Analysis
- max time kernel: 94s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/09/2024, 11:23
Static task
- static1
Behavioral task
- behavioral1
  - Sample: ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe
  - Resource: win7-20240903-en
Behavioral task
- behavioral2
  - Sample: ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe
  - Resource: win10v2004-20240802-en
General
- Target: ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe
- Size: 1.0MB
- MD5: 9d768567d44193f17d840bcb4e4fa340
- SHA1: c9ec0494e9d5e8baf2eee2fa4edb82b6de314486
- SHA256: ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cf
- SHA512: 7368c3273678f6b48eff356cc369152d688011770cb98faecca9a8e3c9eeecdf403393b1ea2e776296609febd01cdc9d99515c0544dd186176a791930ad403a0
- SSDEEP: 24576:W/GRzatThRiVNbLGJv6plFh9iGa2oMYMgdsHG:F8TjFJspDLoVMgdk
Malware Config
Signatures

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | @AE852E.tmp.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | WdExt.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | module_launcher.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | kb50145.exe |

Executes dropped EXE (6 IoCs)

| pid | Process |
| --- | --- |
| 3916 | @AE852E.tmp.exe |
| 2124 | ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe |
| 1092 | WdExt.exe |
| 4536 | module_launcher.exe |
| 2748 | kb50145.exe |
| 3720 | injector_s.exe |

Loads dropped DLL (2 IoCs)

| pid | Process |
| --- | --- |
| 3916 | @AE852E.tmp.exe |
| 1092 | WdExt.exe |

Adds Run key to start application (2 TTPs, 1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Admin\\module_launcher.exe\"" | module_launcher.exe |

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | injector_s.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | @AE852E.tmp.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WdExt.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | module_launcher.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kb50145.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
Suspicious behavior: EnumeratesProcesses (14 IoCs)

| pid | Process |
| --- | --- |
| 3916 | @AE852E.tmp.exe |
| 3916 | @AE852E.tmp.exe |
| 1092 | WdExt.exe |
| 1092 | WdExt.exe |
| 4536 | module_launcher.exe |
| 4536 | module_launcher.exe |
| 4536 | module_launcher.exe |
| 4536 | module_launcher.exe |
| 4536 | module_launcher.exe |
| 4536 | module_launcher.exe |
| 4536 | module_launcher.exe |
| 4536 | module_launcher.exe |
| 3720 | injector_s.exe |
| 3720 | injector_s.exe |

Suspicious use of AdjustPrivilegeToken (1 IoC)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 3720 | injector_s.exe |

Suspicious use of WriteProcessMemory (39 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1784 wrote to memory of 3676 | 1784 | ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe | 82 |
| PID 1784 wrote to memory of 3676 | 1784 | ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe | 82 |
| PID 1784 wrote to memory of 3676 | 1784 | ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe | 82 |
| PID 1784 wrote to memory of 3676 | 1784 | ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe | 82 |
| PID 1784 wrote to memory of 3676 | 1784 | ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe | 82 |
| PID 3676 wrote to memory of 3916 | 3676 | explorer.exe | 83 |
| PID 3676 wrote to memory of 3916 | 3676 | explorer.exe | 83 |
| PID 3676 wrote to memory of 3916 | 3676 | explorer.exe | 83 |
| PID 3676 wrote to memory of 2124 | 3676 | explorer.exe | 84 |
| PID 3676 wrote to memory of 2124 | 3676 | explorer.exe | 84 |
| PID 3676 wrote to memory of 2124 | 3676 | explorer.exe | 84 |
| PID 3916 wrote to memory of 2920 | 3916 | @AE852E.tmp.exe | 85 |
| PID 3916 wrote to memory of 2920 | 3916 | @AE852E.tmp.exe | 85 |
| PID 3916 wrote to memory of 2920 | 3916 | @AE852E.tmp.exe | 85 |
| PID 3916 wrote to memory of 3168 | 3916 | @AE852E.tmp.exe | 86 |
| PID 3916 wrote to memory of 3168 | 3916 | @AE852E.tmp.exe | 86 |
| PID 3916 wrote to memory of 3168 | 3916 | @AE852E.tmp.exe | 86 |
| PID 2920 wrote to memory of 1092 | 2920 | cmd.exe | 89 |
| PID 2920 wrote to memory of 1092 | 2920 | cmd.exe | 89 |
| PID 2920 wrote to memory of 1092 | 2920 | cmd.exe | 89 |
| PID 1092 wrote to memory of 2360 | 1092 | WdExt.exe | 90 |
| PID 1092 wrote to memory of 2360 | 1092 | WdExt.exe | 90 |
| PID 1092 wrote to memory of 2360 | 1092 | WdExt.exe | 90 |
| PID 2360 wrote to memory of 4536 | 2360 | cmd.exe | 92 |
| PID 2360 wrote to memory of 4536 | 2360 | cmd.exe | 92 |
| PID 2360 wrote to memory of 4536 | 2360 | cmd.exe | 92 |
| PID 4536 wrote to memory of 3368 | 4536 | module_launcher.exe | 93 |
| PID 4536 wrote to memory of 3368 | 4536 | module_launcher.exe | 93 |
| PID 4536 wrote to memory of 3368 | 4536 | module_launcher.exe | 93 |
| PID 3368 wrote to memory of 2748 | 3368 | cmd.exe | 95 |
| PID 3368 wrote to memory of 2748 | 3368 | cmd.exe | 95 |
| PID 3368 wrote to memory of 2748 | 3368 | cmd.exe | 95 |
| PID 2748 wrote to memory of 3720 | 2748 | kb50145.exe | 96 |
| PID 2748 wrote to memory of 3720 | 2748 | kb50145.exe | 96 |
| PID 2748 wrote to memory of 3720 | 2748 | kb50145.exe | 96 |
| PID 2748 wrote to memory of 2460 | 2748 | kb50145.exe | 97 |
| PID 2748 wrote to memory of 2460 | 2748 | kb50145.exe | 97 |
| PID 2748 wrote to memory of 2460 | 2748 | kb50145.exe | 97 |
| PID 3720 wrote to memory of 3472 | 3720 | injector_s.exe | 56 |
Processes
- C:\Windows\Explorer.EXE (depth 1, PID 3472)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe (depth 2, PID 1784)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (depth 3, PID 3676)
      Command line: explorer.exe
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\@AE852E.tmp.exe (depth 4, PID 3916)
        Command line: "C:\Users\Admin\AppData\Local\Temp\@AE852E.tmp.exe"
        Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (depth 5, PID 2920)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe (depth 6, PID 1092)
            Command line: "C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe"
            Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\cmd.exe (depth 7, PID 2360)
              Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
              Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
              - C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe (depth 8, PID 4536)
                Command line: "C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe" /i 1092
                Signatures: Checks computer location settings; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
                - C:\Windows\SysWOW64\cmd.exe (depth 9, PID 3368)
                  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
                  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
                  - C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe (depth 10, PID 2748)
                    Command line: "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe"
                    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
                    - C:\Users\Admin\AppData\Roaming\injector_s.exe (depth 11, PID 3720)
                      Command line: "C:\Users\Admin\AppData\Roaming\injector_s.exe"
                      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    - C:\Windows\SysWOW64\cmd.exe (depth 11, PID 2460)
                      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a0x.bat" "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe" "C:\Users\Admin\AppData\Local\Temp\a0x.bat""
                      Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\cmd.exe (depth 5, PID 3168)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
          Signatures: System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe (depth 4, PID 2124)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 951KB
  MD5: 543a33df795c7264f370205682d88621
  SHA1: 4c187681f762b377611cc16027f766ff88227bdd
  SHA256: 0b5edd769c5c81392a96295a72bd635c1c5df5854726b35813bcf136793605e9
  SHA512: 8956a4a8f2169aa8c90c297341599c8b2b5afdbef77d272ad1cdffecc1ab84bed0ba617a3561e6e6b5c6ccfcb9f4da205e7e937e4bb81b8bda1a057b24f29ef6
- Filesize: 44B
  MD5: 804bb96081db73d249b1d21573d8ea59
  SHA1: abf76e8d0702ce245bb7afbb513cdcc8bac6ab35
  SHA256: b1e4990bf84c402594a53a2a98011b8880239e790872de1f6c7b8b9cd1005cf5
  SHA512: d037dea300ffe466ab83c2a1c2c9a55693c36b546dbbcfa0a7a1ef477a3ea5c33f9831d71389466cf4c74192b417bf9ed0b7e0ad88d927f1ca997fcba254414c
- C:\Users\Admin\AppData\Local\Temp\ba7ef4bd5c5f0edb53a8241454de2d471ef198b1dcc4f9b237a2faf36f2b63cfN.exe
  Filesize: 100KB
  MD5: d93f66f49305dd28437838e8648951a6
  SHA1: 3e8b01b7f8651ae1729c2e96e1c6060e384b1b42
  SHA256: f921b620a25de7032177c6a62e0b8221d732040e44565d16ffb75948f312be3d
  SHA512: 6336521bf2bd6a109199607fa730bd8108afef39e88543f5105bb756951a785d21d4dc603a3b97bb65f2e381c7bb19695da1464da6904f97e0b5954186fbce24
- Filesize: 619KB
  MD5: 713537a3f79d36f0eaeaf8e8fba96322
  SHA1: f03481707b940065e41ce008eda643eea78ffe40
  SHA256: 5864a4bfc200c2d9aadfa8c9540da1af036c2c712309da9d88fa901e9582b950
  SHA512: 0bf36c904e863d79d57b83e6e54371056b2fc0ddfa89b806519fbeb91c2ac4f9688d5c7d2619a496320d28cd008313fff61f92612dfe69c00d093917366189e3
- Filesize: 121KB
  MD5: 864484e1394eaaa2e9a8a63f01c97be0
  SHA1: d02a92d866232f22a8477ab99e6d27354fa310f2
  SHA256: e1a25be30164e6aca9bf97454be217f2b49e6f65fa4d3ac710637f6ef8a213a0
  SHA512: 16919202ee3626ab829070dbe2f43bb5caa9bbaebf63f5de3fb9930825f71edd074855cac6349241705d6bf979203e0eb7f9df2c25d2bfab95ee210ac350568c
- Filesize: 131KB
  MD5: ebc999a1ded4f76d648431350fe423bb
  SHA1: b1a4abcb00364ede9185209d41e7e2532cd559a0
  SHA256: ba6a7655e3860d01201ffbce06398dff71fd97acff99e95ac8cd2a3e3161d1c0
  SHA512: aba5a33667e01857650f74ea5dd461c11a0ff121c22e08ab058b950b11b315119b00acaf0aaf7401a668a4131daf73d07717002c6dd55570a79ad5ba526e5ce4
- Filesize: 99KB
  MD5: 88c497ace0db30cc47fc259b7806ad8f
  SHA1: a486cedff64cb60e62ffbefd25ee5df79e6a9714
  SHA256: 4a8ea33966592b337d31802f55ea7f901caec037b5b1bf18a9e2b6b044915781
  SHA512: 1748700a158b8f999658eb532e5d4ed80c844b21c47d3bf0d8682de22be4b47a424350196ee3d0538d71a67aca906b781282eb3192031e93e834f417b8134346
- Filesize: 172KB
  MD5: b00a14a9f3b2c8ac19ada6992517ff77
  SHA1: 8469aa684cf86fcf627c828d40a9dc9688187173
  SHA256: 015caba690febdd5403ad86a04bb9763db7408a3b3f0be85f9c364580dac4649
  SHA512: fea53117dc2efc23af186fae9ea8abc6ed15a516a820d62a5d312525447b0495fc0d81acf540017422427ea45754298fb7e334c9db8c47d49c4ce741f85bbf2c
- Filesize: 76KB
  MD5: ccf05ce9abe252cc7d68b2ff8ab6cfb7
  SHA1: 8739e9e007b62d9434bd5d06d5d312d255496a00
  SHA256: a1d30db63fcb26cfcc1e128f4b840ac1c822267a8f17de45cc2e2fc19147e41f
  SHA512: e2e56fa332b895fc54fd9a6ccd71952f11237f18d66b2342a47c7b707a65743d3f8b84efa5988257e657623cb748cb196e36a8839fb1cd5f600cb30623b2a29b
- Filesize: 953KB
  MD5: 05fb43fc3cc069eed454ffe75a009294
  SHA1: e63ad9495a572207033d757237e0f45ea79e71b6
  SHA256: c5b3f8a220e437e6ff0ddbd9b9334f53a4354b31bf9cfbd39fc73062a20b2762
  SHA512: 66ad9a67d437d90e11e73a27f0695f2519cb7d63b563e13c3ad3b47821662244a6643c8807a0397e3433e996eebe35dd57ab2f08e8cffe44aa22a037107725bf
- Filesize: 76KB
  MD5: 8bf335774fbb62bbe1de03921dfe047a
  SHA1: 24fc750a20aebb52f23e84264d201f458106d95d
  SHA256: 048655d212b269073107e4636125ceeea262acce1d364fc512a0cc8f4783dcf7
  SHA512: aed95f1c37cc99cee23d250e395a80c9c45c7c1c017ec7baef2af860711dbd5b540bf077d372e94582c9758961063f4c166a03fffce3b17e7fb468ce174b7aea
- Filesize: 172KB
  MD5: 6ff3155e619e2c601db536c88741e094
  SHA1: c71bfc0a9b11db33c801035e06d31a03e2901dd0
  SHA256: b4febd6c6fc42b7d86b575f6c44f0d49fbe9ec02e98d3be00cb26b3e32a3a6d1
  SHA512: 8a3047ff46833003464f0979702a4b4f0cf3998c3e4aa865b2f61cfd377689eae706fb9017c2ca97a2fee7f65d6c17c73ae37e86940a6aefdd06d8f0281bcebc
- Filesize: 105B
  MD5: 902a1098f800859502aec4eac3026495
  SHA1: a6b209e9aa15087670e830af5de8179b31abc897
  SHA256: ff5e923c453d3d61a7989b2b0f978b0bba924a7052667311c9eed54852a20cfd
  SHA512: cf7f0197c78f9c7db81068fbc702596a00c5d7c8280751641965917056c0e71265a3a89f3daf6a3600faa13034b54fbedea50ea583723abbfc286f2e7e79fe77
- Filesize: 122B
  MD5: c11744e676cdbbcac5208d663ff47918
  SHA1: 95392a131a2028425ef305e3125bb2c8a62c5e3a
  SHA256: 42a7e9d66d53d01df0f548f0c1a2ec53d6ad323ddd61416203545c7335964ef3
  SHA512: 12e97e3eae6f158d43d11c029854963b60675af6116030bcb56f526474ee7c970b8d9d9d82836690b8fdc256245d61b9863b133ee019073450b93e4bd5bdc75a
- Filesize: 196B
  MD5: f3a225281d939236d0a2608c922ddd7a
  SHA1: 86779f176aef1cbf5d0201faae425fd23a0dc48e
  SHA256: db6567e4ad78ff00bb4b0cdb9a8e9fbda8d3926e6d5344a2b5417cf0e4cdb3b4
  SHA512: 7b12235db9f55d7f66eefdd05b57a5d758351017b87b1da3b23be9dbc884e28bc554f321af268a5b28090ef44a7a46975a263d60a4d1dc39f120363de22ba84c
- Filesize: 107B
  MD5: 85eb3280f9675f88d00040cbea92277f
  SHA1: 2fece0a30b2153b4a9fee72fe5a637dee1967a2f
  SHA256: bf1b95975082845d3d9d8948999d69d666dfe50d741a36cdf81fa180fa4c777b
  SHA512: 2641b1dfa67216ed86d0394dbc6dd78f6124978c23673c73e4e1da66a93f98364acafc13c3df017fab682ed3d9a2c993f3d9bb562e07b7a1b0a01576e1381298
- Filesize: 388KB
  MD5: 8d7db101a7211fe3309dc4dc8cf2dd0a
  SHA1: 6c2781eadf53b3742d16dab2f164baf813f7ac85
  SHA256: 93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a
  SHA512: 8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83
- Filesize: 188KB
  MD5: 1d1491e1759c1e39bf99a5df90311db3
  SHA1: 8bd6faed091bb00f879ef379715461130493e97f
  SHA256: 22c5c5bcb256c1dcaead463c92a70107ba1bac40564fe1e7d46594c6a3936778
  SHA512: ac6ca48acbd288011849e55b0c66faf9ead479e39dc2deaecc7ad998e764f02a1807bb9227e03f12ce1a0b1f5c5b3072c3b86b5bae336e84d95d7a3e42cf5a1e