Analysis
  max time kernel:   95s
  max time network:  96s
  platform:          windows10-2004_x64
  resource:          win10v2004-20241007-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         23/01/2025, 07:04
Behavioral tasks
  behavioral1   sample: 3876f2c2f76fbce3e169840009d749f36245f9c4cd014a57e97c8ab605069002.exe   resource: win7-20240729-en
  behavioral2   sample: 3876f2c2f76fbce3e169840009d749f36245f9c4cd014a57e97c8ab605069002.exe   resource: win10v2004-20241007-en

The platform and resource fields above (windows10-2004_x64, win10v2004-20241007-en) identify the signatures and process tree on this page as the output of behavioral2; the win7 task's results are not reproduced here.
General
  Target:  3876f2c2f76fbce3e169840009d749f36245f9c4cd014a57e97c8ab605069002.exe
  Size:    1.8MB
  MD5:     4819b2e132f7684036021bfb67924bf4
  SHA1:    ee7ce7aed0de8d89d48e63ad4ed4cee75fb77446
  SHA256:  3876f2c2f76fbce3e169840009d749f36245f9c4cd014a57e97c8ab605069002
  SHA512:  e429b884290728dea5c70420ac81962a5eda29337adecd86b1b506f2c3b92af8b7626f2259db265aab86691d52963fe1be7edf05232f3de7603de52b354ae9e3
  SSDEEP:  12288:Q99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSG9dA7W2FeDSIGVH/KIDgc:k1gg4CppEI6GGfWDkMQDbGV6eH8tkP
Malware Config
Signatures

Adds Run key to start application   (2 TTPs, 1 IoC)
  Set value (str)
    ioc:      \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"
    process:  3876f2c2f76fbce3e169840009d749f36245f9c4cd014a57e97c8ab605069002.exe
  The value name impersonates Microsoft OneDrive, while the binary it launches sits in a user-writable AppData folder named "Chrome" and reuses the file name of the Windows 7 Sticky Notes program (StikyNot.exe). None of those three belong together on a clean host, which makes the value a good hunting IoC independent of the file hash.

Suspicious use of SetThreadContext   (2 IoCs)
  process: 3876f2c2f76fbce3e169840009d749f36245f9c4cd014a57e97c8ab605069002.exe (PID 3164) in both rows
  description                           pid   procid_target
  PID 3164 set thread context of 1900   3164  99
  PID 3164 set thread context of 4056   3164  100
  (procid_target is the sandbox's own process index for the target, not a Windows PID; the Windows PIDs are 1900 and 4056)

Enumerates physical storage devices   (1 TTP)
  Attempts to interact with connected storage/optical drive(s). No IoC rows were recorded for this signature.

System Location Discovery: System Language Discovery   (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  description   ioc                                                           process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   3876f2c2f76fbce3e169840009d749f36245f9c4cd014a57e97c8ab605069002.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   3876f2c2f76fbce3e169840009d749f36245f9c4cd014a57e97c8ab605069002.exe
  (the process tree attributes one occurrence each to PID 3164 and PID 1900)

Suspicious use of SetWindowsHookEx   (2 IoCs)
  pid    process
  1900   3876f2c2f76fbce3e169840009d749f36245f9c4cd014a57e97c8ab605069002.exe
  1900   3876f2c2f76fbce3e169840009d749f36245f9c4cd014a57e97c8ab605069002.exe

Suspicious use of WriteProcessMemory   (13 IoCs)
  process: 3876f2c2f76fbce3e169840009d749f36245f9c4cd014a57e97c8ab605069002.exe (PID 3164) in every row
  description                        calls   pid    procid_target
  PID 3164 wrote to memory of 1900   8       3164   99
  PID 3164 wrote to memory of 4056   5       3164   100
Processes

C:\Users\Admin\AppData\Local\Temp\3876f2c2f76fbce3e169840009d749f36245f9c4cd014a57e97c8ab605069002.exe   PID 3164
  command line: "C:\Users\Admin\AppData\Local\Temp\3876f2c2f76fbce3e169840009d749f36245f9c4cd014a57e97c8ab605069002.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\3876f2c2f76fbce3e169840009d749f36245f9c4cd014a57e97c8ab605069002.exe   PID 1900 (child of 3164)
      command line: "C:\Users\Admin\AppData\Local\Temp\3876f2c2f76fbce3e169840009d749f36245f9c4cd014a57e97c8ab605069002.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\diskperf.exe   PID 4056 (child of 3164)
      command line: "C:\Windows\SysWOW64\diskperf.exe"

Reading the tree together with the signatures: PID 3164 spawns a second copy of itself and diskperf.exe, writes into both (8 and 5 WriteProcessMemory calls) and then resets a thread context in each. That is the sequence a process-hollowing or thread-hijacking loader uses to run a payload under another image, here including a legitimate 32-bit Windows binary from SysWOW64. The API trace does not show what was written, so the payload should be confirmed from memory dumps of PIDs 1900 and 4056 rather than inferred from the call sequence alone.
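The injection signatures and the Run-key IoC above are the raw material for a detection, and the following Python, added here as an example and not part of the Triage report, shows how to turn them into findings: it correlates WriteProcessMemory and SetThreadContext rows per (source, target) pair and scores the Run value for masquerading. The IoC rows and process map are constructed from this report's tables (a subset of the rows, to keep it short); the vendor-name and directory heuristics and the list of Windows binary names are my assumptions, not Triage's own logic.

```python
"""Correlate Triage behavioural IoCs into two higher-level findings:
masquerading Run-key persistence and a WriteProcessMemory + SetThreadContext
injection chain. Added example, not part of the Triage report; sample rows are
constructed from the report's tables and the heuristics are assumptions."""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\3876f2c2f76fbce3e169840009d749f3"
          r"6245f9c4cd014a57e97c8ab605069002.exe")

# Constructed from the report's process tree: Windows pid -> image path.
PROCESSES = {3164: SAMPLE, 1900: SAMPLE, 4056: r"C:\Windows\SysWOW64\diskperf.exe"}

# Constructed subset of the "description" column of the two injection signatures.
# Triage emits one row per API call, so duplicate rows are meaningful.
INJECTION_IOCS = """\
PID 3164 wrote to memory of 1900
PID 3164 wrote to memory of 1900
PID 3164 wrote to memory of 4056
PID 3164 set thread context of 1900
PID 3164 set thread context of 4056
PID 3164 wrote to memory of 4056
"""

_IOC_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)$")

# Assumed heuristics for the Run-key check (not Triage's own logic).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
VENDOR_WORDS = ("microsoft", "windows", "google", "adobe", "intel", "nvidia")
VENDOR_INSTALL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# StikyNot.exe is the Windows 7 Sticky Notes binary; the others are well-known system names.
WINDOWS_BINARY_NAMES = {"stikynot.exe", "svchost.exe", "explorer.exe", "diskperf.exe"}


def parse_injection_iocs(text):
    """Map (src_pid, dst_pid) -> {'write': n, 'setctx': n} from IoC rows."""
    pairs = defaultdict(lambda: {"write": 0, "setctx": 0})
    for line in text.splitlines():
        m = _IOC_RE.match(line.strip())
        if not m:
            continue  # rows from other signatures are ignored
        src, action, dst = int(m.group(1)), m.group(2), int(m.group(3))
        pairs[(src, dst)]["write" if action.startswith("wrote") else "setctx"] += 1
    return dict(pairs)


def flag_injection_chains(pairs, processes):
    """Report every (src, dst) that saw both a memory write and a thread-context
    reset: the sequence a hollowing/thread-hijacking loader performs on a child."""
    findings = []
    for (src, dst), c in sorted(pairs.items()):
        if c["write"] and c["setctx"]:
            target = processes.get(dst, "<unknown>")
            findings.append({
                "src": src, "dst": dst, "target": target, "writes": c["write"],
                # a hollowed copy of a real OS binary is the stealthier variant
                "system_binary_target": target.lower().startswith(
                    ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")),
            })
    return findings


def flag_run_key(value_name, command):
    """Return the reasons a Run value looks like masquerading persistence
    (an empty list means nothing suspicious by these heuristics)."""
    path = command.strip().strip('"').lower()
    basename = path.rsplit("\\", 1)[-1]
    reasons = []
    if any(tok in path for tok in USER_WRITABLE):
        reasons.append("binary lives in a user-writable directory")
    if any(w in value_name.lower() for w in VENDOR_WORDS) and not path.startswith(VENDOR_INSTALL_DIRS):
        reasons.append("vendor-style value name but binary outside vendor install paths")
    if basename in WINDOWS_BINARY_NAMES and not path.startswith("c:\\windows\\"):
        reasons.append(f"{basename} reuses a Windows binary name outside C:\\Windows")
    return reasons


if __name__ == "__main__":
    for f in flag_injection_chains(parse_injection_iocs(INJECTION_IOCS), PROCESSES):
        print(f"probable injection: {f['src']} -> {f['dst']} ({f['target']}), "
              f"{f['writes']} writes, system binary target: {f['system_binary_target']}")
    for reason in flag_run_key("Microsoft OneDrive",
                               r"C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe"):
        print("run key:", reason)
```

Run it as a script to print both findings for this report. The pairing logic is deliberately strict (write and context reset against the same target); a write alone is common in legitimate software, whereas the combination on a freshly spawned child is rarely benign. The Run-key heuristics are a starting point for a hunt query and will need tuning against your own software inventory.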