Analysis
- max time kernel: 111s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/07/2024, 06:46
Static task: static1
Behavioral task: behavioral1
- Sample: 5be6e2c83e2ed19e4b2c9ea83b734860N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 5be6e2c83e2ed19e4b2c9ea83b734860N.exe
- Resource: win10v2004-20240709-en
General
- Target: 5be6e2c83e2ed19e4b2c9ea83b734860N.exe
- Size: 497KB
- MD5: 5be6e2c83e2ed19e4b2c9ea83b734860
- SHA1: f1e4b6ef5b36d2098b652fd2ee5c2bad936ef7dc
- SHA256: 140c37210d057d81b9e7a8a6c63483699812bf1b12dcd3f634bac5f8918ba896
- SHA512: c051251bb6d8dd4e79aaa50f1a7450e3954c2168ebd68c3589cb2a03c24183d1c920925aa4727609aa2b1924f2ff9a48379273084b44755916bd9d011b140f03
- SSDEEP: 6144:yiNjjdOCJnUNKMEPDGeoo1HyisWW4g0QTxbGctE6Jm20tdVgWwAidpNCgrBF:TjjwULQoN84XQT08JoVgWwAkAQ
Malware Config
Signatures
- resource: behavioral2/files/0x000700000002346a-20.dat, yara_rule: aspack_v212_v242
Executes dropped EXE (1 IoC)
- PID 2428: svchost.exe
Loads dropped DLL (1 IoC)
- PID 3984: Regsvr32.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CCLGYY.EXE = "C:\\Users\\svchost.exe" (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\O: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File opened (read-only): \??\G: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File opened (read-only): \??\I: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File opened (read-only): \??\N: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File opened (read-only): \??\P: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File opened (read-only): \??\R: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File opened (read-only): \??\S: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File opened (read-only): \??\U: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File opened (read-only): \??\H: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File opened (read-only): \??\K: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File opened (read-only): \??\M: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File opened (read-only): \??\Q: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File opened (read-only): \??\T: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File opened (read-only): \??\V: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File opened (read-only): \??\E: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File opened (read-only): \??\J: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File opened (read-only): \??\L: (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\CCLGYY.EXE (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- File created: C:\Windows\SysWOW64\Ms7002.dll (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Regsvr32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
Modifies registry class (26 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" (Regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" (Regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook (Regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Users\\CCLGYY.EXE \"%1\"" (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\CCLGYY.EXE" (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid (Regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID (Regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" (Regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Users\\CCLGYY.EXE \"%1\"" (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\CCLGYY.EXE %1" (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\PerfLogs\\VQH.EXE %1" (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" (Regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 (Regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" (Regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" (Regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command (5be6e2c83e2ed19e4b2c9ea83b734860N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} (Regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile (svchost.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 2508: 5be6e2c83e2ed19e4b2c9ea83b734860N.exe
- PID 2508: 5be6e2c83e2ed19e4b2c9ea83b734860N.exe
- PID 2508: 5be6e2c83e2ed19e4b2c9ea83b734860N.exe
- PID 2508: 5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2428: svchost.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
- PID 2508 wrote to memory of 3984 | 2508 | 5be6e2c83e2ed19e4b2c9ea83b734860N.exe | 87
- PID 2508 wrote to memory of 3984 | 2508 | 5be6e2c83e2ed19e4b2c9ea83b734860N.exe | 87
- PID 2508 wrote to memory of 3984 | 2508 | 5be6e2c83e2ed19e4b2c9ea83b734860N.exe | 87
- PID 2508 wrote to memory of 2428 | 2508 | 5be6e2c83e2ed19e4b2c9ea83b734860N.exe | 88
- PID 2508 wrote to memory of 2428 | 2508 | 5be6e2c83e2ed19e4b2c9ea83b734860N.exe | 88
- PID 2508 wrote to memory of 2428 | 2508 | 5be6e2c83e2ed19e4b2c9ea83b734860N.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\5be6e2c83e2ed19e4b2c9ea83b734860N.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5be6e2c83e2ed19e4b2c9ea83b734860N.exe"
  PID: 2508
  Signatures:
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  Child processes (level 2):
    - C:\Windows\SysWOW64\Regsvr32.exe
      Command line: Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
      PID: 3984
      Signatures:
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class
    - C:\PerfLogs\svchost.exe
      Command line: C:\PerfLogs\svchost.exe
      PID: 2428
      Signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 497KB
  MD5: a73e59c29dd7cb063c1b8abfa6850f09
  SHA1: c82051f7cb6e3900dad881c316354338ac1a4692
  SHA256: f9dad7643ee17f2f27dc1375aef425aa7eb5ae6d5345100b7d14d4424c11ffae
  SHA512: 9ad22e96477c9f2440a6864136c6d1174eb56b4d019df74978c65d2764ec0e984fd7b2b9c41e17527b7ef899a12a3c1b1a9a930c33a7e2fd76c975ab3d70ae37
- Filesize: 497KB
  MD5: 4c88ef5b4caa97c36ffc6a3377e9765c
  SHA1: 7aa4ddf3a384286173d7f24ff0050343020c0c15
  SHA256: 22f6c7e7811a7e9496d754f22a520e5275b32453a83535a732c41ed99a15145e
  SHA512: bdd6ebb85f069b5340781f9cb02cc18b972fb1794c664a4012351dd110139be84d9bb293fc2620fd65e95b9ff5256005f384402c0fdbb303d58debd116ed8473
- Filesize: 52KB
  MD5: 876a2a99b81968f5b26e3cbe12063d2b
  SHA1: 7afa8f33b691b2651b65eb07220cc2fda4b7537c
  SHA256: f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0
  SHA512: ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1
- Filesize: 205B
  MD5: 2f389f0dca36e22c0811db7d260f740c
  SHA1: 62077f3a13d559730db541c11f155079d37d5e0b
  SHA256: 9aa5af3786fe23809bdda6c6ac7b8fbe0ae20fc9da1c28b82bb9b7516ffae52b
  SHA512: 1e0457183b5bf9061311bfcb2c714f9d006ea4b71beff43e065426d1eddcb5f98991dbf9922586b9e59c36638956ff6491244816a8097d01f05a2a99eb0e9e1f