Analysis
max time kernel: 119s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20240910-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/09/2024, 18:00
Static task: static1
Behavioral task: behavioral1
Sample: b042426e8a30b6ecf6e44f2b21138560N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: b042426e8a30b6ecf6e44f2b21138560N.exe
Resource: win10v2004-20240910-en
General
Target: b042426e8a30b6ecf6e44f2b21138560N.exe
Size: 82KB
MD5: b042426e8a30b6ecf6e44f2b21138560
SHA1: 99f9e5a21b4719cb9b4627897d398fe083e8cade
SHA256: be58a027ae8df7933a92acd5190c1e2775c3e4137e126fd1456b01c0b4a6f069
SHA512: dc86c047cd17d27832cdbf2ded7f65fa93047622d9b87ace822fd9d5dc2586aed086f1b67f23708d4336b955df9d87b42eb52dfe4682432d3b8730a98cfca4e5
SSDEEP: 1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOzr9/q9:GhfxHNIreQm+Hi8r9/q9
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid | Process
1420 | rundll32.exe
Modifies system executable filetype association (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | rundll32.exe
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | b042426e8a30b6ecf6e44f2b21138560N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | b042426e8a30b6ecf6e44f2b21138560N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | b042426e8a30b6ecf6e44f2b21138560N.exe
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | rundll32.exe
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\¢«.exe | b042426e8a30b6ecf6e44f2b21138560N.exe
File created | C:\Windows\SysWOW64\¢«.exe | b042426e8a30b6ecf6e44f2b21138560N.exe
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | b042426e8a30b6ecf6e44f2b21138560N.exe
File created | C:\Windows\SysWOW64\notepad¢¬.exe | b042426e8a30b6ecf6e44f2b21138560N.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system\rundll32.exe | b042426e8a30b6ecf6e44f2b21138560N.exe
File created | C:\Windows\system\rundll32.exe | b042426e8a30b6ecf6e44f2b21138560N.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b042426e8a30b6ecf6e44f2b21138560N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Modifies registry class (15 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | b042426e8a30b6ecf6e44f2b21138560N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1726336811" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | b042426e8a30b6ecf6e44f2b21138560N.exe
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | b042426e8a30b6ecf6e44f2b21138560N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | b042426e8a30b6ecf6e44f2b21138560N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | b042426e8a30b6ecf6e44f2b21138560N.exe
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | rundll32.exe
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | rundll32.exe
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | b042426e8a30b6ecf6e44f2b21138560N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | b042426e8a30b6ecf6e44f2b21138560N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1726336811" | rundll32.exe
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | rundll32.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
pid | Process
3240 | b042426e8a30b6ecf6e44f2b21138560N.exe (28 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1420 | rundll32.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
3240 | b042426e8a30b6ecf6e44f2b21138560N.exe
1420 | rundll32.exe
1420 | rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3240 wrote to memory of 1420 | 3240 | b042426e8a30b6ecf6e44f2b21138560N.exe | 86
PID 3240 wrote to memory of 1420 | 3240 | b042426e8a30b6ecf6e44f2b21138560N.exe | 86
PID 3240 wrote to memory of 1420 | 3240 | b042426e8a30b6ecf6e44f2b21138560N.exe | 86
Processes

C:\Users\Admin\AppData\Local\Temp\b042426e8a30b6ecf6e44f2b21138560N.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\b042426e8a30b6ecf6e44f2b21138560N.exe"
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3240

  C:\Windows\system\rundll32.exe (level 2)
  Command line: C:\Windows\system\rundll32.exe
  - Executes dropped EXE
  - Modifies system executable filetype association
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID: 1420
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 83KB
MD5: 104659bee46bf00cdcab2f9040decb73
SHA1: 2f1160336c42bc2d8ec0802c4acdfe7c0a8b26ad
SHA256: 651abf6b3dc706c2fbb024820a490aedc51c99e9c5b1873b3ecefa772a446474
SHA512: b0a9a0de9d7741c748b30716011f297b19af690033712682bd92def23083700d2cc8e25768c37bc688f38fbe6b4da11c9534b8160b63048ecfd3640c7d41c008

Filesize: 78KB
MD5: 00cc93cfd2d4bc8cb6e421a437e390c6
SHA1: 069bfd09b683ab680ed7d5a06f86d31a02df0291
SHA256: 39874567613463d60bb7182ddc6661deeb4233cbcd9e9ef7f1ad661318cd5433
SHA512: 87e49ab597e4698ec704e0666f378453eb155e0e6b19335ae61d815d0b825e43508ba25653d8751fbe27e75465176682c8dba4add559d0aeb4be5385bcddf7b6