Analysis
max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
23/01/2025, 19:29
Behavioral task
behavioral1
Sample
06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe
Resource
win7-20240729-en
General
Target
06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe
Size
803KB
MD5
4d70c4f7594371493e4372f4c5cc2c49
SHA1
019f726fc46d6ce1a73cd87a46e2d565bf8271eb
SHA256
06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f
SHA512
685661f913b2d348929de9981575d343bee7a0c9beb152df09f24fb44d8260b787815fa13039a08059daf2073f898f6f51459141589689dab45fe52851ab1934
SSDEEP
24576:bkGvM/P1U4bBTOKr26GU5OYsnXgxvrQrAnuIwE:b2/P1UOtOKC6GrYsgxTQTID
Malware Config
Signatures
Imminent family
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | refsutil.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | refsutil.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | refsutil.exe
Executes dropped EXE (3 IoCs)
pid | Process
3280 | refsutil.exe
4436 | refsutil.exe
1764 | refsutil.exe
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File created | C:\Windows\assembly\Desktop.ini | RegAsm.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | RegAsm.exe
AutoIT Executable (4 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1468-12-0x0000000000BE0000-0x0000000000D68000-memory.dmp | autoit_exe
behavioral2/memory/3280-32-0x0000000000BC0000-0x0000000000D48000-memory.dmp | autoit_exe
behavioral2/memory/4436-41-0x0000000000BC0000-0x0000000000D48000-memory.dmp | autoit_exe
behavioral2/memory/1764-50-0x0000000000BC0000-0x0000000000D48000-memory.dmp | autoit_exe
Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 1468 set thread context of 1992 | 1468 | 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe | 83
PID 3280 set thread context of 3012 | 3280 | refsutil.exe | 103
PID 4436 set thread context of 4824 | 4436 | refsutil.exe | 116
PID 1764 set thread context of 4636 | 1764 | refsutil.exe | 120
resource | yara_rule
behavioral2/memory/1468-0-0x0000000000BE0000-0x0000000000D68000-memory.dmp | upx
behavioral2/memory/1468-12-0x0000000000BE0000-0x0000000000D68000-memory.dmp | upx
behavioral2/files/0x0007000000023c9f-22.dat | upx
behavioral2/memory/3280-24-0x0000000000BC0000-0x0000000000D48000-memory.dmp | upx
behavioral2/memory/3280-32-0x0000000000BC0000-0x0000000000D48000-memory.dmp | upx
behavioral2/memory/4436-41-0x0000000000BC0000-0x0000000000D48000-memory.dmp | upx
behavioral2/memory/1764-50-0x0000000000BC0000-0x0000000000D48000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\assembly | RegAsm.exe
File created | C:\Windows\assembly\Desktop.ini | RegAsm.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | RegAsm.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | refsutil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | refsutil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | refsutil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3624 | schtasks.exe
5020 | schtasks.exe
4960 | schtasks.exe
4268 | schtasks.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1992 | RegAsm.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1992 | RegAsm.exe
Token: 33 | 1992 | RegAsm.exe
Token: SeIncBasePriorityPrivilege | 1992 | RegAsm.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1992 | RegAsm.exe
Suspicious use of WriteProcessMemory (32 IoCs)
description | pid | Process | procid_target
PID 1468 wrote to memory of 1992 | 1468 | 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe | 83
PID 1468 wrote to memory of 1992 | 1468 | 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe | 83
PID 1468 wrote to memory of 1992 | 1468 | 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe | 83
PID 1468 wrote to memory of 1992 | 1468 | 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe | 83
PID 1468 wrote to memory of 1992 | 1468 | 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe | 83
PID 1468 wrote to memory of 3624 | 1468 | 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe | 84
PID 1468 wrote to memory of 3624 | 1468 | 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe | 84
PID 1468 wrote to memory of 3624 | 1468 | 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe | 84
PID 3280 wrote to memory of 3012 | 3280 | refsutil.exe | 103
PID 3280 wrote to memory of 3012 | 3280 | refsutil.exe | 103
PID 3280 wrote to memory of 3012 | 3280 | refsutil.exe | 103
PID 3280 wrote to memory of 3012 | 3280 | refsutil.exe | 103
PID 3280 wrote to memory of 3012 | 3280 | refsutil.exe | 103
PID 3280 wrote to memory of 5020 | 3280 | refsutil.exe | 104
PID 3280 wrote to memory of 5020 | 3280 | refsutil.exe | 104
PID 3280 wrote to memory of 5020 | 3280 | refsutil.exe | 104
PID 4436 wrote to memory of 4824 | 4436 | refsutil.exe | 116
PID 4436 wrote to memory of 4824 | 4436 | refsutil.exe | 116
PID 4436 wrote to memory of 4824 | 4436 | refsutil.exe | 116
PID 4436 wrote to memory of 4824 | 4436 | refsutil.exe | 116
PID 4436 wrote to memory of 4824 | 4436 | refsutil.exe | 116
PID 4436 wrote to memory of 4960 | 4436 | refsutil.exe | 117
PID 4436 wrote to memory of 4960 | 4436 | refsutil.exe | 117
PID 4436 wrote to memory of 4960 | 4436 | refsutil.exe | 117
PID 1764 wrote to memory of 4636 | 1764 | refsutil.exe | 120
PID 1764 wrote to memory of 4636 | 1764 | refsutil.exe | 120
PID 1764 wrote to memory of 4636 | 1764 | refsutil.exe | 120
PID 1764 wrote to memory of 4636 | 1764 | refsutil.exe | 120
PID 1764 wrote to memory of 4636 | 1764 | refsutil.exe | 120
PID 1764 wrote to memory of 4268 | 1764 | refsutil.exe | 121
PID 1764 wrote to memory of 4268 | 1764 | refsutil.exe | 121
PID 1764 wrote to memory of 4268 | 1764 | refsutil.exe | 121
Processes
[1] C:\Users\Admin\AppData\Local\Temp\06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1468
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        - Drops desktop.ini file(s)
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 1992
    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
        PID: 3624
[1] C:\Windows\system32\wbem\WmiApSrv.exe
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe
    PID: 5024
[1] C:\Users\Admin\advpack\refsutil.exe
    Command line: C:\Users\Admin\advpack\refsutil.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3280
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        PID: 3012
    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
        PID: 5020
[1] C:\Users\Admin\advpack\refsutil.exe
    Command line: C:\Users\Admin\advpack\refsutil.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4436
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        PID: 4824
    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
        PID: 4960
[1] C:\Users\Admin\advpack\refsutil.exe
    Command line: C:\Users\Admin\advpack\refsutil.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1764
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        PID: 4636
    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
        PID: 4268
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
319B
MD5
c0ed926cd0e608944ad99322aaedb97a
SHA1
007e5bc9d8650a46f48f75045034702c24be39c5
SHA256
eb035294fbea39baa6e6c65cb7e06451987c51c5536586f23de5dc7f91096943
SHA512
83891a4984208720a224937101313759ffec75f5ebb2225c30555e5a28c7cc753162d802b176694ecc7404e2723f75d86d313adb835d4ec826ac13ff24cce42a

Filesize
803KB
MD5
d9fa547570dda4beb3a7aae54d2eea06
SHA1
099164d4ce81b31fe371c43334ddc242bb4fea20
SHA256
34291f762c3189a662d5c4124f68e7b0487d120529000ee14aec1f565d93699d
SHA512
93a7d954495efc2081c093d30c89afab242c67ecc8ce2f822102ef7013f0158a076032f48d23882bf63e4502b40937b0f331a0634143efa38caa2cf06af2441d