Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/02/2025, 01:30

General

  • Target

    463ad2da20192ee0a568369e8354e0a9.exe

  • Size

    37KB

  • MD5

    463ad2da20192ee0a568369e8354e0a9

  • SHA1

    9feda940aad6e8b5bfad480b1cf74f8b9786e633

  • SHA256

    0a270dcc76e568fe80935cd18959ad43764d04ad0bb33d8ed9bfa951631ab0fa

  • SHA512

    69b9694b9b54463a361705d2e626cba2c89a89fb507bcfffdfb090d214d8aaac3cd8354dae5c5e7701859f8c9e36010601d8a4b077bb15b763a189de44c51b7f

  • SSDEEP

    768:2DrXsKADtOHiR4akrQQQNNYyrM+rMRa8NuGPVt:2DretVS8QQNOt+gRJNZP

Malware Config

Signatures

  • Downloads MZ/PE file 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\463ad2da20192ee0a568369e8354e0a9.exe
    "C:\Users\Admin\AppData\Local\Temp\463ad2da20192ee0a568369e8354e0a9.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Users\Admin\AppData\Local\Temp\WindowsSecurityUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsSecurityUpdate.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:220
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsSecurityUpdate.exe" "WindowsSecurityUpdate.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1936
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDBFREQzMDktNUQ1RC00Qjg0LTgyRkQtMTU2Mzc1QTg1NEFDfSIgdXNlcmlkPSJ7REM2MTg5MkUtMjMyQy00RDA0LTlERjMtNzY5MzZDMzk2RDA5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OUNGRkNCOEEtRUI3NS00NzIzLUI2Q0QtNDZBOTdCRjY0QUE1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4MTUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE1MzQzMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjU4MTM1MDYzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WindowsSecurityUpdate.exe

    Filesize

    37KB

    MD5

    463ad2da20192ee0a568369e8354e0a9

    SHA1

    9feda940aad6e8b5bfad480b1cf74f8b9786e633

    SHA256

    0a270dcc76e568fe80935cd18959ad43764d04ad0bb33d8ed9bfa951631ab0fa

    SHA512

    69b9694b9b54463a361705d2e626cba2c89a89fb507bcfffdfb090d214d8aaac3cd8354dae5c5e7701859f8c9e36010601d8a4b077bb15b763a189de44c51b7f

  • memory/220-14-0x00000000747F0000-0x0000000074DA1000-memory.dmp

    Filesize

    5.7MB

  • memory/220-13-0x00000000747F0000-0x0000000074DA1000-memory.dmp

    Filesize

    5.7MB

  • memory/220-16-0x00000000747F0000-0x0000000074DA1000-memory.dmp

    Filesize

    5.7MB

  • memory/3012-0-0x00000000747F2000-0x00000000747F3000-memory.dmp

    Filesize

    4KB

  • memory/3012-1-0x00000000747F0000-0x0000000074DA1000-memory.dmp

    Filesize

    5.7MB

  • memory/3012-2-0x00000000747F0000-0x0000000074DA1000-memory.dmp

    Filesize

    5.7MB

  • memory/3012-12-0x00000000747F0000-0x0000000074DA1000-memory.dmp

    Filesize

    5.7MB