Site notice: Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/09/2024, 17:55
Static task: static1
Behavioral task: behavioral1
- Sample: cbeb96fb1e02d1f50a6d5319ec6eb460N.exe
- Resource: win7-20240903-en
Note: the behavioral task listed here names the Windows 7 resource, while the analysis metadata above and the memory-dump paths in the signatures (behavioral2/memory/...) belong to the Windows 10 (win10v2004-20240802-en) run whose results this page shows.
General
- Target: cbeb96fb1e02d1f50a6d5319ec6eb460N.exe
- Size: 284KB
- MD5: cbeb96fb1e02d1f50a6d5319ec6eb460
- SHA1: d8e56d7321936f1b8aae77bb66ef16751f421dd7
- SHA256: 1aa212eb78cdffde7c302f586ce3d2849d79914f428f56988ee759c790604bb5
- SHA512: be390a0e77480840d337b5417492eac468c43bb1c31a55e5051505c7c0315e8d1bbcd9b2163077d6a0b79393219b82159ed96cdae59354b48a5a0a9ba2c8ddbe
- SSDEEP: 6144:PtqYGLbcMQgKO3HTOnNRS4O23Ra/MzxDnunDbu:Ptqx5KO3zONkpwRGMNDEO
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\JavaRE\\Update.exe" (process: cbeb96fb1e02d1f50a6d5319ec6eb460N.exe)
  UserInit is a comma-separated list whose Windows default is userinit.exe alone; the appended C:\JavaRE\Update.exe is started by winlogon.exe at every interactive logon, independently of the Run key below.

Sets file to hidden (1 TTP, 1 IoC)
Modifies file attributes to stop it showing in Explorer etc.
- PID 3996 attrib.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation (process: cbeb96fb1e02d1f50a6d5319ec6eb460N.exe)

Executes dropped EXE (2 IoCs)
- PID 3548 Update.exe
- PID 2608 Update.exe

YARA rule match: upx (26 IoCs)
- Rule upx matched the mapped image 0x0000000000400000-0x00000000004B9000 in PID 396 (memory dumps behavioral2/memory/396-{3,4,5,6,7,8,71}-0x0000000000400000-0x00000000004B9000-memory.dmp)
- Rule upx matched the same range in PID 2608 (memory dumps behavioral2/memory/2608-{76..86,89..96}-0x0000000000400000-0x00000000004B9000-memory.dmp)
  The matched range is about 740 KB, well above the 284 KB file on disk, which is what an unpacked UPX image looks like in memory. Both processes are the SetThreadContext targets listed below, so these dumps are the ones to carve and analyse rather than the file on disk.

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "C:\\JavaRE\\Update.exe" (process: cbeb96fb1e02d1f50a6d5319ec6eb460N.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "C:\\JavaRE\\Update.exe" (process: Update.exe)

Suspicious use of SetThreadContext (2 IoCs)
- PID 1048 set thread context of 396 (cbeb96fb1e02d1f50a6d5319ec6eb460N.exe, procid_target 91)
- PID 3548 set thread context of 2608 (Update.exe, procid_target 100)
  In both cases the target is a freshly launched copy of the caller's own image (see the process tree): the shape of process hollowing / self-injection. The dumps of PIDs 396 and 2608 hold the code that actually runs.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe (2), Update.exe (2), cbeb96fb1e02d1f50a6d5319ec6eb460N.exe (2), PING.EXE (1), attrib.exe (1)
  Every process in the tree, ping and attrib included, opens this key; it is read during normal process start-up, so this signature carries little signal on its own. The Geo\Nation query above is the deliberate location check.

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
- PID 2340 cmd.exe
- PID 680 PING.EXE
  Here ping 127.0.0.1 -n 5 is not a connectivity check: it is a roughly four-second sleep before del removes the original sample (see the cmd.exe command line in the process tree).

Modifies registry class (1 IoC)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: cbeb96fb1e02d1f50a6d5319ec6eb460N.exe)

Runs ping.exe (1 TTP, 1 IoC)
- PID 680 PING.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2608 Update.exe
  Repeated polling of the foreground window from the final stage, the pattern used for active-window tracking.

Suspicious use of AdjustPrivilegeToken (48 IoCs)
- PID 396 cbeb96fb1e02d1f50a6d5319ec6eb460N.exe and PID 2608 Update.exe each requested the same 24 privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges with LUIDs 33, 34, 35 and 36 (not resolved to names by the sandbox).
  Requesting the whole set at once, rather than one privilege before a specific call, is the behaviour of a routine that enables every privilege the token holds. The log records the requests, not their outcome: AdjustTokenPrivileges silently leaves unheld privileges disabled (ERROR_NOT_ALL_ASSIGNED), so admin-only entries such as SeDebugPrivilege and SeLoadDriverPrivilege only take effect on an elevated token like the sandbox's C:\Users\Admin account.

Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 1048 cbeb96fb1e02d1f50a6d5319ec6eb460N.exe
- PID 3548 Update.exe
- PID 2608 Update.exe

Suspicious use of WriteProcessMemory (31 IoCs)
- PID 1048 wrote to memory of 396, 8 times (cbeb96fb1e02d1f50a6d5319ec6eb460N.exe, procid_target 91)
- PID 396 wrote to memory of 2072, 3 times (cbeb96fb1e02d1f50a6d5319ec6eb460N.exe, procid_target 93)
- PID 2072 wrote to memory of 3996, 3 times (cmd.exe, procid_target 96)
- PID 396 wrote to memory of 3548, 3 times (cbeb96fb1e02d1f50a6d5319ec6eb460N.exe, procid_target 97)
- PID 396 wrote to memory of 2340, 3 times (cbeb96fb1e02d1f50a6d5319ec6eb460N.exe, procid_target 98)
- PID 3548 wrote to memory of 2608, 8 times (Update.exe, procid_target 100)
- PID 2340 wrote to memory of 680, 3 times (cmd.exe, procid_target 101)
  Every ordinary child launch shows three writes; the two same-image children (1048 -> 396 and 3548 -> 2608) show eight and are also the two SetThreadContext targets.

Views/modifies file attributes (1 TTP, 1 IoC)
- PID 3996 attrib.exe
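As an added example (not part of the tria.ge report), a Python check that applies the two persistence findings above to registry writes. It takes (key path, string value) pairs in the form the report lists them, treats any UserInit or Shell entry beyond the Windows default as a Winlogon helper, and flags Run-key commands whose executable lives outside the standard install roots. The input list is constructed from this report's IoCs plus one clean default for contrast; the key-path constants, the trusted-root list and the rule names are this example's own assumptions.

```python
"""Autostart checks for the two persistence writes recorded in this report.

Input: (registry key path, string value) pairs as the sandbox lists them.
Output: (technique, value name, offending executable) findings.
"""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]

# Values Windows itself populates under Winlogon; anything else in the
# comma-separated list is a Winlogon helper (T1547.004).
WINLOGON_DEFAULTS = {
    "userinit": {"c:\\windows\\system32\\userinit.exe"},
    "shell": {"explorer.exe"},
}
# Assumption of this example: autostart executables outside these roots
# deserve review (the report's C:\JavaRE\Update.exe is outside all of them).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

WINLOGON_KEY = "\\software\\microsoft\\windows nt\\currentversion\\winlogon\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# First executable on a Run-key command line, quoted or not.
EXE_RE = re.compile(r'^\s*"?(?P<exe>[^"]*?\.exe)\b', re.IGNORECASE)

# Constructed from the IoCs in this report, plus one clean default for contrast.
SAMPLE_WRITES: List[Tuple[str, str]] = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     r"C:\Windows\system32\userinit.exe,C:\JavaRE\Update.exe"),
    (r"\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater",
     r"C:\JavaRE\Update.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     r"C:\Windows\system32\userinit.exe,"),
]


def split_autostart_list(value: str) -> List[str]:
    """Split a comma-separated Winlogon value into normalised, non-empty entries."""
    return [e.strip().strip('"').lower() for e in value.split(",") if e.strip()]


def check_winlogon(value_name: str, value: str) -> List[str]:
    """Entries in UserInit/Shell that are not part of the Windows default."""
    defaults = WINLOGON_DEFAULTS.get(value_name.lower())
    if defaults is None:
        return []
    return [e for e in split_autostart_list(value) if e not in defaults]


def run_entry_executable(value: str) -> Optional[str]:
    """Executable path at the start of a Run-key command line, lower-cased."""
    m = EXE_RE.match(value)
    return m.group("exe").lower() if m else None


def check_run(value: str) -> Optional[str]:
    """Run-key executable outside the trusted roots, or None when it is fine."""
    exe = run_entry_executable(value)
    if exe is None or exe.startswith(TRUSTED_ROOTS):
        return None
    return exe


def audit(writes: List[Tuple[str, str]]) -> List[Finding]:
    """Route each write to the matching check by key path; returns findings in input order."""
    findings: List[Finding] = []
    for key, value in writes:
        k = key.lower()
        name = key.rsplit("\\", 1)[-1]
        if WINLOGON_KEY in k:
            for extra in check_winlogon(name, value):
                findings.append(("T1547.004 Winlogon Helper", name, extra))
        elif RUN_KEY in k:
            exe = check_run(value)
            if exe is not None:
                findings.append(("T1547.001 Run key", name, exe))
    return findings


if __name__ == "__main__":
    for technique, name, exe in audit(SAMPLE_WRITES):
        print(f"{technique}: {name} -> {exe}")
```

The trailing comma in the clean UserInit value is how Windows stores the default, which is why empty entries are dropped before comparison; on a live host the same functions can be fed values read with winreg under HKLM and every loaded user hive.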
Processes

C:\Users\Admin\AppData\Local\Temp\cbeb96fb1e02d1f50a6d5319ec6eb460N.exe (PID 1048)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cbeb96fb1e02d1f50a6d5319ec6eb460N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\cbeb96fb1e02d1f50a6d5319ec6eb460N.exe (PID 396, child of 1048)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cbeb96fb1e02d1f50a6d5319ec6eb460N.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2072, child of 396)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe (PID 3996, child of 2072)
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Sets file to hidden
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes

    C:\JavaRE\Update.exe (PID 3548, child of 396)
      Command line: "C:\JavaRE\Update.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\JavaRE\Update.exe (PID 2608, child of 3548)
        Command line: "C:\JavaRE\Update.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe (PID 2340, child of 396)
      Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\cbeb96fb1e02d1f50a6d5319ec6eb460N.exe"
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE (PID 680, child of 2340)
        Command line: ping 127.0.0.1 -n 5
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4464)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1288,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=3944 /prefetch:8
  No signatures; a separate top-level process, not a child of the sample.

Notes on the tree:
- The command lines name C:\Windows\System32\cmd.exe while the images are under SysWOW64: the sample is 32-bit (arch:x86 above) and WoW64 file-system redirection maps System32 to SysWOW64 for it.
- The original sample runs twice (1048 then 396) and so does the dropped C:\JavaRE\Update.exe (3548 then 2608); in each pair the first instance is the SetThreadContext/WriteProcessMemory caller and the second the target. The persistence, location check and registry writes come from the injected instances (396 and 2608), not from the on-disk code.
- PID 2340's cmd /k ping 127.0.0.1 -n 5 > NUL&del "..." deletes the original sample after a delay; the delay is needed because the file cannot be removed while PID 396 still has it mapped, so it vanishes once 396 exits, leaving only C:\JavaRE\Update.exe and the hidden Temp directory.
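As an added example (not the sandbox's own logic), a Python triage over process-creation events. The event list is constructed from the process tree above (pid, parent pid, image, command line), in the shape Sysmon event 1 or EDR telemetry provides. Four small rules cover the behaviours in this tree: a cmd.exe that sleeps with ping 127.0.0.1 -n N and then deletes the image of the process that spawned it, attrib.exe marking a directory under \Users system+hidden, a process launching a second copy of its own image (the shape of both SetThreadContext pairs), and an executable running from a directory created directly under the drive root. The rule names, the regexes and the STANDARD_ROOT_DIRS set are this example's assumptions.

```python
"""Rule-based triage over process-creation events, run on this report's tree.

Each event carries pid, ppid, image and cmdline, as Sysmon event 1 or EDR
telemetry would.  Rule names, regexes and STANDARD_ROOT_DIRS are assumptions
of this example, not sandbox output.
"""
import re
from typing import Any, Callable, Dict, List, Optional, Tuple

Event = Dict[str, Any]
Finding = Tuple[str, int, str]

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cbeb96fb1e02d1f50a6d5319ec6eb460N.exe"
# Constructed from the process tree in this report.
EVENTS: List[Event] = [
    {"pid": 1048, "ppid": 0,    "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 396,  "ppid": 1048, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2072, "ppid": 396,  "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'},
    {"pid": 3996, "ppid": 2072, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'},
    {"pid": 3548, "ppid": 396,  "image": r"C:\JavaRE\Update.exe", "cmdline": r'"C:\JavaRE\Update.exe"'},
    {"pid": 2608, "ppid": 3548, "image": r"C:\JavaRE\Update.exe", "cmdline": r'"C:\JavaRE\Update.exe"'},
    {"pid": 2340, "ppid": 396,  "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "{SAMPLE}"'},
    {"pid": 680,  "ppid": 2340, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1 -n 5"},
]

# Directories Windows itself creates under the drive root; an executable in
# any other directory at that depth (C:\JavaRE\) is worth a look.
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata"}
# "ping <loopback> -n N ... & del <something.exe>": the ping is a sleep, the del the point.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:127\.0\.0\.1|localhost)\s+-n\s+\d+.*?&\s*del\s+"?(?P<target>[^"&]+?\.exe)"?',
    re.IGNORECASE)
# attrib <path> +x +y ...: captures the path and the attribute flags separately.
ATTRIB_RE = re.compile(r'attrib\s+"?(?P<path>[^"]+?)"?(?P<flags>(?:\s+[+-][a-z])+)\s*$', re.IGNORECASE)


def basename(path: Any) -> str:
    return str(path).rsplit("\\", 1)[-1].lower()


def rule_self_delete(ev: Event, parent: Optional[Event]) -> Optional[str]:
    """cmd.exe sleeping via ping, then deleting the image of the process that spawned it."""
    m = SELF_DELETE_RE.search(str(ev["cmdline"]))
    if m and parent and m.group("target").lower() == str(parent["image"]).lower():
        return "deletes parent image after ping delay: " + m.group("target")
    return None


def rule_hide_user_dir(ev: Event, parent: Optional[Event]) -> Optional[str]:
    """attrib.exe marking a directory under \\Users as hidden and system."""
    if basename(ev["image"]) != "attrib.exe":
        return None
    m = ATTRIB_RE.search(str(ev["cmdline"]))
    if not m:
        return None
    flags = m.group("flags").lower()
    if "+h" in flags and "+s" in flags and "\\users\\" in m.group("path").lower():
        return "hides user directory: " + m.group("path")
    return None


def rule_self_spawn(ev: Event, parent: Optional[Event]) -> Optional[str]:
    """A process launching a second copy of its own image (both SetThreadContext pairs in this report)."""
    if parent and str(parent["image"]).lower() == str(ev["image"]).lower():
        return "child has same image as parent (hollowing candidate)"
    return None


def rule_root_dir_exe(ev: Event, parent: Optional[Event]) -> Optional[str]:
    """Executable living in a non-standard directory directly under the drive root."""
    parts = str(ev["image"]).lower().split("\\")
    if len(parts) == 3 and parts[1] not in STANDARD_ROOT_DIRS and parts[2].endswith(".exe"):
        return "runs from non-standard root directory: " + str(ev["image"])
    return None


RULES: Dict[str, Callable[[Event, Optional[Event]], Optional[str]]] = {
    "T1070.004 self-delete": rule_self_delete,
    "T1564.001 hidden dir": rule_hide_user_dir,
    "self-spawn": rule_self_spawn,
    "dropped exe": rule_root_dir_exe,
}


def triage(events: List[Event]) -> List[Finding]:
    """Run every rule over every event; returns (rule, pid, detail) in event order."""
    by_pid = {int(e["pid"]): e for e in events}
    findings: List[Finding] = []
    for ev in events:
        parent = by_pid.get(int(ev["ppid"]))
        for name, rule in RULES.items():
            detail = rule(ev, parent)
            if detail:
                findings.append((name, int(ev["pid"]), detail))
    return findings


if __name__ == "__main__":
    for name, pid, detail in triage(EVENTS):
        print(f"{name:22} pid {pid:<5} {detail}")
```

The self-delete rule compares the del target against the parent's image rather than any path, which keeps it quiet on installers that clean up their own temp files; the self-spawn rule on its own is noisy (browsers and updaters do it too), so it is meant to be read together with the SetThreadContext and WriteProcessMemory counts in the report.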
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
Defense Evasion
- Hide Artifacts (T1564): 2
  - Hidden Files and Directories (T1564.001): 2
- Modify Registry (T1112): 2
Downloads
- Submitted sample, 284KB (hashes match the General section above)
  MD5: cbeb96fb1e02d1f50a6d5319ec6eb460
  SHA1: d8e56d7321936f1b8aae77bb66ef16751f421dd7
  SHA256: 1aa212eb78cdffde7c302f586ce3d2849d79914f428f56988ee759c790604bb5
  SHA512: be390a0e77480840d337b5417492eac468c43bb1c31a55e5051505c7c0315e8d1bbcd9b2163077d6a0b79393219b82159ed96cdae59354b48a5a0a9ba2c8ddbe