Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
17/01/2025, 18:43
250117-xdcadazngk 10Analysis
-
max time kernel
80s -
max time network
101s -
platform
windows11-21h2_x64 -
resource
win11-20241023-en -
resource tags
arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system -
submitted
17/01/2025, 18:43
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
Setup.exe
Resource
win10ltsc2021-20250113-en
Behavioral task
behavioral3
Sample
Setup.exe
Resource
win11-20241023-en
General
-
Target
Setup.exe
-
Size
664.7MB
-
MD5
94453b781953e0e6490b2e006a26c4e1
-
SHA1
956ffc7e463d4f89d34f4fb2fffcebb236c9c923
-
SHA256
c6eaf88c01aafc69a1f61fa9eefd16e308a5f9cf3046e6c48a061025a1dae773
-
SHA512
c82a905a4c846d5f6d490eb909d4204a0988f4155fa23e982e31b40a898e94a4d3859d4de2753c6535c56b300727d8b90d05b4e466361d636b1e4d52347d9e04
-
SSDEEP
98304:xMD2B5Pnm2GSxIzkPJQfRG8M1QEOyFmMQbm:xMaBBfGdG4yJQb
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Modifies registry class 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" BackgroundTransferHost.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache BackgroundTransferHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix BackgroundTransferHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" BackgroundTransferHost.exe -
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process 4924 Setup.exe 4924 Setup.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 1904 taskmgr.exe Token: SeSystemProfilePrivilege 1904 taskmgr.exe Token: SeCreateGlobalPrivilege 1904 taskmgr.exe Token: 33 1904 taskmgr.exe Token: SeIncBasePriorityPrivilege 1904 taskmgr.exe -
Suspicious use of FindShellTrayWindow 46 IoCs
pid Process 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe -
Suspicious use of SendNotifyMessage 46 IoCs
pid Process 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4924
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
PID:4276
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1904
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\78ceb5a6-f16c-4651-ad1d-c6011e8ef7b6.down_data
Filesize555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3