Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20/11/2024, 18:21
General
-
Target
8f5c02636a6977ae7045a1325c005b8f76897678320dd84a2ea1d2458a5a530b.exe
-
Size
64KB
-
MD5
d098ed5d12ec03c894ce42da6e38c2d6
-
SHA1
2e2a54824aba72e90d634d255999b2eee9503306
-
SHA256
8f5c02636a6977ae7045a1325c005b8f76897678320dd84a2ea1d2458a5a530b
-
SHA512
5b9df34ad34cc2f9d46580654144008976124c00752c95d3adbe275159de1d06a4077658fc42846590511947d0fdef4f9372c36196eb2759b56891eaaa03842f
-
SSDEEP
1536:9VB9ew1O/1hhDiZnHba3W74s3KdWGGZttlI6TRqnouy8hyG+jKY:9Ve1fh8nHbao6dWntI6TRyouthyLv
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 10 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 6 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Kills process with taskkill 1 IoCs
-
Modifies Control Panel 3 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f5c02636a6977ae7045a1325c005b8f76897678320dd84a2ea1d2458a5a530b.exe"C:\Users\Admin\AppData\Local\Temp\8f5c02636a6977ae7045a1325c005b8f76897678320dd84a2ea1d2458a5a530b.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Windows Media Player\svchost.exe"C:\Program Files (x86)\Windows Media Player\svchost.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"2⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT4⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "8f5c02636a6977ae7045a1325c005b8f76897678320dd84a2ea1d2458a5a530b.exe"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Windows Media Player\wmplayerc.exe"C:\Program Files (x86)\Windows Media Player\wmplayerc.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Media Player\svchost.exe"C:\Program Files (x86)\Windows Media Player\svchost.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify Tools
3Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD5a3565eec669697a3d6f7b35fb75fcb26
SHA16e81f83c057ff5da8f800a23f32f717a3e0ca2dc
SHA256a7e6bd8d46e6eb541a071fb8a94b9567ecbb1c353764e36fae8b6f41b4a3d1d5
SHA5120f815447afd11be56e49455bb4246b6e31063ae5f72743109a644d4d0fb0c79e78cf7b9bf17b19684fba25a72a66b2e4ad6a481871ae6792472a9e9942a20032
-
Filesize
64KB
MD5c3fe1a00aeda2c021089b3a19a4fe654
SHA117ac72516bb4893aa700583b8504d1c2b789d8b8
SHA2562bea2c14cc9d15a0d28ddae02698005bbead2bfdde531aa6b74f19c56b76bfec
SHA512bdc257c329a322bb8be6a48efb5512b748de06a8e1292fa769c13eb40285b8e0400dc14208eeebbd76e3a44df22a81d5004b083fefdcfd35cbe5db4325026d02
-
Filesize
65B
MD5ad0b0b4416f06af436328a3c12dc491b
SHA1743c7ad130780de78ccbf75aa6f84298720ad3fa
SHA25623521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
SHA512884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56
-
Filesize
64KB
MD5584ce8bcd32e8151fdcef49313bf4403
SHA1854a02c7ea29db78c3fd549777f491f2d6ea903a
SHA2564ffc358c469505d71ff8256c5d3bb24a662a600bee8cc94dc04e4d80f74d0092
SHA5121e2289922c5285b8ae954e62fa0bbd9bc163e4e766cc2d62149c2fcfd6a20c8f41cac0477547752c2a9a642fcac09b83f90e142ce63605254bf5f28663a8b1f6
-
Filesize
256KB
MD5adbd8353954edbe5e0620c5bdcad4363
SHA1aeb5c03e8c1b8bc5d55683ea113e6ce1be7ac6e6
SHA25664eff10c4e866930d32d4d82cc88ec0e6f851ac49164122cae1b27eb3c9d9d55
SHA51287bf4a2dc4dd5c833d96f3f5cb0b607796414ffee36d5c167a75644bcbb02ab5159aa4aa093ed43abe290481abc01944885c68b1755d9b2c4c583fcccd041fd2
-
Filesize
1024KB
MD5fd3d35b56e67455f537b1bfd52e3154e
SHA1876b9e22e00f7ef42d6e4117833a0fd753011ed5
SHA256a0f05d0321cac2581d514550bc2b06c25c48474046357095761eb6789550ed53
SHA5128b45fee5767ba8679bf1dd128a83dd6b834357a5e9b0cf7f5bb63f82ddaf8b4a21de22bea6e1dd4d45a0cff2dda9c1cf8d34326caf4f1f92747978a4100e2866
-
Filesize
68KB
MD5b6152fd05e7492f02c7d69bbb97217ae
SHA10441519e0bae1d0356233664d98d8cbc59dcbcb4
SHA256cf3fabefffc7b733cc43c890c1f334b8318ca11c513dc6e19c79e316fd914479
SHA5124262ce9cb9e2b8e6cbe989ff685167b4e73b58739d7ff9130838f6440a09f8d8f89ea28f40049f3b726fb1f2dd775e0ae4c3f57732ba34443fc7b2d973a51a34
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
114B
MD5e89f75f918dbdcee28604d4e09dd71d7
SHA1f9d9055e9878723a12063b47d4a1a5f58c3eb1e9
SHA2566dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023
SHA5128df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0
-
Filesize
1KB
MD52c9df336b981246269115c8a4dba356d
SHA1e4682fc0fc37e956710e0adf155623ce982e870d
SHA2562e05949aa3e454b1a78c11f3f96762d0cfef69a988cc60bad30b68daebdbb16f
SHA512b08c5feb93e7dc131502e77b67683c4fcf3cc098c25b8071e1aeb25d1eeb76e1d2099ffbfbd14924faf3c4681f034da95c3d3d69456e4b783d72357a56e7b129
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB