f223d7c1a5d0N.exe
  description: File opened for modification | ioc: C:\Windows\apppatch\svchost.exe | process: 2df807a290d3c5994e51f223d7c1a5d0N.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 1136 | process: svchost.exe
  pid: 1136 | process: svchost.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid: 4616 | process: 2df807a290d3c5994e51f223d7c1a5d0N.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4616 wrote to memory of 1136 | pid: 4616 | process: 2df807a290d3c5994e51f223d7c1a5d0N.exe | procid_target: 85
  description: PID 4616 wrote to memory of 1136 | pid: 4616 | process: 2df807a290d3c5994e51f223d7c1a5d0N.exe | procid_target: 85
  description: PID 4616 wrote to memory of 1136 | pid: 4616 | process: 2df807a290d3c5994e51f223d7c1a5d0N.exe | procid_target: 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\2df807a290d3c5994e51f223d7c1a5d0N.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2df807a290d3c5994e51f223d7c1a5d0N.exe"
   PID: 4616
   - Modifies WinLogon
   - Drops file in Windows directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\apppatch\svchost.exe (child of PID 4616)
      command line: "C:\Windows\apppatch\svchost.exe"
      PID: 1136
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Modifies WinLogon
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 237KB
- MD5: 6a2c0f639afe59a41a5cf7bf87c21149
- SHA1: aed92fe9f2e049fdb31312c7c21fc5e8049b3960
- SHA256: 3a80316b432f6055e6f4c0cab5cd13aae95c67d87e08202f26a88ef6bcd615a2
- SHA512: ef7e8af71c9f180b20421f6808bc62be6d71d1f7f52f462fbe7195fe4730c770e779e10c62802471da76558aa0940df304f039c7411aeb142071d5c07169dce2