Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
109s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02/09/2024, 09:53
Static task
static1
Behavioral task
behavioral1
Sample
RobloxScreenShot20240816_143121489.png
Resource
win10v2004-20240802-en
Errors
General
-
Target
RobloxScreenShot20240816_143121489.png
-
Size
767KB
-
MD5
34e193a8213126c80788e468e60d491a
-
SHA1
3c2cef83427a0ae53c7928f4a51a4b740aaed246
-
SHA256
99768802974637b8f9aa0abc825fe2f8b3fb42a2be83c203cd16e2d27f92e828
-
SHA512
21f15bb505a10f7df209a8de86de818c726081bae4e734786e9a5a48e8c59070edb7536a7c66b8f69a30df4d119a1e9dcaf2ec0a5778bee0bac4764c9d9c254f
-
SSDEEP
12288:TAydlJqixZJt2I912L1Bb0wUijRjkb4AMCT1ZxE7VuiVFDIzEd8y1STVv:r5ZJtB9125Bb2eeXMuHE7Vu+/d8yMv
Malware Config
Signatures
-
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "66" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{17479868-F120-4143-842C-ACC81AF097E3} svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 1424 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1424 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe -
Suspicious use of SendNotifyMessage 20 IoCs
pid Process 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 1272 osk.exe 4472 LogonUI.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\RobloxScreenShot20240816_143121489.png1⤵PID:112
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4404,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:81⤵PID:2712
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:2724
-
C:\Windows\system32\osk.exe"C:\Windows\system32\osk.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1272
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2b4 0x3381⤵
- Suspicious use of AdjustPrivilegeToken
PID:1424
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3922055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4472
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
190B
MD5b0d27eaec71f1cd73b015f5ceeb15f9d
SHA162264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA25686d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA5127b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c