Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
13s -
max time network
11s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
28/09/2024, 20:00
General
-
Target
Start.exe
-
Size
202KB
-
MD5
775d903c7d0676e880682b2f78c0c528
-
SHA1
44b0fb55ceb07e6e707824c9c9964d36bd7ebe76
-
SHA256
631059c3094723949f4937b3326261cb60bbf62adeac331afc7caedcd3a74dfe
-
SHA512
c14ba4329d9ef6977210529f4657ff273cb9a023974df990293daee2b191bd8d713d96eda6a41b8d70da52ec91692f64dc327d9ddb8211c2e66ff534ea880342
-
SSDEEP
3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HITaMf8us+kVoSliWaR4FFMYcdD:gLV6Bta6dtJmakIM5sfZs++iWFHcdrP
Malware Config
Extracted
nanocore
1.2.2.0
103.202.55.183:1604
5b5911ea-ea90-4e20-ad14-1eb49fa38e28
-
activate_away_mode
true
-
backup_connection_host
103.202.55.183
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-07-03T23:31:21.656735436Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1604
-
default_group
hax
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
5b5911ea-ea90-4e20-ad14-1eb49fa38e28
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
103.202.55.183
-
primary_dns_server
8.8.8.8
-
request_elevation
false
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisvc.exe" Start.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Start.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\DPI Service\dpisvc.exe Start.exe File created C:\Program Files (x86)\DPI Service\dpisvc.exe Start.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rescache\_merged\4183903823\2290032291.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\715946058.pri taskmgr.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Start.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 4780 Start.exe 4780 Start.exe 4780 Start.exe 4780 Start.exe 4780 Start.exe 4780 Start.exe 4780 Start.exe 4780 Start.exe 4780 Start.exe 4780 Start.exe 4780 Start.exe 4780 Start.exe 4724 taskmgr.exe 4724 taskmgr.exe 4780 Start.exe 4780 Start.exe 4780 Start.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4780 Start.exe 4780 Start.exe 4780 Start.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4780 Start.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 4780 Start.exe Token: SeDebugPrivilege 4724 taskmgr.exe Token: SeSystemProfilePrivilege 4724 taskmgr.exe Token: SeCreateGlobalPrivilege 4724 taskmgr.exe Token: 33 4724 taskmgr.exe Token: SeIncBasePriorityPrivilege 4724 taskmgr.exe -
Suspicious use of FindShellTrayWindow 36 IoCs
pid Process 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe -
Suspicious use of SendNotifyMessage 36 IoCs
pid Process 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe 4724 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Start.exe"C:\Users\Admin\AppData\Local\Temp\Start.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4780
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4724
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5775d903c7d0676e880682b2f78c0c528
SHA144b0fb55ceb07e6e707824c9c9964d36bd7ebe76
SHA256631059c3094723949f4937b3326261cb60bbf62adeac331afc7caedcd3a74dfe
SHA512c14ba4329d9ef6977210529f4657ff273cb9a023974df990293daee2b191bd8d713d96eda6a41b8d70da52ec91692f64dc327d9ddb8211c2e66ff534ea880342