Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
16/07/2024, 00:43
240716-a232nsxckr 1016/07/2024, 00:41
240716-a16q6szdmc 1016/07/2024, 00:38
240716-azamcazcpc 1015/07/2024, 20:46
240715-zkpv6a1dlh 10Analysis
-
max time kernel
119s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
15/07/2024, 20:46
Behavioral task
behavioral1
Sample
0928f36599b47ba66582d1f5a5cb6fb0N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
0928f36599b47ba66582d1f5a5cb6fb0N.exe
Resource
win10v2004-20240709-en
General
-
Target
0928f36599b47ba66582d1f5a5cb6fb0N.exe
-
Size
23KB
-
MD5
0928f36599b47ba66582d1f5a5cb6fb0
-
SHA1
bef519e4db670bbea44d8cba6cbf104050ae551d
-
SHA256
7833bf16b7c7c64dff43ca86f7ef1119284cedbc43fc7c31184d531b17e6bbf0
-
SHA512
edf35a5457744d7792c8d4ea5d99e8e3beecef2a516a18f0296891d6f4baf3bf543cf00ba63a11aac5ad18af2567aa8781e840e339d80097d8e7a2e837b8ca3e
-
SSDEEP
384:/oWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZI2:Y7O89p2rRpcnuY
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 3568 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation 0928f36599b47ba66582d1f5a5cb6fb0N.exe -
Executes dropped EXE 1 IoCs
pid Process 32 server.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
description pid Process Token: SeDebugPrivilege 32 server.exe Token: 33 32 server.exe Token: SeIncBasePriorityPrivilege 32 server.exe Token: 33 32 server.exe Token: SeIncBasePriorityPrivilege 32 server.exe Token: 33 32 server.exe Token: SeIncBasePriorityPrivilege 32 server.exe Token: 33 32 server.exe Token: SeIncBasePriorityPrivilege 32 server.exe Token: 33 32 server.exe Token: SeIncBasePriorityPrivilege 32 server.exe Token: 33 32 server.exe Token: SeIncBasePriorityPrivilege 32 server.exe Token: 33 32 server.exe Token: SeIncBasePriorityPrivilege 32 server.exe Token: 33 32 server.exe Token: SeIncBasePriorityPrivilege 32 server.exe Token: 33 32 server.exe Token: SeIncBasePriorityPrivilege 32 server.exe Token: 33 32 server.exe Token: SeIncBasePriorityPrivilege 32 server.exe Token: 33 32 server.exe Token: SeIncBasePriorityPrivilege 32 server.exe Token: 33 32 server.exe Token: SeIncBasePriorityPrivilege 32 server.exe Token: 33 32 server.exe Token: SeIncBasePriorityPrivilege 32 server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1284 wrote to memory of 32 1284 0928f36599b47ba66582d1f5a5cb6fb0N.exe 86 PID 1284 wrote to memory of 32 1284 0928f36599b47ba66582d1f5a5cb6fb0N.exe 86 PID 1284 wrote to memory of 32 1284 0928f36599b47ba66582d1f5a5cb6fb0N.exe 86 PID 32 wrote to memory of 3568 32 server.exe 87 PID 32 wrote to memory of 3568 32 server.exe 87 PID 32 wrote to memory of 3568 32 server.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\0928f36599b47ba66582d1f5a5cb6fb0N.exe"C:\Users\Admin\AppData\Local\Temp\0928f36599b47ba66582d1f5a5cb6fb0N.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3568
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD50928f36599b47ba66582d1f5a5cb6fb0
SHA1bef519e4db670bbea44d8cba6cbf104050ae551d
SHA2567833bf16b7c7c64dff43ca86f7ef1119284cedbc43fc7c31184d531b17e6bbf0
SHA512edf35a5457744d7792c8d4ea5d99e8e3beecef2a516a18f0296891d6f4baf3bf543cf00ba63a11aac5ad18af2567aa8781e840e339d80097d8e7a2e837b8ca3e