Analysis
- max time kernel: 120s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/11/2024, 19:05
Static task: static1
Behavioral task: behavioral1
- Sample: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
- Resource: win7-20240903-en
General
- Target: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
- Size: 442KB
- MD5: 48a52bf6785639698f907abd05e40f84
- SHA1: 6de2644a5742e53fe497be30388e952455833713
- SHA256: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490
- SHA512: 6605fddd77733550bbdbf5772b3718444717c420281ebcb3a3f1fb9155c3ae5aa6cea9c87381a0866fb59098a08397f6c02ac0f11a879265d331e4948d843574
- SSDEEP: 12288:gO3nzR81/CPPYYg8btjp5lQ6GGb2I+ON3BVHLIcgwazbXkZ:5zO1/mYYg85N5lB2PEzOU
Malware Config
Signatures
- Imminent family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (process: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe)
- Executes dropped EXE (2 IoCs)
  pid 2080: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
  pid 1224: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
- Drops desktop.ini file(s) (2 IoCs)
  File created: C:\Windows\assembly\Desktop.ini (process: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (process: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 2208 set thread context of 3584 (process: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe, procid_target 82)
  PID 2080 set thread context of 1224 (process: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe, procid_target 88)
- Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\assembly (process: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe)
  File created: C:\Windows\assembly\Desktop.ini (process: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (process: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: PING.EXE)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe, 4 occurrences)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid 32: cmd.exe
  pid 4288: PING.EXE
- Runs ping.exe (1 TTPs, 1 IoC)
  pid 4288: PING.EXE
- Suspicious behavior: EnumeratesProcesses (50 IoCs)
  pid 3584: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe (repeated entries)
  pid 1224: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe (repeated entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1224: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege, pid 2208, 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
  Token: SeDebugPrivilege, pid 3584, 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
  Token: SeDebugPrivilege, pid 2080, 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
  Token: SeDebugPrivilege, pid 1224, 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
  Token: 33, pid 1224, 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
  Token: SeIncBasePriorityPrivilege, pid 1224, 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1224: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  PID 2208 wrote to memory of 3584 (process: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe, procid_target 82), 8 occurrences
  PID 3584 wrote to memory of 2080 (process: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe, procid_target 84), 3 occurrences
  PID 3584 wrote to memory of 32 (process: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe, procid_target 85), 3 occurrences
  PID 32 wrote to memory of 4288 (process: cmd.exe, procid_target 87), 3 occurrences
  PID 2080 wrote to memory of 1224 (process: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe, procid_target 88), 8 occurrences
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe"
  PID: 2208
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe"
    PID: 3584
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe"
      PID: 2080
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe"
        PID: 1224
        - Executes dropped EXE
        - Drops desktop.ini file(s)
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe"
      PID: 32
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 1.1.1.1 -n 1 -w 1000
        PID: 4288
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
- [1] C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 5048
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe.log
  Filesize: 400B
  MD5: 0a9b4592cd49c3c21f6767c2dabda92f
  SHA1: f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
  SHA256: c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
  SHA512: 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307
- C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
  Filesize: 442KB
  MD5: 48a52bf6785639698f907abd05e40f84
  SHA1: 6de2644a5742e53fe497be30388e952455833713
  SHA256: 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490
  SHA512: 6605fddd77733550bbdbf5772b3718444717c420281ebcb3a3f1fb9155c3ae5aa6cea9c87381a0866fb59098a08397f6c02ac0f11a879265d331e4948d843574