Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/09/2024, 00:22

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: d0f7e1b5196772528ce410b695e2daa0N.exe
  - Resource: win7-20240903-en

General
- Target: d0f7e1b5196772528ce410b695e2daa0N.exe
- Size: 133KB
- MD5: d0f7e1b5196772528ce410b695e2daa0
- SHA1: 80380bfc187b7327a99a605a44fc1d4a12984782
- SHA256: 74be29a741738584dee133775ca5113c9e5a47ae604c1532e27b66890006cd05
- SHA512: dcb0687ceaef8d757c3c0217b97337aea9b725b1f1531e3dd216d76e16aabbaaf9bc0f681968645c85cf0ed29fde0a5139f668b82d1fd4139c62f732d2af49f9
- SSDEEP: 3072:sEboFVlGAvwsgbpvYfMTc72L10fPsout6nnn:rBzsgbpvnTcyOPsoS6nnn
Malware Config
Signatures

Deletes itself (1 IoC)
- PID 2784: svchost.exe

Executes dropped EXE (1 IoC)
- PID 1452: KVEIF.jpg

Loads dropped DLL (4 IoCs)
- PID 3196: d0f7e1b5196772528ce410b695e2daa0N.exe
- PID 2784: svchost.exe
- PID 1452: KVEIF.jpg
- PID 4272: svchost.exe

Memory dumps matching yara_rule upx (behavioral2)
- PID 3196: 0x00000000022C0000-0x0000000002315000 (memory.dmp, matched repeatedly across dump indices 2 through 33)
- PID 2784: 0x00000000029E0000-0x0000000002A35000 (memory.dmp, matched repeatedly across dump indices 103 through 130)

Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\kernel64.dll (process: d0f7e1b5196772528ce410b695e2daa0N.exe)
- File opened for modification: C:\Windows\SysWOW64\kernel64.dll (process: d0f7e1b5196772528ce410b695e2daa0N.exe)

Suspicious use of SetThreadContext (2 IoCs)
- PID 3196 (d0f7e1b5196772528ce410b695e2daa0N.exe) set thread context of PID 2784 (procid_target 85)
- PID 1452 (KVEIF.jpg) set thread context of PID 4272 (procid_target 89)

Drops file in Program Files directory (23 IoCs)
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\FKC.WYA (process: KVEIF.jpg)
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\FKC.WYA (process: svchost.exe)
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\KVEIF.jpg (process: svchost.exe)
- File opened for modification: C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg (process: svchost.exe)
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\KVEIF.jpg (process: d0f7e1b5196772528ce410b695e2daa0N.exe)
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\FKC.WYA (process: svchost.exe)
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\KVEIF.jpg (process: svchost.exe)
- File opened for modification: C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg (process: svchost.exe)
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\KVEIFs5.ini (process: svchost.exe)
- File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\KVEIFmain.ini (process: d0f7e1b5196772528ce410b695e2daa0N.exe)
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\KVEIFmain.ini (process: d0f7e1b5196772528ce410b695e2daa0N.exe)
- File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\FKC.WYA (process: d0f7e1b5196772528ce410b695e2daa0N.exe)
- File created: C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg (process: svchost.exe)
- File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\$$.tmp (process: svchost.exe)
- File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\KVEIF.jpg (process: d0f7e1b5196772528ce410b695e2daa0N.exe)
- File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\KVEIFs1.ini (process: svchost.exe)
- File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\1D11C18123.IMD (process: svchost.exe)
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\1D11C18123.IMD (process: svchost.exe)
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\KVEIFs5.ini (process: KVEIF.jpg)
- File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\ok.txt (process: d0f7e1b5196772528ce410b695e2daa0N.exe)
- File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\KVEIFss1.ini (process: d0f7e1b5196772528ce410b695e2daa0N.exe)
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\1D11C18123.IMD (process: KVEIF.jpg)
- File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\KVEIFs5.ini (process: svchost.exe)

Drops file in Windows directory (2 IoCs)
- File opened for modification: C:\Windows\web\606C646364636479.tmp (process: d0f7e1b5196772528ce410b695e2daa0N.exe)
- File created: C:\Windows\web\606C646364636479.tmp (process: d0f7e1b5196772528ce410b695e2daa0N.exe)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d0f7e1b5196772528ce410b695e2daa0N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: KVEIF.jpg)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchost.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 logged entries are repeats of these three processes:
- PID 3196: d0f7e1b5196772528ce410b695e2daa0N.exe
- PID 2784: svchost.exe
- PID 1452: KVEIF.jpg

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2784: svchost.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
The 64 logged entries are repeats of Token: SeDebugPrivilege for these four processes:
- PID 3196: d0f7e1b5196772528ce410b695e2daa0N.exe
- PID 2784: svchost.exe
- PID 1452: KVEIF.jpg
- PID 4272: svchost.exe

Suspicious use of WriteProcessMemory (13 IoCs)
- PID 3196 (d0f7e1b5196772528ce410b695e2daa0N.exe) wrote to memory of PID 2784 (procid_target 85), logged 5 times
- PID 3680 (cmd.exe) wrote to memory of PID 1452 (procid_target 88), logged 3 times
- PID 1452 (KVEIF.jpg) wrote to memory of PID 4272 (procid_target 89), logged 5 times
Processes

- C:\Users\Admin\AppData\Local\Temp\d0f7e1b5196772528ce410b695e2daa0N.exe (PID 3196, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0f7e1b5196772528ce410b695e2daa0N.exe"
  Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of SetThreadContext; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 2784, depth 2)
    Command line: C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304230395D474A422F565840 0
    Signatures: Deletes itself; Loads dropped DLL; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\cmd.exe (PID 3680, depth 1)
  Command line: cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304230395D474A422F565840
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg (PID 1452, depth 2)
    Command line: "C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304230395D474A422F565840
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 4272, depth 3)
      Command line: C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304230395D474A422F565840 0
      Signatures: Loads dropped DLL; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads