Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
5s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26/10/2024, 22:12
Behavioral task
behavioral1
Sample
cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe
Resource
win10v2004-20241007-en
General
-
Target
cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe
-
Size
70KB
-
MD5
028940e1f2ecb5ef9aba3dcd590d3260
-
SHA1
066d9db987d05c89b055f2f870ce76af4930ae9c
-
SHA256
cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181
-
SHA512
a075c6d5923b5978bbb20f0bee773a46b698fa7ad946aa57f98dc51f5403fe6cc9b8e07f35bfaf457f6d386f3d213e2f63d7404cf4840a9a991197ddf77202ca
-
SSDEEP
1536:gFTnqpKxynVZGeifCSzTPb542HkLbvJfxa:gFT0Geifrvb59H+bvJ5a
Malware Config
Signatures
-
BlackNET payload 1 IoCs
resource yara_rule behavioral2/files/0x000a000000023c4e-18.dat family_blacknet -
Blacknet family
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral2/files/0x000a000000023c4e-18.dat disable_win_def -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe -
Executes dropped EXE 1 IoCs
pid Process 3696 WindowsUpdate.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2965b7eabf9eb6ce83de7d2260ab71ba = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe" cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2965b7eabf9eb6ce83de7d2260ab71ba = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
pid Process 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4272 wrote to memory of 3696 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 90 PID 4272 wrote to memory of 3696 4272 cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe"C:\Users\Admin\AppData\Local\Temp\cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181N.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"2⤵
- Executes dropped EXE
PID:3696
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD5028940e1f2ecb5ef9aba3dcd590d3260
SHA1066d9db987d05c89b055f2f870ce76af4930ae9c
SHA256cad8c73ebaabdfc1557482f83e18d543be6bd15e723bb89670398f8c4a3e2181
SHA512a075c6d5923b5978bbb20f0bee773a46b698fa7ad946aa57f98dc51f5403fe6cc9b8e07f35bfaf457f6d386f3d213e2f63d7404cf4840a9a991197ddf77202ca