Analysis
- max time kernel: 149s
- max time network: 156s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 28/07/2024, 09:32
Behavioral tasks
- behavioral1: sample windows.exe, resource win10-20240404-en
- behavioral2: sample windows.exe, resource win7-20240704-en
- behavioral3: sample windows.exe, resource win10v2004-20240709-en
- behavioral4: sample windows.exe, resource win11-20240709-en
General
- Target: windows.exe
- Size: 913KB
- MD5: 4c30c907584baa7c1931a3a83ba69149
- SHA1: 09d3887d9895189a49930a61aea8c788b1ad1c0e
- SHA256: afc180f84398fdf09969b61c538dd1b7d2259fba43b44a5ed00dac386df7a046
- SHA512: 1f581850f9722153d760f6a0f125b71aae3b87546c851a26674cc37ec76b13e39f8abc93a77e1d32fdfe906fa80945fbfb9774cb002dadd922b629879c9246cc
- SSDEEP: 24576:1Eqr4MROxnF25bYmfFhQ3rZlI0AilFEvxHil71B:1EjMiz3rZlI0AilFEvxHi
Malware Config
Signatures
- Drops desktop.ini file(s) (2 IoCs)
  File created: C:\Windows\assembly\Desktop.ini (process: windows.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (process: windows.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
  flow 1: 0.tcp.eu.ngrok.io
- Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\assembly\Desktop.ini (process: windows.exe)
  File opened for modification: C:\Windows\assembly (process: windows.exe)
  File created: C:\Windows\assembly\Desktop.ini (process: windows.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2064, process windows.exe (the same entry repeated 64 times)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, pid 2064, process windows.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2064 (windows.exe) wrote to memory of 4780, procid_target 75
  PID 2064 (windows.exe) wrote to memory of 4780, procid_target 75
  PID 4780 (csc.exe) wrote to memory of 1520, procid_target 77
  PID 4780 (csc.exe) wrote to memory of 1520, procid_target 77
Processes
- C:\Users\Admin\AppData\Local\Temp\windows.exe (level 1, PID 2064)
  Command line: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (level 2, PID 4780)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xgqs3dcz.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (level 3, PID 1520)
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80CA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC80C9.tmp"
- C:\Windows\system32\wbem\WmiApSrv.exe (level 1, PID 3528)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Enterprise v15
Downloads