Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/08/2024, 09:19
Static task: static1
Behavioral task: behavioral1
- Sample: 422cb26a147b61b4c0c35b605cfdeb70N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 422cb26a147b61b4c0c35b605cfdeb70N.exe
- Resource: win10v2004-20240802-en
General
- Target: 422cb26a147b61b4c0c35b605cfdeb70N.exe
- Size: 211KB
- MD5: 422cb26a147b61b4c0c35b605cfdeb70
- SHA1: c3e2bb8274bab51c49a90f997151d1678a8fe1c9
- SHA256: b9761fe14ffb685403f490608933c0a1d0756b31f21821f50f09d10b76cf161e
- SHA512: 075cb8271428a4b58038102c50d67e2b286b24c5af6fa3b4997cb3c8448e17ba17d053aac382e602ace4555af6ae04d407c489b3f0cec065c959eab6626fbc57
- SSDEEP: 6144:EmKVGe1XIpQiU/ma3MB8hH2Tkp6bYnWcZVol0N5TzQ3:+71YpQiU/RcO1VQInVob
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid  Process
  912  svchost.exe
- Modifies WinLogon (2 TTPs, 1 IoC)
  description  ioc  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\1ed2149f = "C:\\Windows\\apppatch\\svchost.exe"  422cb26a147b61b4c0c35b605cfdeb70N.exe
- Drops file in Program Files directory (14 IoCs)
  description  ioc  Process
  File created  C:\Program Files (x86)\Windows Defender\vocyzit.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\pupycag.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\galynuh.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\lygyvuj.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\lymyxid.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\qetyfuv.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\gahyqah.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\qetyhyg.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\vonypom.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\pupydeq.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\qexyhuv.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\galyqaz.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\gadyciz.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\gahyhiz.com  svchost.exe
- Drops file in Windows directory (2 IoCs)
  description  ioc  Process
  File created  C:\Windows\apppatch\svchost.exe  422cb26a147b61b4c0c35b605cfdeb70N.exe
  File opened for modification  C:\Windows\apppatch\svchost.exe  422cb26a147b61b4c0c35b605cfdeb70N.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  422cb26a147b61b4c0c35b605cfdeb70N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
- Modifies registry class (1 IoC)
  description  ioc  Process
  Key created  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\MuiCache  svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  Process
  912  svchost.exe  (the same entry, repeated 64 times)
- Suspicious behavior: RenamesItself (1 IoC)
  pid  Process
  2192  422cb26a147b61b4c0c35b605cfdeb70N.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description  pid  Process
  Token: SeSecurityPrivilege  2192  422cb26a147b61b4c0c35b605cfdeb70N.exe
  Token: SeSecurityPrivilege  2192  422cb26a147b61b4c0c35b605cfdeb70N.exe
  Token: SeSecurityPrivilege  912  svchost.exe
  Token: SeSecurityPrivilege  912  svchost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description  pid  Process  procid_target
  PID 2192 wrote to memory of 912  2192  422cb26a147b61b4c0c35b605cfdeb70N.exe  85
  PID 2192 wrote to memory of 912  2192  422cb26a147b61b4c0c35b605cfdeb70N.exe  85
  PID 2192 wrote to memory of 912  2192  422cb26a147b61b4c0c35b605cfdeb70N.exe  85
Processes
- C:\Users\Admin\AppData\Local\Temp\422cb26a147b61b4c0c35b605cfdeb70N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\422cb26a147b61b4c0c35b605cfdeb70N.exe"
  PID: 2192
  - Modifies WinLogon
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\apppatch\svchost.exe
    Command line: "C:\Windows\apppatch\svchost.exe"
    PID: 912
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 168B
  MD5: d57e3a550060f85d44a175139ea23021
  SHA1: 2c5cb3428a322c9709a34d04dd86fe7628f8f0a6
  SHA256: 43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c
  SHA512: 0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063
- Filesize: 211KB
  MD5: 2804450954f848a62870ba780cf35611
  SHA1: 55af05cc9e58cb2fd5bb8e6be066b3858b9399d0
  SHA256: 65ed7b766519a034022826331dd2cb138f5a38307146f76f530a030cf407c3fd
  SHA512: a1d0f60d023a22685b18b57c203376a917c9b866028563cc59c36c55d35805121de508f4c4c792c069c5944e4f95e9ba208b5e060f21e3673095a8f1d8258396