Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
3b15bb6f089...fd.exe
windows10-1703-x64
10b349269e93...16.exe
windows10-1703-x64
3b349849a59...23.exe
windows10-1703-x64
b3f7df11dc...8c.exe
windows10-1703-x64
10b3f7f7bbc7...d0.exe
windows10-1703-x64
10b6f8f78085...05.exe
windows10-1703-x64
10b71794921e...51.exe
windows10-1703-x64
10c05c6e2434...8e.exe
windows10-1703-x64
10c8cc203f99...d2.exe
windows10-1703-x64
10c96fd5f1dd...40.exe
windows10-1703-x64
10cf0751df31...7d.exe
windows10-1703-x64
cf3610e817...5f.exe
windows10-1703-x64
5d191674c65...da.exe
windows10-1703-x64
5d559a80052...7c.exe
windows10-1703-x64
10d60229cbc2...b0.exe
windows10-1703-x64
10d78e74e4a3...22.exe
windows10-1703-x64
10d901b86714...43.exe
windows10-1703-x64
da760f61e0...56.exe
windows10-1703-x64
10e0d0a27648...61.exe
windows10-1703-x64
5e4d38d99f9...fc.exe
windows10-1703-x64
e5ad2b2fe9...be.exe
windows10-1703-x64
10e9724fe8d0...4b.exe
windows10-1703-x64
10ea3311758e...ad.exe
windows10-1703-x64
10eaf6bd6c1d...95.exe
windows10-1703-x64
10ebb147e6b3...ee.exe
windows10-1703-x64
ebd0168e06...16.exe
windows10-1703-x64
ecc88023ac...cd.exe
windows10-1703-x64
10f0502f754c...69.exe
windows10-1703-x64
10f164297bfa...de.exe
windows10-1703-x64
10f1ad160996...3b.exe
windows10-1703-x64
f4a5067973...6e.exe
windows10-1703-x64
10f86dd9321d...0e.exe
windows10-1703-x64
10Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
13/07/2024, 18:45
Static task
static1
Behavioral task
behavioral1
Sample
b15bb6f0892dc78e8cec312c97b78d00b59e60fd.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral2
Sample
b349269e933263ce9f1927be5742aa8b3d8d5516.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral3
Sample
b349849a596a335a3ce8facff3355881da481d23.exe
Resource
win10-20240611-en
windows10-1703-x64
Behavioral task
behavioral4
Sample
b3f7df11dc0220159828667c89adb906df87688c.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral5
Sample
b3f7f7bbc77c46786b1c2be629a30c50c440bfd0.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral6
Sample
b6f8f780853fe7f05ae814728c8ff0e383913805.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral7
Sample
b71794921e0c21d4c4f68746314c37697c191451.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral8
Sample
c05c6e2434d7ff822833cf42308e6d3a2088878e.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral9
Sample
c8cc203f99a4d46c9408b748a1100cebe63052d2.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral10
Sample
c96fd5f1ddc101b767bb2c61dfb0ee8526800140.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral11
Sample
cf0751df3192528fbc671a81d4518a5a9eae817d.exe
Resource
win10-20240611-en
windows10-1703-x64
Behavioral task
behavioral12
Sample
cf3610e817c000061c5cb7ebfec7d22454720b5f.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral13
Sample
d191674c6559caaa0797f285a6b96514975c56da.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral14
Sample
d559a80052b000594c0077941d2f1a2879758b7c.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral15
Sample
d60229cbc27661327c07d899e5ed973589b29ab0.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral16
Sample
d78e74e4a3f526cfa82930cd5a832971a36fdd22.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral17
Sample
d901b86714b00ea5e46940b97694f55d4bdee743.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral18
Sample
da760f61e0f5026dbf1d1a610fa67a1d8b34b956.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral19
Sample
e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral20
Sample
e4d38d99f93d367abc33edad79d33fe0646c3cfc.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral21
Sample
e5ad2b2fe9ae9b79559199e35a3d6f2c5e01f9be.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral22
Sample
e9724fe8d0bf8049646285445277bce9e0b1e14b.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral23
Sample
ea3311758ec34992d91b99f8f52c8e9d92b178ad.exe
Resource
win10-20240611-en
windows10-1703-x64
Behavioral task
behavioral24
Sample
eaf6bd6c1d144a187cbba7eac449431cd495d395.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral25
Sample
ebb147e6b369128c09e4c21dbc68cd13db7a4bee.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral26
Sample
ebd0168e063780117d41bac9a8eab0803686a116.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral27
Sample
ecc88023ac2f1e41852ebb47c5841ed66a14f0cd.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral28
Sample
f0502f754cbee4d0c6100e0f9366cfb87aca0b69.exe
Resource
win10-20240611-en
windows10-1703-x64
Behavioral task
behavioral29
Sample
f164297bfae27da0440ccd0cb81fdb48fdcaa0de.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral30
Sample
f1ad1609968432a7d83efe379ee676628f97ea3b.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral31
Sample
f4a506797325ba974e553a421fd1974a1426956e.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral32
Sample
f86dd9321d7d4d5d9b2ff5b3a61871ae407c310e.exe
Resource
win10-20240404-en
windows10-1703-x64
General
-
Target
e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe
-
Size
258KB
-
MD5
7dd3e6ae26cab6c0b0e3a4c89d54aa7f
-
SHA1
e0d0a2764836786c7f0cee2d1fa5b30da73a5f61
-
SHA256
7b041cde211d98455249cf0d74b68be311b9d8a90cee098770075ad336a5b5c7
-
SHA512
94f6666b84b371d2f997cbc373f732092922b05ff5d93034beeef79fb07677ecb33343dbd34f4962d098d93a3857930fcb9bfd495f323d8f3d0fea9f0a378b98
-
SSDEEP
3072:ZLj/06/a80EfzCRVukTBLhTh3BOZOuCS1xiIvsXiS2gtyy7tQuua1WFx0v2vTH3K:Nj80a87fzzuPThb+PBpqtLx1+x0L
Malware Config
Signatures
-
Drops file in System32 directory 5 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE bitsserver.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies bitsserver.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 bitsserver.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat bitsserver.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 bitsserver.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2464 set thread context of 4664 2464 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 73 PID 3424 set thread context of 2496 3424 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 75 PID 3272 set thread context of 4564 3272 bitsserver.exe 77 PID 3164 set thread context of 1416 3164 bitsserver.exe 79 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix bitsserver.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" bitsserver.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" bitsserver.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1416 bitsserver.exe 1416 bitsserver.exe 1416 bitsserver.exe 1416 bitsserver.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2496 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 2464 wrote to memory of 4664 2464 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 73 PID 2464 wrote to memory of 4664 2464 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 73 PID 2464 wrote to memory of 4664 2464 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 73 PID 2464 wrote to memory of 4664 2464 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 73 PID 2464 wrote to memory of 4664 2464 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 73 PID 2464 wrote to memory of 4664 2464 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 73 PID 2464 wrote to memory of 4664 2464 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 73 PID 2464 wrote to memory of 4664 2464 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 73 PID 2464 wrote to memory of 4664 2464 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 73 PID 4664 wrote to memory of 3424 4664 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 74 PID 4664 wrote to memory of 3424 4664 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 74 PID 4664 wrote to memory of 3424 4664 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 74 PID 3424 wrote to memory of 2496 3424 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 75 PID 3424 wrote to memory of 2496 3424 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 75 PID 3424 wrote to memory of 2496 3424 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 75 PID 3424 wrote to memory of 2496 3424 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 75 PID 3424 wrote to memory of 2496 3424 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 75 PID 3424 wrote to memory of 2496 3424 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 75 PID 3424 wrote to memory of 2496 3424 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 75 PID 3424 wrote to memory of 2496 3424 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 75 PID 3424 wrote to memory of 2496 3424 e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe 75 PID 3272 wrote to memory of 4564 3272 bitsserver.exe 77 PID 3272 wrote to memory of 4564 3272 bitsserver.exe 77 PID 3272 wrote to memory of 4564 3272 bitsserver.exe 77 PID 3272 wrote to memory of 4564 3272 bitsserver.exe 77 PID 3272 wrote to memory of 4564 3272 bitsserver.exe 77 PID 3272 wrote to memory of 4564 3272 bitsserver.exe 77 PID 3272 wrote to memory of 4564 3272 bitsserver.exe 77 PID 3272 wrote to memory of 4564 3272 bitsserver.exe 77 PID 3272 wrote to memory of 4564 3272 bitsserver.exe 77 PID 4564 wrote to memory of 3164 4564 bitsserver.exe 78 PID 4564 wrote to memory of 3164 4564 bitsserver.exe 78 PID 4564 wrote to memory of 3164 4564 bitsserver.exe 78 PID 3164 wrote to memory of 1416 3164 bitsserver.exe 79 PID 3164 wrote to memory of 1416 3164 bitsserver.exe 79 PID 3164 wrote to memory of 1416 3164 bitsserver.exe 79 PID 3164 wrote to memory of 1416 3164 bitsserver.exe 79 PID 3164 wrote to memory of 1416 3164 bitsserver.exe 79 PID 3164 wrote to memory of 1416 3164 bitsserver.exe 79 PID 3164 wrote to memory of 1416 3164 bitsserver.exe 79 PID 3164 wrote to memory of 1416 3164 bitsserver.exe 79 PID 3164 wrote to memory of 1416 3164 bitsserver.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe"C:\Users\Admin\AppData\Local\Temp\e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Users\Admin\AppData\Local\Temp\e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe"C:\Users\Admin\AppData\Local\Temp\e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Users\Admin\AppData\Local\Temp\e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe"C:\Users\Admin\AppData\Local\Temp\e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Users\Admin\AppData\Local\Temp\e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe"C:\Users\Admin\AppData\Local\Temp\e0d0a2764836786c7f0cee2d1fa5b30da73a5f61.exe"4⤵
- Suspicious behavior: RenamesItself
PID:2496
-
-
-
-
C:\Windows\SysWOW64\bitsserver.exeC:\Windows\SysWOW64\bitsserver.exe1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\bitsserver.exeC:\Windows\SysWOW64\bitsserver.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\bitsserver.exe"C:\Windows\SysWOW64\bitsserver.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\bitsserver.exe"C:\Windows\SysWOW64\bitsserver.exe"4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1416
-
-
-