Analysis
  max time kernel: 119s
  max time network: 81s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 06/09/2024, 19:12
Static task: static1
Behavioral task: behavioral1
  Sample: 563a35fcff50eeafb0754eca254a9050N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 563a35fcff50eeafb0754eca254a9050N.exe
  Resource: win10v2004-20240802-en
General
  Target: 563a35fcff50eeafb0754eca254a9050N.exe
  Size: 348KB
  MD5: 563a35fcff50eeafb0754eca254a9050
  SHA1: 5f08aa965edce4215884cca8f9ae1a95dbcddd0b
  SHA256: e0b0b1e77150b120f147fe696162507cfe4fb9f4e13734d66cef457a1a2724bd
  SHA512: 49b240b7de9936f0eae3e9250fc06609969039ad7e736b6a78f3f3ab55b65f78b1b2117f39c3b3cd99c46b5a67c572a5fd8ac4aa7a1d4c13d2406034acfebb78
  SSDEEP: 6144:EbpFMByWEhy9vBpHLnU+r/f79MzNtukvSodidiHlFE:E9y2hqbLnZr/5MJt5qZi/E
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation  (process: 563a35fcff50eeafb0754eca254a9050N.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent5 = "rundll32.exe shell32.dll, ShellExec_RunDLL C:\\PROGRA~3\\2H0BFJ~1.EXE"  (process: backgroundTaskHost.exe)

Checks for any installed AV software in registry (1 TTP, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Software\WOW6432Node\Avira  (process: backgroundTaskHost.exe)
  Key opened: \REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast  (process: backgroundTaskHost.exe)
  Key opened: \REGISTRY\MACHINE\Software\WOW6432Node\Eset\Nod  (process: backgroundTaskHost.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 212 (563a35fcff50eeafb0754eca254a9050N.exe) set thread context of PID 4712  (procid_target 95)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  PID 3976 WerFault.exe, target PID 212  (procid_target 85)
  PID 2380 WerFault.exe, target PID 212  (procid_target 85)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: backgroundTaskHost.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: attrib.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 563a35fcff50eeafb0754eca254a9050N.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 212 563a35fcff50eeafb0754eca254a9050N.exe  (repeated entries)
  PID 4712 backgroundTaskHost.exe  (repeated entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  PID 212 563a35fcff50eeafb0754eca254a9050N.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 212 (563a35fcff50eeafb0754eca254a9050N.exe) wrote to memory of PID 4712  (procid_target 95), 11 entries
  PID 212 (563a35fcff50eeafb0754eca254a9050N.exe) wrote to memory of PID 2492  (procid_target 98), 3 entries
  PID 2492 (cmd.exe) wrote to memory of PID 4172  (procid_target 103), 3 entries

Views/modifies file attributes (1 TTP, 1 IoC)
  PID 4172 attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\563a35fcff50eeafb0754eca254a9050N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\563a35fcff50eeafb0754eca254a9050N.exe"
  PID: 212
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\backgroundTaskHost.exe
      command line: "backgroundTaskHost.exe"
      PID: 4712
      - Adds Run key to start application
      - Checks for any installed AV software in registry
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\gbw6C40.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\563a35fcff50eeafb0754eca254a9050N.exe""
      PID: 2492
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\attrib.exe
          command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\563a35fcff50eeafb0754eca254a9050N.exe"
          PID: 4172
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1732
      PID: 3976
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1236
      PID: 2380
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 212 -ip 212
  PID: 3400

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 212 -ip 212
  PID: 4240
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
  Defense Evasion
    Hide Artifacts (1)
      Hidden Files and Directories (1)
    Modify Registry (1)
Downloads