Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/10/2024, 02:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: 99e02e2915db79a393f066e24150ac61ded169f7046035f986a3228d6c6094c3.exe
- Resource: win7-20240903-en
General
- Target: 99e02e2915db79a393f066e24150ac61ded169f7046035f986a3228d6c6094c3.exe
- Size: 349KB
- MD5: 75d6e84145a22c3da06bbf6caed60668
- SHA1: 4fe0463268f5d056ee71c29ddcbb492dce02d8d5
- SHA256: 99e02e2915db79a393f066e24150ac61ded169f7046035f986a3228d6c6094c3
- SHA512: a9c0080e0581332c08bcf80d03a7bc7dfbd0824f9e947814f08fcb1078d767599683c800f60882b32edb688821bc66fa349ad1eab3a76664f3a967bc7ad1be49
- SSDEEP: 6144:FB1QKZaOpBjQepew/PjuGyFPr527Uf2u/jGw0qun597/QKjJ8zkjDpyAYpIF:FB1Q6rpr7MrswfLjGwW5xFdRyJpo
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.2
- C2: bemery2.no-ip.biz:57628, 127.0.0.1:57628
- Mutex: 997af15f-5576-4030-975c-eb3264fb6789

Attributes
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2015-04-23T21:31:33.540664436Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 57628
- default_group: grace
- enable_debug_mode: true
- gc_threshold: 1.048576e+08
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+09
- mutex: 997af15f-5576-4030-975c-eb3264fb6789
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: bemery2.no-ip.biz
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.2
- wan_timeout: 8000
Signatures

Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
- PID 4564, attrib.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation (99e02e2915db79a393f066e24150ac61ded169f7046035f986a3228d6c6094c3.exe)

Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsvc.exe" (RegAsm.exe)

Checks whether UAC is enabled (1 IoCs)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RegAsm.exe)

Suspicious use of SetThreadContext (1 IoCs)
- PID 3940 set thread context of 4628 (99e02e2915db79a393f066e24150ac61ded169f7046035f986a3228d6c6094c3.exe, procid_target 136)

Drops file in Program Files directory (2 IoCs)
- File created: C:\Program Files (x86)\DHCP Service\dhcpsvc.exe (RegAsm.exe)
- File opened for modification: C:\Program Files (x86)\DHCP Service\dhcpsvc.exe (RegAsm.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 16 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process:
- ping.exe (13 times)
- attrib.exe (1 time)
- RegAsm.exe (1 time)
- 99e02e2915db79a393f066e24150ac61ded169f7046035f986a3228d6c6094c3.exe (1 time)

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 13 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
- ping.exe PIDs: 620, 4496, 4472, 4756, 2468, 3532, 4368, 4372, 1028, 2180, 2312, 4416, 3048

Runs ping.exe (1 TTPs, 13 IoCs)
- ping.exe PIDs: 4368, 620, 1028, 2180, 3048, 2468, 3532, 2312, 4416, 4372, 4496, 4472, 4756

Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 4628, RegAsm.exe (3 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 4628, RegAsm.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 3940, 99e02e2915db79a393f066e24150ac61ded169f7046035f986a3228d6c6094c3.exe
- Token: SeDebugPrivilege, PID 4628, RegAsm.exe

Suspicious use of WriteProcessMemory (50 IoCs)
All 50 events have source PID 3940 (99e02e2915db79a393f066e24150ac61ded169f7046035f986a3228d6c6094c3.exe); target PID, procid_target and number of events:
- 4496 (procid_target 93): 3 events
- 4472 (procid_target 100): 3 events
- 1028 (procid_target 106): 3 events
- 4756 (procid_target 109): 3 events
- 2468 (procid_target 112): 3 events
- 2180 (procid_target 116): 3 events
- 3532 (procid_target 118): 3 events
- 2312 (procid_target 121): 3 events
- 4416 (procid_target 130): 3 events
- 3048 (procid_target 133): 3 events
- 4628 (procid_target 136): 8 events
- 4564 (procid_target 137): 3 events
- 4368 (procid_target 139): 3 events
- 4372 (procid_target 150): 3 events
- 620 (procid_target 153): 3 events

Views/modifies file attributes (1 TTPs, 1 IoCs)
- PID 4564, attrib.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\99e02e2915db79a393f066e24150ac61ded169f7046035f986a3228d6c6094c3.exe (PID 3940, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\99e02e2915db79a393f066e24150ac61ded169f7046035f986a3228d6c6094c3.exe"
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Child processes (level 2):
  - C:\Windows\SysWOW64\ping.exe (PID 4496)
    Command line: C:\Windows\System32\ping.exe google.com
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\SysWOW64\ping.exe (PID 4472)
    Command line: C:\Windows\System32\ping.exe google.com
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\SysWOW64\ping.exe (PID 1028)
    Command line: C:\Windows\System32\ping.exe google.com
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\SysWOW64\ping.exe (PID 4756)
    Command line: C:\Windows\System32\ping.exe google.com
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\SysWOW64\ping.exe (PID 2468)
    Command line: C:\Windows\System32\ping.exe google.com
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\SysWOW64\ping.exe (PID 2180)
    Command line: C:\Windows\System32\ping.exe google.com
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\SysWOW64\ping.exe (PID 3532)
    Command line: C:\Windows\System32\ping.exe google.com
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\SysWOW64\ping.exe (PID 2312)
    Command line: C:\Windows\System32\ping.exe google.com
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\SysWOW64\ping.exe (PID 4416)
    Command line: C:\Windows\System32\ping.exe google.com
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\SysWOW64\ping.exe (PID 3048)
    Command line: C:\Windows\System32\ping.exe google.com
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 4628)
    Command line: "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    Signatures: Adds Run key to start application; Checks whether UAC is enabled; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\attrib.exe (PID 4564)
    Command line: "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\99e02e2915db79a393f066e24150ac61ded169f7046035f986a3228d6c6094c3.exe
    Signatures: Sets file to hidden; System Location Discovery: System Language Discovery; Views/modifies file attributes
  - C:\Windows\SysWOW64\ping.exe (PID 4368)
    Command line: C:\Windows\System32\ping.exe google.com
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\SysWOW64\ping.exe (PID 4372)
    Command line: C:\Windows\System32\ping.exe google.com
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\SysWOW64\ping.exe (PID 620)
    Command line: C:\Windows\System32\ping.exe google.com
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (1)