Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/11/2024, 20:11
Static task: static1
Behavioral task: behavioral1
- Sample: 4363463463464363463463463.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 4363463463464363463463463.exe
- Resource: win10v2004-20241007-en
General
- Target: 4363463463464363463463463.exe
- Size: 10KB
- MD5: 2a94f3960c58c6e70826495f76d00b85
- SHA1: e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256: 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512: fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP: 192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Signatures
- Downloads MZ/PE file
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  PID 4356 netsh.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (run.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (444.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (4363463463464363463463463.exe)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a87b5397a2736773782f50e108b2da4.exe (conhost.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a87b5397a2736773782f50e108b2da4.exe (conhost.exe)
- Executes dropped EXE (3 IoCs)
  PID 4692 444.exe
  PID 4756 run.exe
  PID 3644 conhost.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  PID 1952 icacls.exe
  PID 1584 icacls.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4a87b5397a2736773782f50e108b2da4 = "\"C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe\" .." (conhost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4a87b5397a2736773782f50e108b2da4 = "\"C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe\" .." (conhost.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 23: raw.githubusercontent.com
  flow 24: raw.githubusercontent.com
- Drops autorun.inf file (1 TTP, 5 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  File opened for modification: F:\autorun.inf (conhost.exe)
  File created: C:\autorun.inf (conhost.exe)
  File opened for modification: C:\autorun.inf (conhost.exe)
  File created: D:\autorun.inf (conhost.exe)
  File created: F:\autorun.inf (conhost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
  Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
  Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (4363463463464363463463463.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (444.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (run.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (conhost.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (netsh.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3644 conhost.exe (64 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3644 conhost.exe
- Suspicious use of AdjustPrivilegeToken (30 IoCs)
  Token: SeDebugPrivilege, PID 4076 (4363463463464363463463463.exe)
  Token: SeDebugPrivilege, PID 3644 (conhost.exe)
  Token: 33, PID 3644 (conhost.exe), alternating with Token: SeIncBasePriorityPrivilege, PID 3644 (conhost.exe), 14 times each
- Suspicious use of WriteProcessMemory (38 IoCs)
  PID 4076 (4363463463464363463463463.exe) wrote to memory of 4692, procid_target 98 (3 entries)
  PID 4076 (4363463463464363463463463.exe) wrote to memory of 4756, procid_target 99 (3 entries)
  PID 4756 (run.exe) wrote to memory of 3452, procid_target 100 (2 entries)
  PID 3452 (cmd.exe) wrote to memory of 1952, procid_target 104 (2 entries)
  PID 3452 (cmd.exe) wrote to memory of 1584, procid_target 105 (2 entries)
  PID 3452 (cmd.exe) wrote to memory of 2416, procid_target 106 (2 entries)
  PID 3452 (cmd.exe) wrote to memory of 5008, procid_target 107 (2 entries)
  PID 3452 (cmd.exe) wrote to memory of 3508, procid_target 108 (2 entries)
  PID 3452 (cmd.exe) wrote to memory of 2252, procid_target 109 (2 entries)
  PID 3452 (cmd.exe) wrote to memory of 2896, procid_target 110 (2 entries)
  PID 3452 (cmd.exe) wrote to memory of 2168, procid_target 111 (2 entries)
  PID 3452 (cmd.exe) wrote to memory of 3180, procid_target 112 (2 entries)
  PID 3452 (cmd.exe) wrote to memory of 4148, procid_target 113 (2 entries)
  PID 3452 (cmd.exe) wrote to memory of 640, procid_target 114 (2 entries)
  PID 3452 (cmd.exe) wrote to memory of 4948, procid_target 115 (2 entries)
  PID 4692 (444.exe) wrote to memory of 3644, procid_target 118 (3 entries)
  PID 3644 (conhost.exe) wrote to memory of 4356, procid_target 119 (3 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 5008 attrib.exe
  PID 3508 attrib.exe
Processes (indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  PID: 4076
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Files\444.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Files\444.exe"
    PID: 4692
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\conhost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\conhost.exe"
      PID: 3644
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops autorun.inf file
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\conhost.exe" "conhost.exe" ENABLE
        PID: 4356
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\Files\run.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Files\run.exe"
    PID: 4756
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\27C.tmp\27D.tmp\27E.bat C:\Users\Admin\AppData\Local\Temp\Files\run.exe"
      PID: 3452
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\icacls.exe
        Command line: icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrator:(OI)(CI)F /t /c
        PID: 1952
        - Modifies file permissions
      - C:\Windows\system32\icacls.exe
        Command line: icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrators:(OI)(CI)F /t /c
        PID: 1584
        - Modifies file permissions
      - C:\Windows\system32\chcp.com
        Command line: chcp 65001
        PID: 2416
      - C:\Windows\system32\attrib.exe
        Command line: attrib -h "C:\Users\Administrator\Desktop\Google Chrome.exe"
        PID: 5008
        - Views/modifies file attributes
      - C:\Windows\system32\attrib.exe
        Command line: attrib -h "C:\Users\Administrator\Desktop\Coc Coc.exe"
        PID: 3508
        - Views/modifies file attributes
      - C:\Windows\system32\chcp.com
        Command line: chcp 65001
        PID: 2252
      - C:\Windows\system32\schtasks.exe
        Command line: SchTasks /Delete /TN "\Microsoft\Windows\Task Manager\Interactive" /F
        PID: 2896
      - C:\Windows\system32\schtasks.exe
        Command line: SchTasks /Delete /TN "\Microsoft\Windows\USB\Usb-Notifications" /F
        PID: 2168
      - C:\Windows\system32\schtasks.exe
        Command line: SchTasks /Delete /TN "\Microsoft\Windows\Feedback\Siuf\DmClient" /F
        PID: 3180
      - C:\Windows\system32\schtasks.exe
        Command line: SchTasks /Delete /TN "Fix Getting Devices" /F
        PID: 4148
      - C:\Windows\system32\schtasks.exe
        Command line: SchTasks /Delete /TN "Windows Optimize" /F
        PID: 640
      - C:\Windows\system32\schtasks.exe
        Command line: SchTasks /Delete /TN "ChangeWallpaper" /F
        PID: 4948
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
- Filesize: 1KB
  MD5: badacd09f87be0512dc647adc35d85eb
  SHA1: a8313f919df88c40ad5750e18ac7006ac8bc9da6
  SHA256: 77ed2cbe0b5588bcdc370b9c2f2d99b3191e54cd87e8a132e3d01aebb11fa5db
  SHA512: fb3c8f1130459304d9bc59d373203c65c7c5318cb3e2986d5ccb31f8f49118242a89ae8eaa6295bb3ef986c147f57826b298328aa62bc482db55f5fb7ed66986
- Filesize: 37KB
  MD5: fb0bdd758f8a9f405e6af2358da06ae1
  SHA1: 6c283ab5e49e6fe3a93a996f850a5639fc49e3f5
  SHA256: 9da4778fce03b654f62009b3d88958213f139b2f35fe1bed438100fae35bdfbf
  SHA512: 71d3bd1c621a93bc54f1104285da5bf8e59bc26c3055cf708f61070c1a80ee705c33efd4a05acf3d3a90a9d9fca0357c66894dcb5045ab38b27834ff56c06253
- Filesize: 88KB
  MD5: 4c2bc1df6a253aeedb93fca6703c944c
  SHA1: f9b33cc3ead7af759cdd205f489ec29fde4c954d
  SHA256: daaa52e4529cd43d8293010ad6125dff9ccba7cacdeea7f6d0dc02572e682b5f
  SHA512: 145217ec581c2597dc066684f68f119f0a2579f7e9000d6cc1760c411e6a73ed7b957479ea53b56899fefb99ddca98bca91d1b8fc43cedefa49ed95a7c173944