Resubmissions
- 07/02/2025, 22:09  250207-12y1ts1qem  score 10
- 17/01/2025, 14:58  250117-scb6rstjhj  score 10
- 04/01/2025, 01:09  250104-bhsx2avqhp  score 10
Analysis
- max time kernel: 92s
- max time network: 96s
- platform: windows11-21h2_x64
- resource: win11-20250207-en
- resource tags: arch:x64, arch:x86, image:win11-20250207-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 07/02/2025, 22:09
Static task
- static1
Behavioral task
- behavioral1
  Sample: 32de704ba040689746da0da9c8117b0529c5ebec617be63b401ade9c17d9fa07
  Resource: win10v2004-20250207-en
Behavioral task
- behavioral2
  Sample: 32de704ba040689746da0da9c8117b0529c5ebec617be63b401ade9c17d9fa07
  Resource: win11-20250207-en
General
- Target: 32de704ba040689746da0da9c8117b0529c5ebec617be63b401ade9c17d9fa07
- Size: 19.7MB
- MD5: ce82eb90ba675fafe474625727787b07
- SHA1: 2417c11c54c5cfc9cab83e24613bd2934bfc0142
- SHA256: 32de704ba040689746da0da9c8117b0529c5ebec617be63b401ade9c17d9fa07
- SHA512: e600f011872ca9b45dff2fcc14400b099a23c5e490060ab5a95715ce56d0c03dcda3fe41458e0c77dd8838f360ea1f1811d089309aabd173a4c55bbbf3619af0
- SSDEEP: 196608:oBVcSNYEv4IGO3ogwCPfAtUD0WhxBCdMNSJ1tfSjYHSww:qt
Malware Config
Signatures
- Drops file in Windows directory (4 IoCs)
  - File opened for modification: C:\Windows\Panther\UnattendGC\setupact.log (UserOOBEBroker.exe)
  - File opened for modification: C:\Windows\Panther\UnattendGC\setuperr.log (UserOOBEBroker.exe)
  - File opened for modification: C:\Windows\Panther\UnattendGC\diagerr.xml (UserOOBEBroker.exe)
  - File opened for modification: C:\Windows\Panther\UnattendGC\diagwrn.xml (UserOOBEBroker.exe)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (FileCoAuth.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MicrosoftEdgeUpdate.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Modifies registry class (5 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-3183222884-3758288823-2808636388-1000_Classes\Local Settings\MuiCache (BackgroundTransferHost.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3183222884-3758288823-2808636388-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask (taskmgr.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3183222884-3758288823-2808636388-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix (BackgroundTransferHost.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3183222884-3758288823-2808636388-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" (BackgroundTransferHost.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3183222884-3758288823-2808636388-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" (BackgroundTransferHost.exe)
- Suspicious behavior: EnumeratesProcesses (38 IoCs)
  - pid 3504 taskmgr.exe (34 occurrences)
  - pid 748 MicrosoftEdgeUpdate.exe (4 occurrences)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  - Token: SeDebugPrivilege, pid 3504 taskmgr.exe
  - Token: SeSystemProfilePrivilege, pid 3504 taskmgr.exe
  - Token: SeCreateGlobalPrivilege, pid 3504 taskmgr.exe
  - Token: SeDebugPrivilege, pid 748 MicrosoftEdgeUpdate.exe
  - Token: 33, pid 3504 taskmgr.exe
  - Token: SeIncBasePriorityPrivilege, pid 3504 taskmgr.exe
- Suspicious use of FindShellTrayWindow (60 IoCs)
  - pid 3504 taskmgr.exe (60 occurrences)
- Suspicious use of SendNotifyMessage (60 IoCs)
  - pid 3504 taskmgr.exe (60 occurrences)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\32de704ba040689746da0da9c8117b0529c5ebec617be63b401ade9c17d9fa07
  PID: 5064
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 3280
- C:\Windows\System32\oobe\UserOOBEBroker.exe
  Command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  Signatures:
  - Drops file in Windows directory
  PID: 2576
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
  Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
  Signatures:
  - System Location Discovery: System Language Discovery
  PID: 3548
- C:\Windows\system32\BackgroundTransferHost.exe
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
  Signatures:
  - Modifies registry class
  PID: 1272
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  Signatures:
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3504
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 748
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\3e51fdc7-c7cf-47bf-9294-18d5f796d9ea.down_data
  Filesize: 555KB
  MD5: 5683c0028832cae4ef93ca39c8ac5029
  SHA1: 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
  SHA256: 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
  SHA512: aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3