Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/09/2024, 16:13
Static task: static1
Behavioral task: behavioral1
- Sample: tg_proX64.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: tg_proX64.exe
- Resource: win10v2004-20240802-en
General
- Target: tg_proX64.exe
- Size: 70.9MB
- MD5: a15fe81c0d0661a089e2d3d78213d52c
- SHA1: 049d9028f66a46d2f5127c1ce44feac95f6581a7
- SHA256: d51d112f071390cb95010575572bdf3e0ad0a25b6b4bf83b41d6c59086cfedf7
- SHA512: 9bb25d15214ee6d897293bdd8c6e88deb2f8a2d2cf8d74abd4855c56049b09af41016d2d8f827fe072be36e3a1d6e2b19e4b36adc839e3a43e306b688cfcbf47
- SSDEEP: 1572864:T8VnWS8+lvp0kdu8RojQ5qATl2iUUeC/oIH4ecuiAxBtg:T8JyM6XjomiReMoIH4eoga
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description / pid / Process / procid_target:
  - PID 2776 created 872 / 2776 / svcorenos.exe / 104
- Drops file in Drivers directory (4 IoCs)
  description / ioc / Process:
  - File created / C:\Windows\system32\drivers\kernelquick.sys / svcorenos.exe
  - File created / C:\Windows\system32\drivers\kernelquick.sys / svcorenos.exe
  - File created / C:\Windows\system32\drivers\kernelquick.sys / svcorenos.exe
  - File opened for modification / C:\Windows\system32\drivers\kernelquick.sys / svcorenos.exe
- Executes dropped EXE (9 IoCs)
  pid / Process:
  - 2404 / tg_proX64.tmp
  - 2776 / svcorenos.exe
  - 4972 / svcorenos.exe
  - 3872 / svcorenos.exe
  - 4440 / svcorenos.exe
  - 4500 / svcorenos.exe
  - 996 / svcorenos.exe
  - 1244 / svcorenos.exe
  - 3936 / svdocbox.exe
- Loads dropped DLL (13 IoCs)
  pid / Process:
  - 2776 / svcorenos.exe (2 events)
  - 4972 / svcorenos.exe (2 events)
  - 3872 / svcorenos.exe (2 events)
  - 4500 / svcorenos.exe (2 events)
  - 996 / svcorenos.exe (2 events)
  - 1244 / svcorenos.exe (2 events)
  - 3936 / svdocbox.exe (1 event)
- Unexpected DNS network traffic destination (2 IoCs)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  description / ioc:
  - Destination IP / 103.215.78.57
  - Destination IP / 103.215.78.57
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description / ioc / Process:
  - File opened (read-only) by svcorenos.exe: \??\J:, \??\Z:, \??\B:, \??\G:, \??\Y:, \??\P:, \??\T:, \??\U:, \??\W:, \??\X:, \??\I:, \??\M:, \??\O:, \??\L:, \??\N:, \??\Q:, \??\R:, \??\S:, \??\E:, \??\H:, \??\K:, \??\V:
- Drops file in Windows directory (10 IoCs)
  description / ioc / Process:
  - File created / C:\Windows\svcorenos\app-0.82.1\zlibwapi.dll / svcorenos.exe
  - File created / C:\Windows\svcorenos\app-0.82.1\libcurl.dll / svcorenos.exe
  - File opened for modification / C:\Windows\svcorenos\app-0.82.1\libcurl.dll / svcorenos.exe
  - File opened for modification / C:\Windows\svcorenos\app-0.82.1\zlibwapi.dll / svcorenos.exe
  - File created / C:\Windows\svcorenos\svcorenos.exe / svcorenos.exe
  - File opened for modification / C:\Windows\svcorenos\svcorenos.exe / svcorenos.exe
  - File created / C:\Windows\svcorenos\app-0.82.1\svcorenos.exe / svcorenos.exe
  - File opened for modification / C:\Windows\svcorenos\app-0.82.1\svcorenos.exe / svcorenos.exe
  - File created / C:\Windows\svcorenos\app-0.82.1\checkUpdater.cfg / svcorenos.exe
  - File opened for modification / C:\Windows\svcorenos\app-0.82.1\checkUpdater.cfg / svcorenos.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / tg_proX64.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / tg_proX64.tmp
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / svcorenos.exe
- Modifies data under HKEY_USERS (4 IoCs)
  description / ioc / Process:
  - Key created / \REGISTRY\USER\.DEFAULT\Software\3272b228006e\a7349afe5b7 / svcorenos.exe
  - Key created / \REGISTRY\USER\.DEFAULT\Software / svcorenos.exe
  - Key created / \REGISTRY\USER\.DEFAULT\Software\3272b228006e / svcorenos.exe
  - Set value (int) / \REGISTRY\USER\.DEFAULT\Software\3272b228006e\a7349afe5b7\592d10fa830fcd45891e3c1 = "1" / svcorenos.exe
- Suspicious behavior: EnumeratesProcesses (51 IoCs)
  pid / Process:
  - 2404 / tg_proX64.tmp (2 events)
  - 3872 / svcorenos.exe (14 events)
  - 4500 / svcorenos.exe (21 events)
  - 996 / svcorenos.exe (14 events)
- Suspicious behavior: LoadsDriver (1 IoC)
  pid / Process:
  - 660 / Process not Found
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid / Process:
  - 2404 / tg_proX64.tmp
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process:
  - 996 / svcorenos.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description / pid / Process / procid_target:
  - PID 4904 wrote to memory of 2404 / 4904 / tg_proX64.exe / 89 (3 events)
  - PID 2404 wrote to memory of 2776 / 2404 / tg_proX64.tmp / 102 (2 events)
  - PID 2776 wrote to memory of 4972 / 2776 / svcorenos.exe / 105 (2 events)
  - PID 4712 wrote to memory of 3872 / 4712 / cmd.exe / 107 (2 events)
  - PID 4440 wrote to memory of 4500 / 4440 / svcorenos.exe / 109 (2 events)
  - PID 4500 wrote to memory of 996 / 4500 / svcorenos.exe / 110 (2 events)
  - PID 3872 wrote to memory of 1244 / 3872 / svcorenos.exe / 111 (2 events)
  - PID 996 wrote to memory of 3936 / 996 / svcorenos.exe / 112 (2 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\tg_proX64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tg_proX64.exe"
  PID: 4904
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\is-KC8KJ.tmp\tg_proX64.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-KC8KJ.tmp\tg_proX64.tmp" /SL5="$C01BE,73296718,797696,C:\Users\Admin\AppData\Local\Temp\tg_proX64.exe"
    PID: 2404
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe
      Command line: "C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe"
      PID: 2776
      Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\system32\newdev.exe
        Command line: C:\Windows\system32\newdev.exe
        PID: 32
      - C:\Windows\system32\computerdefaults.exe
        Command line: C:\Windows\system32\computerdefaults.exe
        PID: 872
        Child processes:
        - C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe
          Command line: C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe bf96c055b 2776 "C:\Users\Admin\AppData\Local\Programs\TGprozhver\"
          PID: 4972
          Signatures: Executes dropped EXE; Loads dropped DLL
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=3032 /prefetch:8
  PID: 2324
- C:\Windows\system32\cmd.exe
  Command line: cmd /c start "" "C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe" "184c8a2bf6" 4972 "C:\Users\Admin\AppData\Local\Programs\TGprozhver\"
  PID: 4712
  Signatures: Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe
    Command line: "C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe" "184c8a2bf6" 4972 "C:\Users\Admin\AppData\Local\Programs\TGprozhver\"
    PID: 3872
    Signatures: Drops file in Drivers directory; Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\svcorenos\app-0.82.1\svcorenos.exe
      Command line: C:\Windows\svcorenos\app-0.82.1\svcorenos.exe 6cd6db2a6 4972 "C:\Users\Admin\AppData\Local\Programs\TGprozhver\"
      PID: 1244
      Signatures: Executes dropped EXE; Loads dropped DLL
- C:\Windows\svcorenos\svcorenos.exe
  Command line: "C:\Windows\svcorenos\svcorenos.exe"
  PID: 4440
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\svcorenos\app-0.82.1\svcorenos.exe
    Command line: "C:\Windows\svcorenos\app-0.82.1\svcorenos.exe"
    PID: 4500
    Signatures: Drops file in Drivers directory; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\svcorenos\app-0.82.1\svcorenos.exe
      Command line: "C:\Windows\svcorenos\app-0.82.1\svcorenos.exe" "cf673c40a9"
      PID: 996
      Signatures: Drops file in Drivers directory; Executes dropped EXE; Loads dropped DLL; Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Users\Admin\AppData\Local\Temp\svdocbox.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\svdocbox.exe
        PID: 3936
        Signatures: Executes dropped EXE; Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads