Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/01/2025, 16:53
Static task: static1
Behavioral task: behavioral1
Sample: 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
Resource: win7-20240903-en
General
Target: 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
Size: 263KB
MD5: 582fb65add01ce95d827b96006a3ff42
SHA1: d8931a791f8ef3d4015aec2bffa47808e28877b5
SHA256: 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01
SHA512: 6e2194abfba98c6723040b9d4e801a8d4e75cc8449d408638fa80edfa11865cad9d01b768c21919ed863f3e7f97d258930ccbbf6acbc0e65c730ead79f5c7141
SSDEEP: 6144:iz+92mhAMJ/cPl3i+eLba0WZj+ufaZef6IMLWKH1cLb1UyOr0Sg3:iK2mhAMJ/cPlQIFXfaZefAyb1FOB2
Malware Config
Signatures
-
Detects PlugX payload 22 IoCs
yara_rule family_plugx matched in memory dumps (resource behavioral2/memory/<pid>-<n>-<range>-memory.dmp), grouped by process and region:
pid  | region                                  | dumps matched
1888 | 0x00000000005D0000-0x0000000000600000 | 3
3016 | 0x00000000006F0000-0x0000000000720000 | 3
4696 | 0x0000000000D00000-0x0000000000D30000 | 3
3744 | 0x00000000009D0000-0x0000000000A00000 | 10
4820 | 0x0000000001030000-0x0000000001060000 | 3
Plugx family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description       | ioc                                                                                                       | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
Deletes itself 1 IoCs
pid  | Process
1888 | Nv.exe
-
Executes dropped EXE 3 IoCs
pid  | Process
1888 | Nv.exe
3016 | Nv.exe
4696 | Nv.exe
-
Loads dropped DLL 3 IoCs
pid  | Process
1888 | Nv.exe
3016 | Nv.exe
4696 | Nv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc                                                        | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nv.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nv.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nv.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Modifies data under HKEY_USERS 17 IoCs
description     | ioc                                                                                                            | Process
Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion                                              | svchost.exe
Key created     | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform   | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  | svchost.exe
Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows                                                             | svchost.exe
Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft                                                                     | svchost.exe
Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings                            | svchost.exe
Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | svchost.exe
Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform   | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"   | svchost.exe
Key created     | \REGISTRY\USER\.DEFAULT\SOFTWARE                                                                               | svchost.exe
Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0                        | svchost.exe
Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                   | svchost.exe
Key created     | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | svchost.exe
Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent                 | svchost.exe
Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent             | svchost.exe
Modifies registry class 2 IoCs
description      | ioc                                                                                                | Process
Key created      | \REGISTRY\MACHINE\Software\CLASSES\FAST                                                            | svchost.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45004500330032004400390035004300380038004500350035004200430035000000 | svchost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  | Process     | entries
1888 | Nv.exe      | 2
3744 | svchost.exe | 12
4820 | msiexec.exe | 50
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid  | Process
3744 | svchost.exe
4820 | msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
description             | pid  | Process
Token: SeDebugPrivilege | 1888 | Nv.exe
Token: SeTcbPrivilege   | 1888 | Nv.exe
Token: SeDebugPrivilege | 3016 | Nv.exe
Token: SeTcbPrivilege   | 3016 | Nv.exe
Token: SeDebugPrivilege | 4696 | Nv.exe
Token: SeTcbPrivilege   | 4696 | Nv.exe
Token: SeDebugPrivilege | 3744 | svchost.exe
Token: SeTcbPrivilege   | 3744 | svchost.exe
Token: SeDebugPrivilege | 4820 | msiexec.exe
Token: SeTcbPrivilege   | 4820 | msiexec.exe
Suspicious use of WriteProcessMemory 19 IoCs
Identical entries are grouped; the entries column gives how many times each was recorded.
description                      | pid  | Process                                                              | procid_target | entries
PID 4240 wrote to memory of 1888 | 4240 | 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe | 83            | 3
PID 4696 wrote to memory of 3744 | 4696 | Nv.exe                                                               | 88            | 8
PID 3744 wrote to memory of 4820 | 3744 | svchost.exe                                                          | 95            | 8
Processes
Indentation shows the parent/child relationship; each entry gives the image path, the command line as executed, the PID and the signatures triggered by that process.

C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe (PID 4240)
  command line: "C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe (PID 1888)
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
      - Deletes itself
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\SxS\Nv.exe (PID 3016)
  command line: "C:\ProgramData\SxS\Nv.exe" 100 1888
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\SxS\Nv.exe (PID 4696)
  command line: "C:\ProgramData\SxS\Nv.exe" 200 0
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe (PID 3744)
      command line: C:\Windows\system32\svchost.exe 201 0
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\msiexec.exe (PID 4820)
          command line: C:\Windows\system32\msiexec.exe 209 3744
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads