Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
21/07/2024, 20:08
Static task
static1
Behavioral task
behavioral1
Sample
03faea08976b2ec65bf9ee79703dc770N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
03faea08976b2ec65bf9ee79703dc770N.exe
Resource
win10v2004-20240709-en
General
-
Target
03faea08976b2ec65bf9ee79703dc770N.exe
-
Size
27KB
-
MD5
03faea08976b2ec65bf9ee79703dc770
-
SHA1
6169f9048c91655730e96206b9a7832173263457
-
SHA256
6b620d72542aa0284b9fda80cd2c860592473ca610be8729e70091baad32c14b
-
SHA512
55d3ba2b36aaa8fcd5f38acb083a190c3d80fea5d5fc4eecd4b284a51bc7bf998243dacf2e1ab5b6f23a5d9b5c40d3497d0ed739d8f922b7ab4cdf2515007da2
-
SSDEEP
768:PVEHJqjHyGvwFylDpulVSQJrE/2QmlCYZUbrv:PH2nylslwHCCLP
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2260 rundll32.exe -
Modifies system executable filetype association 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command 03faea08976b2ec65bf9ee79703dc770N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" 03faea08976b2ec65bf9ee79703dc770N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" 03faea08976b2ec65bf9ee79703dc770N.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\¢«.exe 03faea08976b2ec65bf9ee79703dc770N.exe File created C:\Windows\SysWOW64\¢«.exe 03faea08976b2ec65bf9ee79703dc770N.exe File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe 03faea08976b2ec65bf9ee79703dc770N.exe File created C:\Windows\SysWOW64\notepad¢¬.exe 03faea08976b2ec65bf9ee79703dc770N.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system\rundll32.exe 03faea08976b2ec65bf9ee79703dc770N.exe File created C:\Windows\system\rundll32.exe 03faea08976b2ec65bf9ee79703dc770N.exe -
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\MSipv 03faea08976b2ec65bf9ee79703dc770N.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command 03faea08976b2ec65bf9ee79703dc770N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" 03faea08976b2ec65bf9ee79703dc770N.exe Key created \REGISTRY\MACHINE\Software\Classes\MSipv rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1721592630" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" 03faea08976b2ec65bf9ee79703dc770N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1721592630" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" 03faea08976b2ec65bf9ee79703dc770N.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command 03faea08976b2ec65bf9ee79703dc770N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" 03faea08976b2ec65bf9ee79703dc770N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe 4556 03faea08976b2ec65bf9ee79703dc770N.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2260 rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4556 03faea08976b2ec65bf9ee79703dc770N.exe 2260 rundll32.exe 2260 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4556 wrote to memory of 2260 4556 03faea08976b2ec65bf9ee79703dc770N.exe 87 PID 4556 wrote to memory of 2260 4556 03faea08976b2ec65bf9ee79703dc770N.exe 87 PID 4556 wrote to memory of 2260 4556 03faea08976b2ec65bf9ee79703dc770N.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\03faea08976b2ec65bf9ee79703dc770N.exe"C:\Users\Admin\AppData\Local\Temp\03faea08976b2ec65bf9ee79703dc770N.exe"1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\system\rundll32.exeC:\Windows\system\rundll32.exe2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2260
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD53525971c9a8c03f4ea3a424ac1426773
SHA1bff6de73d1545a0e6ff5e6f57ddd81dd699d93d8
SHA256f7c8fe4fb3814af6aadfcf2a9a04cccae469d054401633fe05d93824fd3f61d0
SHA5120653b5c9c29abdf55671c328fd38cc1b4b78ed3b5fb0707e0ce2c635fd76a588bc330d4ec13c1ff3744ab532fc8739eef349efa33d3b57f0f59b589e298187ed
-
Filesize
31KB
MD5897bed4be785c7e93543fa8eca6ca3fc
SHA1d157d165b82ed1c459df278e2607734e883a04b6
SHA256c2ee60c8e97c916a422879de22c248d0b1c0b5444bed72d223ec36f842fed9c9
SHA5128bca0b958815b6ca3bbb8d27955c4f2959df90e669444569822543374e43613dae22f0ea250f8c851fd0e327573c5223086c21d232af56135e3a4e2ef1020db2