Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 124s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/01/2025, 15:34
Behavioral task: behavioral1
- Sample: private1.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: private1.exe
- Resource: win10v2004-20241007-en
Errors
General
- Target: private1.exe
- Size: 37KB
- MD5: cd4db83a43d07e5e947bec896f7fdf41
- SHA1: 8c788d7bb0139164e84556a84f365fd9743233ce
- SHA256: acd71e404bc78050b49f052230f570afdf1063420619663e8848187c3444ce2f
- SHA512: 66933df632a9a1eb16825bdb1d8d584cf94b1787b4dd96008256909aee75ab17e0ca6452d7a5253b8c8cc3491f79281bde481c9010672fc0240bf5bcab81ac6b
- SSDEEP: 384:6cx97uxgibbjpPu7w9qyMTytrXXWsBsIDzCrAF+rMRTyN/0L+EcoinblneHQM3eJ:lCNN9ZMTytrWKsIyrM+rMRa8NuDvt
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
- PID 4400: netsh.exe
Drops autorun.inf file (1 TTP, 5 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification: C:\autorun.inf (private1.exe)
- File created: D:\autorun.inf (private1.exe)
- File created: F:\autorun.inf (private1.exe)
- File opened for modification: F:\autorun.inf (private1.exe)
- File created: C:\autorun.inf (private1.exe)
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (private1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (taskkill.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (netsh.exe)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (taskmgr.exe)
Kills process with taskkill (1 IoC)
- PID 3212: taskkill.exe
Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings (taskmgr.exe)
Suspicious behavior: EnumeratesProcesses (43 IoCs)
- PID 1188: taskmgr.exe (25 entries)
- PID 3300: private1.exe (18 entries)
Suspicious use of AdjustPrivilegeToken (33 IoCs)
- Token: SeDebugPrivilege, PID 3300, private1.exe (1 entry)
- Token: SeDebugPrivilege, PID 3212, taskkill.exe (1 entry)
- Token: 33, PID 3300, private1.exe (14 entries)
- Token: SeIncBasePriorityPrivilege, PID 3300, private1.exe (14 entries)
- Token: SeDebugPrivilege, PID 1188, taskmgr.exe (1 entry)
- Token: SeSystemProfilePrivilege, PID 1188, taskmgr.exe (1 entry)
- Token: SeCreateGlobalPrivilege, PID 1188, taskmgr.exe (1 entry)
Suspicious use of FindShellTrayWindow (35 IoCs)
- PID 1188: taskmgr.exe (35 entries)
Suspicious use of SendNotifyMessage (35 IoCs)
- PID 1188: taskmgr.exe (35 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 3300 (private1.exe) wrote to memory of PID 4400, procid_target 82 (3 entries)
- PID 3300 (private1.exe) wrote to memory of PID 3212, procid_target 83 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\private1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\private1.exe"
  PID: 3300
  Signatures:
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\private1.exe" "private1.exe" ENABLE
    PID: 4400
    Signatures:
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /F /IM Exsample.exe
    PID: 3212
    Signatures:
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1188
  Signatures:
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4820
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)