Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
01/10/2024, 19:04
Static task
static1
Behavioral task
behavioral1
Sample
5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe
Resource
win10v2004-20240802-en
General
-
Target
5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe
-
Size
72KB
-
MD5
1e4d9acc849b60a5088b65d115df1420
-
SHA1
6a3eee5fba5f91d92e1c3a91a300706dfa16574c
-
SHA256
5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644
-
SHA512
4685a70343767dedc29d61d893304093c1e1093eaf55d8757c3decb7d93b3b94721d21c52f18fd50918d9efcdf53b639087608aece6967f133bfb0daab1de7e8
-
SSDEEP
1536:x5FNAlTnd+5rO0PxfXZVBZq5qYXMEIcSg:XTAlOO0Pxfznq5zXug
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" uclivoaf-eagur.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" uclivoaf-eagur.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" uclivoaf-eagur.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" uclivoaf-eagur.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F445A4B-4452-4756-4F44-5A4B44524756}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" uclivoaf-eagur.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F445A4B-4452-4756-4F44-5A4B44524756}\IsInstalled = "1" uclivoaf-eagur.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F445A4B-4452-4756-4F44-5A4B44524756}\StubPath = "C:\\Windows\\system32\\oucbifoor-idum.exe" uclivoaf-eagur.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F445A4B-4452-4756-4F44-5A4B44524756} uclivoaf-eagur.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe uclivoaf-eagur.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" uclivoaf-eagur.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\akgeaniv-oucac.exe" uclivoaf-eagur.exe -
Executes dropped EXE 2 IoCs
pid Process 4904 uclivoaf-eagur.exe 2540 uclivoaf-eagur.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" uclivoaf-eagur.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" uclivoaf-eagur.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" uclivoaf-eagur.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" uclivoaf-eagur.exe -
description ioc Process Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger uclivoaf-eagur.exe -
Modifies WinLogon 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" uclivoaf-eagur.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} uclivoaf-eagur.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify uclivoaf-eagur.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" uclivoaf-eagur.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ulkeadak.dll" uclivoaf-eagur.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\uclivoaf-eagur.exe 5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe File created C:\Windows\SysWOW64\oucbifoor-idum.exe uclivoaf-eagur.exe File opened for modification C:\Windows\SysWOW64\ulkeadak.dll uclivoaf-eagur.exe File created C:\Windows\SysWOW64\ulkeadak.dll uclivoaf-eagur.exe File created C:\Windows\SysWOW64\uclivoaf-eagur.exe 5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe File opened for modification C:\Windows\SysWOW64\akgeaniv-oucac.exe uclivoaf-eagur.exe File created C:\Windows\SysWOW64\akgeaniv-oucac.exe uclivoaf-eagur.exe File opened for modification C:\Windows\SysWOW64\oucbifoor-idum.exe uclivoaf-eagur.exe File opened for modification C:\Windows\SysWOW64\uclivoaf-eagur.exe uclivoaf-eagur.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language uclivoaf-eagur.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 2540 uclivoaf-eagur.exe 2540 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe 4904 uclivoaf-eagur.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4904 uclivoaf-eagur.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 428 wrote to memory of 4904 428 5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe 82 PID 428 wrote to memory of 4904 428 5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe 82 PID 428 wrote to memory of 4904 428 5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe 82 PID 4904 wrote to memory of 640 4904 uclivoaf-eagur.exe 5 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 2540 4904 uclivoaf-eagur.exe 83 PID 4904 wrote to memory of 2540 4904 uclivoaf-eagur.exe 83 PID 4904 wrote to memory of 2540 4904 uclivoaf-eagur.exe 83 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56 PID 4904 wrote to memory of 3460 4904 uclivoaf-eagur.exe 56
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:640
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe"C:\Users\Admin\AppData\Local\Temp\5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe"2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\SysWOW64\uclivoaf-eagur.exe"C:\Windows\SysWOW64\uclivoaf-eagur.exe"3⤵
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Windows security modification
- Indicator Removal: Clear Persistence
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\uclivoaf-eagur.exe--k33p4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2540
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
73KB
MD5c3fce884c66004baf3694f4b2ceff613
SHA1f6feabb35317a70e8f15f8e292536728f133556f
SHA256a0ece8b9654b5262cca389dcd53023a2223244d7e2c3fd584ddbf0cd32d0eb6a
SHA5126bd309953ea74c87c733bcb7e0ae3b0ec32ba1aba7b5a09865ac0a9675ae5afcb2278a15e61adb0aedbc3e63e99bcde8d553fb6177ea5c8ddca426c65d2dfbfb
-
Filesize
72KB
MD53e5c8e44141a30b2a4d4dd12ce53f174
SHA1fa6b433711d20c629ebae35486bf0c5f46e676ae
SHA25612a681e83c1b9760c0bc6e86e2337890ba573a479602dc24b6d97c7ce437ded5
SHA5123fc64ca747067deba00a0db6b8b781a1ee42ed810ac1838847c904f559f220262b89a816999e10bb67cdb505c64a5b799de1df78caba8120904bc542ee71321a
-
Filesize
70KB
MD5b8cc9fe7d1840ecd71fd24cfdda854bc
SHA1935a1f04733722c3918810c5174b387f6beb1fec
SHA2566b0f97eb129528df88d0c90ebaa572ad89111624142501ea72f19c6890032529
SHA512379a3830b7b13655fab55836acc1de5cc5f33c64118d588a7936e6f4c40aae97d88760bbd1d0200228e6b2f135470bfe50bcecce95e34e8d21dff2cdfada1723
-
Filesize
5KB
MD5f37b21c00fd81bd93c89ce741a88f183
SHA1b2796500597c68e2f5638e1101b46eaf32676c1c
SHA25676cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4