Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06/11/2024, 13:25
Behavioral task
behavioral1
Sample
335031654ecc1799c90f681ca309b9377d6be0a5561d457cc99ed73e839fbf8fN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
335031654ecc1799c90f681ca309b9377d6be0a5561d457cc99ed73e839fbf8fN.exe
Resource
win10v2004-20241007-en
General
-
Target
335031654ecc1799c90f681ca309b9377d6be0a5561d457cc99ed73e839fbf8fN.exe
-
Size
3.4MB
-
MD5
7519fab11e73a51ddd403bfc9008cff0
-
SHA1
b1b07a33d54859aaa1e2e6dbc22519051e07e6a9
-
SHA256
335031654ecc1799c90f681ca309b9377d6be0a5561d457cc99ed73e839fbf8f
-
SHA512
81bcc890db76771c0a685787da2660fe5f3117bb965c6ad6b3b6d651bcc22b12a9d415efadc918591eee1c3a59905e5479e7e785d94c35890f84122c01df7f1f
-
SSDEEP
98304:p8Fl84qUQhj3J2CBCoX05otUScs8QKkc7LkCvL:aS4q5jZ2K1WSHCvL
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 4920 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 335031654ecc1799c90f681ca309b9377d6be0a5561d457cc99ed73e839fbf8fN.exe -
Executes dropped EXE 1 IoCs
pid Process 4524 Server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 335031654ecc1799c90f681ca309b9377d6be0a5561d457cc99ed73e839fbf8fN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe 4524 Server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4524 Server.exe -
Suspicious use of AdjustPrivilegeToken 29 IoCs
description pid Process Token: SeDebugPrivilege 4524 Server.exe Token: 33 4524 Server.exe Token: SeIncBasePriorityPrivilege 4524 Server.exe Token: 33 4524 Server.exe Token: SeIncBasePriorityPrivilege 4524 Server.exe Token: 33 4524 Server.exe Token: SeIncBasePriorityPrivilege 4524 Server.exe Token: 33 4524 Server.exe Token: SeIncBasePriorityPrivilege 4524 Server.exe Token: 33 4524 Server.exe Token: SeIncBasePriorityPrivilege 4524 Server.exe Token: 33 4524 Server.exe Token: SeIncBasePriorityPrivilege 4524 Server.exe Token: 33 4524 Server.exe Token: SeIncBasePriorityPrivilege 4524 Server.exe Token: 33 4524 Server.exe Token: SeIncBasePriorityPrivilege 4524 Server.exe Token: 33 4524 Server.exe Token: SeIncBasePriorityPrivilege 4524 Server.exe Token: 33 4524 Server.exe Token: SeIncBasePriorityPrivilege 4524 Server.exe Token: 33 4524 Server.exe Token: SeIncBasePriorityPrivilege 4524 Server.exe Token: 33 4524 Server.exe Token: SeIncBasePriorityPrivilege 4524 Server.exe Token: 33 4524 Server.exe Token: SeIncBasePriorityPrivilege 4524 Server.exe Token: 33 4524 Server.exe Token: SeIncBasePriorityPrivilege 4524 Server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1644 wrote to memory of 4524 1644 335031654ecc1799c90f681ca309b9377d6be0a5561d457cc99ed73e839fbf8fN.exe 86 PID 1644 wrote to memory of 4524 1644 335031654ecc1799c90f681ca309b9377d6be0a5561d457cc99ed73e839fbf8fN.exe 86 PID 1644 wrote to memory of 4524 1644 335031654ecc1799c90f681ca309b9377d6be0a5561d457cc99ed73e839fbf8fN.exe 86 PID 4524 wrote to memory of 4920 4524 Server.exe 95 PID 4524 wrote to memory of 4920 4524 Server.exe 95 PID 4524 wrote to memory of 4920 4524 Server.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\335031654ecc1799c90f681ca309b9377d6be0a5561d457cc99ed73e839fbf8fN.exe"C:\Users\Admin\AppData\Local\Temp\335031654ecc1799c90f681ca309b9377d6be0a5561d457cc99ed73e839fbf8fN.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4920
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD58e9b90e4ab289645ddccd5247deee261
SHA1683d9e6b051f3d71e98e3c5f46c4486c68655689
SHA25617950308df05494a2ba5ff523b839a6d9a30793647bff3a63b606ef7ca33bf8d
SHA51258cff5b191e09b2dbc0e23747089d51ea994d206614fae44a331e7cf97aaaddfc7dc16aa9d802c08803a719ef6b62b47b9409147b1f18d0e3e7874d90fdc4dae