Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-fr
  • resource tags

    arch:x64arch:x86image:win11-20240709-frlocale:fr-fros:windows11-21h2-x64systemwindows
  • submitted
    20/07/2024, 08:54

General

  • Target

    Panel.exe

  • Size

    12.1MB

  • MD5

    85afedf22ca7d0561be4443e854459a7

  • SHA1

    1fec08de68672a302f0df40ff30b22cee4d18057

  • SHA256

    130a2379f8f07cec2cd9935bdf67bfcfbb977327f89f017dc16f19efc871d864

  • SHA512

    e5229c4e67bc7d4ef8b53c94cfd017833797ecb52a93d71e9770ae50aaaa8e3e6c9b6433389f85255c2fe92bf94bdf1f6d1c49a01ac0809d7c8ccdb8c07dce03

  • SSDEEP

    393216:+A+bVvdvbtsjjBbns3JX08gNghF5tAVsQsaBMvBVvrsV4ojavjdTbvosw+z6VVq1:+A+bVvdvbtsjjBbns3JX08gNghF5tAV8

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Panel.exe
    "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Users\Admin\AppData\Local\Temp\Panel.exe
      "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4572
    • C:\Users\Admin\AppData\Local\Temp\Panel.exe
      "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2636
    • C:\Users\Admin\AppData\Local\Temp\Panel.exe
      "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1452
    • C:\Users\Admin\AppData\Local\Temp\Panel.exe
      "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4468
    • C:\Users\Admin\AppData\Local\Temp\Panel.exe
      "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4892
    • C:\Users\Admin\AppData\Local\Temp\Panel.exe
      "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1708
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Panel.exe.log

    Filesize

    1KB

    MD5

    c7eb6cc6ed42aa4d66b34cc8574c8449

    SHA1

    be40237fc6355f40e35812ac68322827f49151cc

    SHA256

    dba6de21c58e1179f115af4732bd8e291831cd5bfb879444c5d7109bcf72743b

    SHA512

    6133c0fdfd97d22c5273cc09c43991c939421515558b40afdd4628fb65b734f67861910485c4cf0df2ad9bb5f244afdf5074fbe5858164af20d9121530b5edf9

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    10KB

    MD5

    605569224afd9f1770eb9729da87be95

    SHA1

    959244c7a33bec1903439de3310f9a0d57561924

    SHA256

    cfa7d041b326734b56cea4549e6a6897e16bc5bda95665758879c2919b722768

    SHA512

    75659d6e46a1f62542970a5718ce320ac5b634b7e4f1a49ac20cc3aa8b9bd39db536bdb5b0e18ab6136e7901cec370a45a1ce8efdaac05f3e39c3ab2d3a4a890

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    10KB

    MD5

    f9c4f8d7739744b8ce2d1484f91ff266

    SHA1

    4327ac3116a0c41cd72f1b3bb8172aa382a292df

    SHA256

    3e7ef6fc55b0a603ba98160ce46a32c33f509c4fd7816cc287cd0ce8f4da898e

    SHA512

    4ee11a003200b6ad332e0f2d6a9b84abe96a1d312bfedda7e0d30ceafed9a38480e7e3015266c9fbcca6aa537fd12e37715f2306b21060467778c64a8ad070b0

  • memory/1420-0-0x00007FFFD5E43000-0x00007FFFD5E45000-memory.dmp

    Filesize

    8KB

  • memory/1420-1-0x000001D430E30000-0x000001D431A44000-memory.dmp

    Filesize

    12.1MB

  • memory/1420-2-0x00007FFFD5E40000-0x00007FFFD6902000-memory.dmp

    Filesize

    10.8MB

  • memory/1420-29-0x00007FFFD5E43000-0x00007FFFD5E45000-memory.dmp

    Filesize

    8KB

  • memory/1420-30-0x00007FFFD5E40000-0x00007FFFD6902000-memory.dmp

    Filesize

    10.8MB

  • memory/4572-3-0x00007FFFD5E40000-0x00007FFFD6902000-memory.dmp

    Filesize

    10.8MB

  • memory/4572-4-0x00007FFFD5E40000-0x00007FFFD6902000-memory.dmp

    Filesize

    10.8MB

  • memory/4572-6-0x00007FFFD5E40000-0x00007FFFD6902000-memory.dmp

    Filesize

    10.8MB

  • memory/4572-7-0x00007FFFD5E40000-0x00007FFFD6902000-memory.dmp

    Filesize

    10.8MB