Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22/11/2024, 13:14
Static task
static1
Behavioral task
behavioral1
Sample
e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe
Resource
win10v2004-20241007-en
General
-
Target
e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe
-
Size
338KB
-
MD5
6b774827e14741d6bfdfdc2959473210
-
SHA1
8c33fc56e3412d31908c09c689deeba489bd80a0
-
SHA256
e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529
-
SHA512
09720e99acae8c4c9918df9d7394417f1e43ee076d33e3974b3c0c330fa336341aad710ddc27f89525c2b73fced8ffc91cc5013889c5c4207ddaaf7b99197d33
-
SSDEEP
6144:uExz45lS77IQi8Dq+9fXphN2LfjEcYzaWqr57Q7Xwxc4SQjWvvf:8lS71Dq+pcYWWqtfxvSQj2f
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 464 svchost.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d42b8c24 = "C:\\Windows\\apppatch\\svchost.exe" e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d42b8c24 = "C:\\Windows\\apppatch\\svchost.exe" svchost.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\apppatch\svchost.exe e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe File opened for modification C:\Windows\apppatch\svchost.exe e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 464 svchost.exe 464 svchost.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 4264 e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4264 wrote to memory of 464 4264 e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe 82 PID 4264 wrote to memory of 464 4264 e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe 82 PID 4264 wrote to memory of 464 4264 e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe"C:\Users\Admin\AppData\Local\Temp\e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe"1⤵
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\apppatch\svchost.exe"C:\Windows\apppatch\svchost.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:464
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
338KB
MD509b5a75024898669e909c0f4da4615e0
SHA153ae8b2973702970ccfe7e0f23380ee8a5055a67
SHA256b9d321032fda8ae2098939a9c103e9ceab9dbd60f44dde08bcb716875cd1cab5
SHA512cbbd7889dc3f8e6841321ee6265c4421cd8df449388422ab01cb2df0db0aeaae5a3168c7345a2f625b13fe6a69732f6fbf2f5a72118a1e72f4c92834f5ce8524