Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/03/2025, 19:22
Behavioral task: behavioral1
Sample: 3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe
Resource: win7-20240903-en
General

Target: 3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe
Size: 803KB
MD5: bcfc0f409a85ca08b9cc4aadc642d2db
SHA1: 158934868163c72c134eb2e4f91da0bc6adc8a7c
SHA256: 3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85
SHA512: e14bf36cd66c6cfa2e94c84d6e3eb22c21e6152c8ad38ae2ebdcafef4a4ec2717c98ba939c86358f9f5602ddbf9a107f4b545eff4cf1de4b5bfecc371f4cbb1c
SSDEEP: 24576:bkGvM/P1U4bBTOKr26GU5OYsnXgxvrQrAnuIws:b2/P1UOtOKC6GrYsgxTQTIH
Malware Config
Signatures
- Imminent family

- Checks computer location settings (2 TTPs, 4 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | 3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | refsutil.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | refsutil.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | refsutil.exe

- Executes dropped EXE (3 IoCs)
  pid | Process
  2412 | refsutil.exe
  1452 | refsutil.exe
  1592 | refsutil.exe

- Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\assembly\Desktop.ini | RegAsm.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | RegAsm.exe

- AutoIT Executable (5 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/4304-12-0x0000000000330000-0x00000000004B8000-memory.dmp | autoit_exe
  behavioral2/memory/2412-31-0x0000000000670000-0x00000000007F8000-memory.dmp | autoit_exe
  behavioral2/memory/1452-41-0x0000000000670000-0x00000000007F8000-memory.dmp | autoit_exe
  behavioral2/memory/1592-45-0x0000000000670000-0x00000000007F8000-memory.dmp | autoit_exe
  behavioral2/memory/1592-51-0x0000000000670000-0x00000000007F8000-memory.dmp | autoit_exe

- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 4304 set thread context of 3448 | 4304 | 3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe | 87
  PID 2412 set thread context of 4952 | 2412 | refsutil.exe | 99
  PID 1452 set thread context of 3268 | 1452 | refsutil.exe | 105
  PID 1592 set thread context of 2496 | 1592 | refsutil.exe | 109

- [signature name missing from the extracted page; yara_rule column reads upx]
  resource | yara_rule
  behavioral2/memory/4304-0-0x0000000000330000-0x00000000004B8000-memory.dmp | upx
  behavioral2/memory/4304-12-0x0000000000330000-0x00000000004B8000-memory.dmp | upx
  behavioral2/files/0x0008000000024123-23.dat | upx
  behavioral2/memory/2412-24-0x0000000000670000-0x00000000007F8000-memory.dmp | upx
  behavioral2/memory/2412-31-0x0000000000670000-0x00000000007F8000-memory.dmp | upx
  behavioral2/memory/1452-41-0x0000000000670000-0x00000000007F8000-memory.dmp | upx
  behavioral2/memory/1592-45-0x0000000000670000-0x00000000007F8000-memory.dmp | upx
  behavioral2/memory/1592-51-0x0000000000670000-0x00000000007F8000-memory.dmp | upx

- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\assembly | RegAsm.exe
  File created | C:\Windows\assembly\Desktop.ini | RegAsm.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | RegAsm.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | refsutil.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | refsutil.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | refsutil.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe

- Scheduled Task/Job: Scheduled Task (1 TTP, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4588 | schtasks.exe
  1584 | schtasks.exe
  3676 | schtasks.exe
  3048 | schtasks.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3448 | RegAsm.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3448 | RegAsm.exe
  Token: 33 | 3448 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3448 | RegAsm.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  3448 | RegAsm.exe

- Suspicious use of WriteProcessMemory (32 IoCs)
  description | pid | Process | procid_target
  PID 4304 wrote to memory of 3448 | 4304 | 3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe | 87
  PID 4304 wrote to memory of 3448 | 4304 | 3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe | 87
  PID 4304 wrote to memory of 3448 | 4304 | 3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe | 87
  PID 4304 wrote to memory of 3448 | 4304 | 3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe | 87
  PID 4304 wrote to memory of 3448 | 4304 | 3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe | 87
  PID 4304 wrote to memory of 4588 | 4304 | 3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe | 89
  PID 4304 wrote to memory of 4588 | 4304 | 3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe | 89
  PID 4304 wrote to memory of 4588 | 4304 | 3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe | 89
  PID 2412 wrote to memory of 4952 | 2412 | refsutil.exe | 99
  PID 2412 wrote to memory of 4952 | 2412 | refsutil.exe | 99
  PID 2412 wrote to memory of 4952 | 2412 | refsutil.exe | 99
  PID 2412 wrote to memory of 4952 | 2412 | refsutil.exe | 99
  PID 2412 wrote to memory of 4952 | 2412 | refsutil.exe | 99
  PID 2412 wrote to memory of 1584 | 2412 | refsutil.exe | 100
  PID 2412 wrote to memory of 1584 | 2412 | refsutil.exe | 100
  PID 2412 wrote to memory of 1584 | 2412 | refsutil.exe | 100
  PID 1452 wrote to memory of 3268 | 1452 | refsutil.exe | 105
  PID 1452 wrote to memory of 3268 | 1452 | refsutil.exe | 105
  PID 1452 wrote to memory of 3268 | 1452 | refsutil.exe | 105
  PID 1452 wrote to memory of 3268 | 1452 | refsutil.exe | 105
  PID 1452 wrote to memory of 3268 | 1452 | refsutil.exe | 105
  PID 1452 wrote to memory of 3676 | 1452 | refsutil.exe | 106
  PID 1452 wrote to memory of 3676 | 1452 | refsutil.exe | 106
  PID 1452 wrote to memory of 3676 | 1452 | refsutil.exe | 106
  PID 1592 wrote to memory of 2496 | 1592 | refsutil.exe | 109
  PID 1592 wrote to memory of 2496 | 1592 | refsutil.exe | 109
  PID 1592 wrote to memory of 2496 | 1592 | refsutil.exe | 109
  PID 1592 wrote to memory of 2496 | 1592 | refsutil.exe | 109
  PID 1592 wrote to memory of 2496 | 1592 | refsutil.exe | 109
  PID 1592 wrote to memory of 3048 | 1592 | refsutil.exe | 110
  PID 1592 wrote to memory of 3048 | 1592 | refsutil.exe | 110
  PID 1592 wrote to memory of 3048 | 1592 | refsutil.exe | 110
Processes

C:\Users\Admin\AppData\Local\Temp\3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe"
  PID: 4304
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 3448
      - Drops desktop.ini file(s)
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
      PID: 4588
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 4928

C:\Users\Admin\advpack\refsutil.exe
  Command line: C:\Users\Admin\advpack\refsutil.exe
  PID: 2412
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 4952
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
      PID: 1584
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

C:\Users\Admin\advpack\refsutil.exe
  Command line: C:\Users\Admin\advpack\refsutil.exe
  PID: 1452
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 3268
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
      PID: 3676
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

C:\Users\Admin\advpack\refsutil.exe
  Command line: C:\Users\Admin\advpack\refsutil.exe
  PID: 1592
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 2496
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
      PID: 3048
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 319B
  MD5: 9f820925345c93c05f6ebb7c6d4c9987
  SHA1: 5943bc396e606425241bf1a87e255e105305e5c9
  SHA256: d30df126f03b0cf5332576c71233f00e205694c85746a84bc179a132059e50a3
  SHA512: a7268b1792a96e1bdddb537b725c36a98ace638611789527ed0a7467db6330457f9c9c77027b3879536239d8793788d4a2d752aa9d89562228493fe11cf37a33

- Filesize: 803KB
  MD5: be6b354c0cb65ace3fde0c7f92884157
  SHA1: a6e06e32316ec9bce641568e7b7ef1642fa19abe
  SHA256: 76588615d5fcdd509e65e78295d919dcfa3a7470fa7fc8444734771460d0b55f
  SHA512: 95623f03cac652fb53ba73e5c04b6266ef2c3ae705858fbd120990d05d4e33d854fbfeac8bda01a76fa39cf1333f3a756bb70fbcef032e48b18c5ef73e9f4b81