Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
62s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/10/2024, 06:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe
-
Size
5.0MB
-
MD5
83fcb5ac7f852a8c55ecad65d83e8450
-
SHA1
72504900c20f1c186fb582867392caf31dabc545
-
SHA256
2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958
-
SHA512
1c1abc3c9d3ebbf5577090fc506513cfdcb08544a8e4e12a4f881f8db4b5c52966590a8dd4a26f8d9ceba2f26241d19f597633a1aa28fa783f56700a6db270a2
-
SSDEEP
24576:qIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII3:
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe" 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe -
Drops file in Drivers directory 5 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Windows\System32\drivers\etc\lmhosts.sam 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Windows\System32\drivers\etc\networks 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Windows\System32\drivers\etc\protocol 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Windows\System32\drivers\etc\services 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe -
Drops startup file 8 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KasperskyScanner.hta 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YourMomIsGay.html 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YourMom.vbs 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSDOS32.mp3 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSDOS323.mp3 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antivirus.bat 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antivirus2.vbs 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antivirus3.vbs 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Program = "\\C:\\Users\\Admin\\AppData\\Local\\Temp\\2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe\\" 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 13 raw.githubusercontent.com 14 raw.githubusercontent.com -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pencht.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\ado\msadomd.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\msadc\msadcor.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\msadc\msdaprsr.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl64.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\Ole DB\oledb32r.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\msadc\msdaremr.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\javaw.exe 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\wab32.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF64.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkObj.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\micaut.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\Ole DB\msdadc.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\Ole DB\msdatt.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\skchui.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPlugin.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\Ole DB\msdaora.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\Ole DB\msdasqlr.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\msadc\msaddsr.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\penjpn.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\ado\msader15.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\javaws.exe 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\ado\msado15.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\msadc\msdaprst.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\Ole DB\msdaer.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\Ole DB\msdaps.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mraut.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia90.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\msadc\msdfmap.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\Ole DB\msdaorar.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\msadc\msadds.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\msadc\msadce.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe File created C:\Program Files (x86)\Common Files\System\Ole DB\msdatl3.dll 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4944 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe Token: SeDebugPrivilege 4944 2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe"C:\Users\Admin\AppData\Local\Temp\2f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958N.exe"1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4944
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.0MB
MD583fcb5ac7f852a8c55ecad65d83e8450
SHA172504900c20f1c186fb582867392caf31dabc545
SHA2562f48478d6e129ed9b142eec7b8d2063f85e8296bfbaca5a1da8ebea26e344958
SHA5121c1abc3c9d3ebbf5577090fc506513cfdcb08544a8e4e12a4f881f8db4b5c52966590a8dd4a26f8d9ceba2f26241d19f597633a1aa28fa783f56700a6db270a2
-
Filesize
79B
MD58b20ea0476a4ef666ffde47cf8d160b1
SHA1528db63e91e4c53a7b591dae179b501ed1b567e6
SHA2568fd9c10a4641311464f5a6529b4d2b23c5727d44cf735b05336d63fb905c9173
SHA5128286bfcfe07695ba7aa5a3f75e6ae80643fc3b7c72f21246a9f3c614c1fe5eed70a438227335f0dce8a4014e0fc8975718efd13c3316314ebd28d88b065ab844