Analysis
  max time kernel: 118s
  max time network: 123s
  platform: windows10-2004_x64
  resource: win10v2004-20240730-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 02/08/2024, 03:37
Static task: static1
Behavioral task: behavioral1
  Sample: 4c16c5a6200165d3cf90a5f645e26ab0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 4c16c5a6200165d3cf90a5f645e26ab0N.exe
  Resource: win10v2004-20240730-en
General
  Target: 4c16c5a6200165d3cf90a5f645e26ab0N.exe
  Size: 212KB
  MD5: 4c16c5a6200165d3cf90a5f645e26ab0
  SHA1: b35f2c6730414ee91dfbe6c410dc04bf0d146196
  SHA256: a4e303fb9284ffcb108ad545f8f7203cf796aa1a02f906ba45a6faedea8390e8
  SHA512: 7269a0b03613fd7666ea599fb34160ce13e462914e6ad0a97f3ecc49ae254472fcf18b52859edccd04d7d0e62289aaa05ef575c0be80fb2176d4123e5000673e
  SSDEEP: 6144:zob34ERMS/H7YAVsobrVn5G4E3Hi96mbQzJWFO8Omw4G:EboEj/8ASWM4Ki96/zqIKG
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"
  process: svchost.exe

Executes dropped EXE (1 IoC)
  pid 4080  svchost.exe

Modifies WinLogon (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\40c1be1a = "\x12\v°™\x10rªÐ!Bðfœ`Ñ«r»Btš6å\u0090>\tV\"JÌ”w7:\x1fÀ¾Ö´)´&\x06a¶\x11ˆZ)Ü´\x1a/ùv–HŽ^9bòùÞ8Z™„\t¶éw¤RçñıÖé~žœ€Ùn|\bŸÎ4—‡ÂG9Öd¦ñáyñ\x14xA1™¾$¾ŸRT\x06@jrÞ¹éño9_‚"
  process: 4c16c5a6200165d3cf90a5f645e26ab0N.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\40c1be1a = "\x12\v°™\x10rªÐ!Bðfœ`Ñ«r»Btš6å\u0090>\tV\"JÌ”w7:\x1fÀ¾Ö´)´&\x06a¶\x11ˆZ)Ü´\x1a/ùv–HŽ^9bòùÞ8Z™„\t¶éw¤RçñıÖé~žœ€Ùn|\bŸÎ4—‡ÂG9Öd¦ñáyñ\x14xA1™¾$¾ŸRT\x06@jrÞ¹éño9_‚"
  process: svchost.exe

Drops file in Windows directory (2 IoCs)
  description: File created
  ioc: C:\Windows\apppatch\svchost.exe
  process: 4c16c5a6200165d3cf90a5f645e26ab0N.exe
  description: File opened for modification
  ioc: C:\Windows\apppatch\svchost.exe
  process: 4c16c5a6200165d3cf90a5f645e26ab0N.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: 4c16c5a6200165d3cf90a5f645e26ab0N.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4728  4c16c5a6200165d3cf90a5f645e26ab0N.exe  (8 entries)
  pid 4080  svchost.exe  (56 entries)

Suspicious behavior: RenamesItself (1 IoC)
  pid 4728  4c16c5a6200165d3cf90a5f645e26ab0N.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4728 wrote to memory of 4080
  pid: 4728
  process: 4c16c5a6200165d3cf90a5f645e26ab0N.exe
  procid_target: 85
  (the same entry is recorded 3 times)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\4c16c5a6200165d3cf90a5f645e26ab0N.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\4c16c5a6200165d3cf90a5f645e26ab0N.exe"
     PID: 4728
     - Modifies WinLogon
     - Drops file in Windows directory
     - System Location Discovery: System Language Discovery
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious behavior: RenamesItself
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\apppatch\svchost.exe
        command line: "C:\Windows\apppatch\svchost.exe"
        PID: 4080
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Modifies WinLogon
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads