Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/01/2025, 19:33
Behavioral task: behavioral1
- Sample: 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe
- Resource: win7-20240903-en
General
- Target: 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe
- Size: 803KB
- MD5: 4d70c4f7594371493e4372f4c5cc2c49
- SHA1: 019f726fc46d6ce1a73cd87a46e2d565bf8271eb
- SHA256: 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f
- SHA512: 685661f913b2d348929de9981575d343bee7a0c9beb152df09f24fb44d8260b787815fa13039a08059daf2073f898f6f51459141589689dab45fe52851ab1934
- SSDEEP: 24576:bkGvM/P1U4bBTOKr26GU5OYsnXgxvrQrAnuIwE:b2/P1UOtOKC6GrYsgxTQTID
Malware Config
Signatures

Imminent family

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
- 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe: Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation
- refsutil.exe: Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation
- refsutil.exe: Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (2 IoCs)
- PID 2256: refsutil.exe
- PID 2592: refsutil.exe

Drops desktop.ini file(s) (2 IoCs)
- RegAsm.exe: File created C:\Windows\assembly\Desktop.ini
- RegAsm.exe: File opened for modification C:\Windows\assembly\Desktop.ini

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral2/memory/3672-12-0x0000000000FE0000-0x0000000001168000-memory.dmp: yara rule autoit_exe
- behavioral2/memory/2256-32-0x00000000008A0000-0x0000000000A28000-memory.dmp: yara rule autoit_exe
- behavioral2/memory/2592-41-0x00000000008A0000-0x0000000000A28000-memory.dmp: yara rule autoit_exe

Suspicious use of SetThreadContext (3 IoCs)
- PID 3672 set thread context of 3872 (process: 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe, procid_target: 83)
- PID 2256 set thread context of 2044 (process: refsutil.exe, procid_target: 113)
- PID 2592 set thread context of 3596 (process: refsutil.exe, procid_target: 117)

YARA rule upx:
- behavioral2/memory/3672-0-0x0000000000FE0000-0x0000000001168000-memory.dmp: yara rule upx
- behavioral2/memory/3672-12-0x0000000000FE0000-0x0000000001168000-memory.dmp: yara rule upx
- behavioral2/files/0x0008000000023c8e-23.dat: yara rule upx
- behavioral2/memory/2256-24-0x00000000008A0000-0x0000000000A28000-memory.dmp: yara rule upx
- behavioral2/memory/2256-32-0x00000000008A0000-0x0000000000A28000-memory.dmp: yara rule upx
- behavioral2/memory/2592-41-0x00000000008A0000-0x0000000000A28000-memory.dmp: yara rule upx

Drops file in Windows directory (3 IoCs)
- RegAsm.exe: File opened for modification C:\Windows\assembly
- RegAsm.exe: File created C:\Windows\assembly\Desktop.ini
- RegAsm.exe: File opened for modification C:\Windows\assembly\Desktop.ini

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- RegAsm.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- schtasks.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- refsutil.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- RegAsm.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- schtasks.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- refsutil.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- RegAsm.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- schtasks.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 4996: schtasks.exe
- PID 3096: schtasks.exe
- PID 1304: schtasks.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 3872: RegAsm.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege (PID 3872, RegAsm.exe)
- Token: 33 (PID 3872, RegAsm.exe)
- Token: SeIncBasePriorityPrivilege (PID 3872, RegAsm.exe)

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 3872: RegAsm.exe

Suspicious use of WriteProcessMemory (24 IoCs)
- PID 3672 wrote to memory of 3872 (process: 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe, procid_target: 83), 5 events
- PID 3672 wrote to memory of 4996 (process: 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe, procid_target: 84), 3 events
- PID 2256 wrote to memory of 2044 (process: refsutil.exe, procid_target: 113), 5 events
- PID 2256 wrote to memory of 3096 (process: refsutil.exe, procid_target: 114), 3 events
- PID 2592 wrote to memory of 3596 (process: refsutil.exe, procid_target: 117), 5 events
- PID 2592 wrote to memory of 1304 (process: refsutil.exe, procid_target: 118), 3 events
Processes

- C:\Users\Admin\AppData\Local\Temp\06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe (PID 3672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe"
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 3872)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    Signatures: Drops desktop.ini file(s); Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\schtasks.exe (PID 4996)
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
    Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task

- C:\Windows\system32\wbem\WmiApSrv.exe (PID 4960)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe

- C:\Users\Admin\advpack\refsutil.exe (PID 2256)
  Command line: C:\Users\Admin\advpack\refsutil.exe
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 2044)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\schtasks.exe (PID 3096)
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
    Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task

- C:\Users\Admin\advpack\refsutil.exe (PID 2592)
  Command line: C:\Users\Admin\advpack\refsutil.exe
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 3596)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\schtasks.exe (PID 1304)
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
    Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 319B
  MD5: c0ed926cd0e608944ad99322aaedb97a
  SHA1: 007e5bc9d8650a46f48f75045034702c24be39c5
  SHA256: eb035294fbea39baa6e6c65cb7e06451987c51c5536586f23de5dc7f91096943
  SHA512: 83891a4984208720a224937101313759ffec75f5ebb2225c30555e5a28c7cc753162d802b176694ecc7404e2723f75d86d313adb835d4ec826ac13ff24cce42a
- Filesize: 803KB
  MD5: 0e63bd85c26c454cd5b7a7fe8782cab6
  SHA1: d9ce85bf4668c05586af1d026516d8f4b623c865
  SHA256: 231b1dc5be792b76526d9eabf19f48ceafeb79459e4a4523dd882898e065a251
  SHA512: c0643beaee00fde20e62dc33fad7675a934663cd96e6150285fd9fddb0697410b483c5a7c223208f06a5272f9356ff543f861efba34cb613e13c99f1da7fdff0