Analysis
- max time kernel: 38s
- max time network: 34s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 11/11/2024, 01:53
Behavioral task: behavioral1
- Sample: 522dfde09e90aad84c900ffb7c9f5acee40a5ac68ee6846d8cf7284503cb1176
- Resource: win11-20241007-en
General
- Target: 522dfde09e90aad84c900ffb7c9f5acee40a5ac68ee6846d8cf7284503cb1176
- Size: 256KB
- MD5: ce39407f5442c56fdc342737c58b31d2
- SHA1: 363a5eec4245cabb4477bd1bb36e09f845342d55
- SHA256: 522dfde09e90aad84c900ffb7c9f5acee40a5ac68ee6846d8cf7284503cb1176
- SHA512: 2fabd6510cee1acf2471f13633a5f3449b23aadc64fe7f92647f14f5d67228a43aacf3f50b7aa29fd6bbad9bfa6955a550f4d1d64ea7bf5b2a620f5e9b7a08b8
- SSDEEP: 3072:fTV/wi4lr55R9TxlnsPsUw0jOuw+caARZBrNOOsz5poVUDMp9YgjgTA0eo8JBcTF:Z/hkaqZI3
Malware Config
Signatures
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | Taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | Taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | Taskmgr.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | BackgroundTransferHost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | BackgroundTransferHost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | BackgroundTransferHost.exe
  Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache | BackgroundTransferHost.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process
  1480 | Taskmgr.exe (12 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1480 | Taskmgr.exe
  Token: SeSystemProfilePrivilege | 1480 | Taskmgr.exe
  Token: SeCreateGlobalPrivilege | 1480 | Taskmgr.exe
- Suspicious use of FindShellTrayWindow (24 IoCs)
  pid | Process
  1480 | Taskmgr.exe (24 occurrences)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process
  1480 | Taskmgr.exe (24 occurrences)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  1628 | MiniSearchHost.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\522dfde09e90aad84c900ffb7c9f5acee40a5ac68ee6846d8cf7284503cb1176
  PID: 1684
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
  PID: 1628
- C:\Windows\system32\BackgroundTransferHost.exe
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
  Signatures: Modifies registry class
  PID: 3704
- C:\Windows\System32\Taskmgr.exe
  Command line: "C:\Windows\System32\Taskmgr.exe"
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  PID: 1480
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\64a348c9-ae16-460a-bd64-9db06802b21e.down_data
  Filesize: 555KB
  MD5: 5683c0028832cae4ef93ca39c8ac5029
  SHA1: 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
  SHA256: 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
  SHA512: aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 10KB
  MD5: 0c71204dc7dd088aa8f1b279e29d7bf5
  SHA1: 475dbeb8589312574e6b5f3ca2913b8b80af155b
  SHA256: 28f655f695c0992c73fa7b02fca2c93b65aec5b8c82297e1be30ed9016eb54a1
  SHA512: f10ec78286923446833e4f19900a790be0440885688fe273a811648de090a765ea82ef8ccc062987ec12285e0de608b803671d01358a18dd4504f90845169826
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 10KB
  MD5: 76fbe77cbc68f3bd5f0decad25775716
  SHA1: 2ebc2dea0b2224ea73fb5413d94ad38218122bf3
  SHA256: 8d59129db45c9f234318144380c9d167d89a9faa8e2a6aede9b5a3bcfdf650b6
  SHA512: 1a5d850914bd033defe42de3a333c2a7497927a07289258acd5ec08e973b4ed45030b0f299d6da5bac16ad607ed471b3db52a5c9676a532ecaa0836682618230