Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2024, 08:23
Behavioral task
behavioral1
Sample
c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe
-
Size
37KB
-
MD5
0e78a49bf12394a06cf511f72d76c040
-
SHA1
6bac7cc2f03a22654151501a02570b41a9db4365
-
SHA256
c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31f
-
SHA512
f5a5797326eae328f3876889c1e4f07d7fb853df6dd1a06545696c2fcc59ae1a9fc1b28f1c4a3b1f592016c31ac20c0704531d8d68b8208040f2b1aef1c0e962
-
SSDEEP
384:ckaIiudjtD+P3V+y0b3+LCtf1QseiXFrAF+rMRTyN/0L+EcoinblneHQM3epzXV2:fFmV10b3+LCtCViVrM+rMRa8Nuzyt
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 1476 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe -
Executes dropped EXE 1 IoCs
pid Process 4776 server.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc 26 0.tcp.eu.ngrok.io 61 0.tcp.eu.ngrok.io 65 0.tcp.eu.ngrok.io 70 0.tcp.eu.ngrok.io -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4776 server.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
description pid Process Token: SeDebugPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2148 wrote to memory of 4776 2148 c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe 94 PID 2148 wrote to memory of 4776 2148 c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe 94 PID 2148 wrote to memory of 4776 2148 c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe 94 PID 4776 wrote to memory of 1476 4776 server.exe 98 PID 4776 wrote to memory of 1476 4776 server.exe 98 PID 4776 wrote to memory of 1476 4776 server.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe"C:\Users\Admin\AppData\Local\Temp\c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1476
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD50e78a49bf12394a06cf511f72d76c040
SHA16bac7cc2f03a22654151501a02570b41a9db4365
SHA256c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31f
SHA512f5a5797326eae328f3876889c1e4f07d7fb853df6dd1a06545696c2fcc59ae1a9fc1b28f1c4a3b1f592016c31ac20c0704531d8d68b8208040f2b1aef1c0e962