Analysis
- max time kernel: 17s
- max time network: 19s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/09/2024, 20:33
Static task: static1
Behavioral task: behavioral1
- Sample: Client.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Client.exe
- Resource: win10v2004-20240802-en
General
- Target: Client.exe
- Size: 547KB
- MD5: b87946891aa5a79edc4346f9ca654b9e
- SHA1: e28cd91dea39a78b05aa9886dd1972956f9b85e7
- SHA256: ec4d601c78d79d40972f3e172344d9f32eadd3fe902cc55d6f297f32a40bf3c6
- SHA512: f7054d2a8aa4d4d2a20d15f30690474976e25a238a4bac5b1444c01d38d11bd8e763d53d61173e3f5b792b60b5422b941e59d07ce19e7292e407f696854f234e
- SSDEEP: 12288:UUJ9gdCrpfmRCbXNS46o7ik1JyMcbhMi07P:UvCrpfuCbNCyHZV
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Program Files\\Java\\Client.exe" | Client.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regediter = "C:\\Users\\Admin\\AppData\\Local\\Sub\\WatchDog.exe" | Client.exe
- Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Java | Client.exe
  File created | C:\Program Files\Java\Client.exe | Client.exe
  File opened for modification | C:\Program Files\Java\Client.exe | Client.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4588 | schtasks.exe
  2604 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  4544 | taskmgr.exe (8 occurrences)
  4456 | Client.exe (6 occurrences)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4456 | Client.exe
  Token: SeDebugPrivilege | 4544 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4544 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4544 | taskmgr.exe
  Token: 33 | 4544 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 4544 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (34 IoCs)
  pid | Process
  4544 | taskmgr.exe (34 occurrences)
- Suspicious use of SendNotifyMessage (34 IoCs)
  pid | Process
  4544 | taskmgr.exe (34 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 4456 wrote to memory of 4928 | 4456 | Client.exe | 96
  PID 4456 wrote to memory of 4928 | 4456 | Client.exe | 96
  PID 4928 wrote to memory of 4588 | 4928 | CMD.exe | 98
  PID 4928 wrote to memory of 4588 | 4928 | CMD.exe | 98
  PID 4456 wrote to memory of 1032 | 4456 | Client.exe | 99
  PID 4456 wrote to memory of 1032 | 4456 | Client.exe | 99
  PID 1032 wrote to memory of 2604 | 1032 | CMD.exe | 101
  PID 1032 wrote to memory of 2604 | 1032 | CMD.exe | 101
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Client.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  PID: 4456
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\CMD.exe (depth 2)
    Command line: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Java Updater" /tr "C:\Program Files\Java\Client.exe" & exit
    PID: 4928
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (depth 3)
      Command line: SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Java Updater" /tr "C:\Program Files\Java\Client.exe"
      PID: 4588
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SYSTEM32\CMD.exe (depth 2)
    Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "JavaTaskmgr" /tr "C:\Program Files\Java\Client.exe" /RL HIGHEST & exit
    PID: 1032
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (depth 3)
      Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "JavaTaskmgr" /tr "C:\Program Files\Java\Client.exe" /RL HIGHEST
      PID: 2604
      - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\taskmgr.exe (depth 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /7
  PID: 4544
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)