Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/01/2025, 05:29

Static task: static1
Behavioral task: behavioral1
- Sample: e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe
- Resource: win7-20240729-en
General
- Target: e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe
- Size: 284KB
- MD5: 35b803718620e93d26e57596887ccfd4
- SHA1: 61e4a8cb8cc84acd6a846236964c2dc97065d346
- SHA256: e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28
- SHA512: 9bfa9aff504396b08415a0361f34e985c9dde2e109d8a3d5dec71a83bf25b832781572ccc6164c23d602807fc108b2f53e41874578a5d4afb88b2c81f73bfe12
- SSDEEP: 3072:mSQ0EWVwZhKxC5Rt+k60Zh+qw6PYSsszfHZTZJ2lCi:mPA6wxmuJspr2l3
Malware Config
Signatures
Andromeda family

Detects Andromeda payload. 2 IoCs
- resource: behavioral2/memory/2668-61-0x0000000001280000-0x0000000001285000-memory.dmp, yara_rule: family_andromeda
- resource: behavioral2/memory/2668-65-0x0000000001280000-0x0000000001285000-memory.dmp, yara_rule: family_andromeda
Adds policy Run key to start application 2 TTPs 2 IoCs
- description: Key created, ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, Process: svchost.exe
- description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\37538 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msbfzl.exe", Process: svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation, Process: e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe
Executes dropped EXE 3 IoCs
- pid: 2432, Process: skyrpe.exe
- pid: 3180, Process: skyrpe.exe
- pid: 3308, Process: skyrpe.exe
Adds Run key to start application 2 TTPs 1 IoCs
- description: Set value (str), ioc: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Roaming\\skype\\skyrpe.exe", Process: reg.exe
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum, Process: skyrpe.exe
- description: Key value queried, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0, Process: skyrpe.exe
Suspicious use of SetThreadContext 3 IoCs
- description: PID 1576 set thread context of 4424, pid: 1576, Process: e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe, procid_target: 90
- description: PID 2432 set thread context of 3180, pid: 2432, Process: skyrpe.exe, procid_target: 97
- description: PID 2432 set thread context of 3308, pid: 2432, Process: skyrpe.exe, procid_target: 98
yara_rule upx matches:
- resource: behavioral2/memory/4424-7-0x0000000000400000-0x000000000040B000-memory.dmp, yara_rule: upx
- resource: behavioral2/memory/4424-9-0x0000000000400000-0x000000000040B000-memory.dmp, yara_rule: upx
- resource: behavioral2/memory/4424-11-0x0000000000400000-0x000000000040B000-memory.dmp, yara_rule: upx
- resource: behavioral2/memory/4424-39-0x0000000000400000-0x000000000040B000-memory.dmp, yara_rule: upx
- resource: behavioral2/memory/4424-57-0x0000000000400000-0x000000000040B000-memory.dmp, yara_rule: upx
- resource: behavioral2/memory/3180-67-0x0000000000400000-0x000000000040B000-memory.dmp, yara_rule: upx
Drops file in Program Files directory 1 IoCs
- description: File created, ioc: C:\PROGRA~3\LOCALS~1\Temp\msbfzl.exe, Process: svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: cmd.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: reg.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: skyrpe.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: skyrpe.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: skyrpe.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: svchost.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
- pid: 3308, Process: skyrpe.exe
- pid: 3308, Process: skyrpe.exe
Suspicious behavior: MapViewOfSection 1 IoCs
- pid: 3308, Process: skyrpe.exe
Suspicious use of AdjustPrivilegeToken 57 IoCs
- description: Token: SeDebugPrivilege, pid: 3180, Process: skyrpe.exe (57 identical entries)
Suspicious use of SetWindowsHookEx 4 IoCs
- pid: 1576, Process: e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe
- pid: 4424, Process: e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe
- pid: 2432, Process: skyrpe.exe
- pid: 3180, Process: skyrpe.exe
Suspicious use of WriteProcessMemory 34 IoCs
(identical entries grouped; the count per row is the number of times that entry appears)
- description: PID 1576 wrote to memory of 4424, pid: 1576, Process: e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe, procid_target: 90 (8 entries)
- description: PID 4424 wrote to memory of 4548, pid: 4424, Process: e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe, procid_target: 91 (3 entries)
- description: PID 4548 wrote to memory of 2964, pid: 4548, Process: cmd.exe, procid_target: 94 (3 entries)
- description: PID 4424 wrote to memory of 2432, pid: 4424, Process: e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe, procid_target: 95 (3 entries)
- description: PID 2432 wrote to memory of 3180, pid: 2432, Process: skyrpe.exe, procid_target: 97 (8 entries)
- description: PID 2432 wrote to memory of 3308, pid: 2432, Process: skyrpe.exe, procid_target: 98 (6 entries)
- description: PID 3308 wrote to memory of 2668, pid: 3308, Process: skyrpe.exe, procid_target: 99 (3 entries)
Processes
(process tree; indentation shows parent/child relationship, signatures listed under each process)

C:\Users\Admin\AppData\Local\Temp\e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe (PID 1576)
Command line: "C:\Users\Admin\AppData\Local\Temp\e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe (PID 4424)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 4548)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIITQ.bat" "
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe (PID 2964)
            Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe" /f
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe (PID 2432)
        Command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe (PID 3180)
            Command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

            C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe (PID 3308)
            Command line: "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
            - Executes dropped EXE
            - Maps connected drives based on registry
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\svchost.exe (PID 2668)
                Command line: C:\Windows\syswow64\svchost.exe
                - Adds policy Run key to start application
                - Drops file in Program Files directory
                - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 139B
  MD5: 0654f004b2e314bad7f75867e91da37d
  SHA1: 4232c22e7340b12108d86e3cb35ed288a3dbc7f1
  SHA256: ead325a060300a9606a3f0f14694be39a3e4006a60c6c3eb0bea5d6f98192249
  SHA512: dda135cdfca90a742d42b4c7a5e7f5df6580ec428302a8f0c311f5b92eb08dda75774e0c7497110faffbe2dfa02b30d2dfe35ec2848a275f53be8d930c7aa553
- Filesize: 284KB
  MD5: 50b2ebdc16f603916f035426269d3936
  SHA1: 24a317add9da5380bd41fd4e81ab2242fefb7640
  SHA256: b50af5ce654ed4a4a1c23987f57e7d4fbebc1ca9c769a03246da9bd0a8438b3a
  SHA512: 0402b2b589545ff110825862ada82d45fff28b6c1e780a8af0ab7477f38aed31fad0ffb1d9028c53ac243262f1f467773c65d9acf844ca87f8dc3bb455ca88ec