Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10bca3772529...45.exe
windows7-x64
10bca3772529...45.exe
windows10-2004-x64
10bccb34575f...72.exe
windows7-x64
10bccb34575f...72.exe
windows10-2004-x64
10bcf1af9a5a...be.exe
windows7-x64
10bcf1af9a5a...be.exe
windows10-2004-x64
8bcf783e363...97.exe
windows7-x64
3bcf783e363...97.exe
windows10-2004-x64
3bd515574dc...8c.exe
windows7-x64
1bd515574dc...8c.exe
windows10-2004-x64
1bd68ca7605...39.exe
windows7-x64
10bd68ca7605...39.exe
windows10-2004-x64
10bd707a0357...e3.exe
windows7-x64
9bd707a0357...e3.exe
windows10-2004-x64
9bd7edfedeb...0b.exe
windows7-x64
10bd7edfedeb...0b.exe
windows10-2004-x64
10bdad1ff46d...f2.exe
windows7-x64
10bdad1ff46d...f2.exe
windows10-2004-x64
10bdae9ff159...df.exe
windows7-x64
10bdae9ff159...df.exe
windows10-2004-x64
10be01d2552c...1c.exe
windows7-x64
10be01d2552c...1c.exe
windows10-2004-x64
10be077774c9...87.exe
windows7-x64
10be077774c9...87.exe
windows10-2004-x64
10be0a8aeb7e...56.exe
windows7-x64
3be0a8aeb7e...56.exe
windows10-2004-x64
3be1643898c...f5.exe
windows7-x64
7be1643898c...f5.exe
windows10-2004-x64
10be183db6d4...94.exe
windows7-x64
10be183db6d4...94.exe
windows10-2004-x64
10be2375e810...94.exe
windows7-x64
10be2375e810...94.exe
windows10-2004-x64
10Analysis
-
max time kernel
102s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
22/03/2025, 06:15
Behavioral task
behavioral1
Sample
bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
bccb34575fb2db34d4a29075cb2f9aa39904b7d5412695545f2240c00fbb0472.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
bccb34575fb2db34d4a29075cb2f9aa39904b7d5412695545f2240c00fbb0472.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
bcf1af9a5a93ae74ea1c79da9951c5be.exe
Resource
win7-20241023-en
Behavioral task
behavioral6
Sample
bcf1af9a5a93ae74ea1c79da9951c5be.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
bcf783e363557f5bdd4014c159ae2497.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
bcf783e363557f5bdd4014c159ae2497.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
bd515574dc1cb379674710f110e907d8cd72a5e4c5eb90d464fbee847b71718c.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
bd515574dc1cb379674710f110e907d8cd72a5e4c5eb90d464fbee847b71718c.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
bd68ca7605316450c87b9218d2dbe19d8c5694e07b93f320f3ca4a9ad902c139.exe
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
bd68ca7605316450c87b9218d2dbe19d8c5694e07b93f320f3ca4a9ad902c139.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
bd707a0357b19ea6953d47900bb051e3.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
bd707a0357b19ea6953d47900bb051e3.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral15
Sample
bd7edfedebe8a680d801ffd5b2415cd3877e95c78edb8cfc44eaae3e0e9a1e0b.exe
Resource
win7-20250207-en
Behavioral task
behavioral16
Sample
bd7edfedebe8a680d801ffd5b2415cd3877e95c78edb8cfc44eaae3e0e9a1e0b.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
bdad1ff46d46963cc687d5f6889c9ef2.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
bdad1ff46d46963cc687d5f6889c9ef2.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
bdae9ff15952ccdfec0be80562f1cbdf.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
bdae9ff15952ccdfec0be80562f1cbdf.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
be0a8aeb7e1655bee6255bac9c2947ecef511b5f00e29933dfd9c7f39965bf56.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
be0a8aeb7e1655bee6255bac9c2947ecef511b5f00e29933dfd9c7f39965bf56.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
be1643898cf51a24e38e4044d24ae1f5.exe
Resource
win7-20241023-en
Behavioral task
behavioral28
Sample
be1643898cf51a24e38e4044d24ae1f5.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
be183db6d4b77c092496c69c3f389b94.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
be183db6d4b77c092496c69c3f389b94.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
be2375e810af4d76a0fc392d8acf2d1218cd2c21a6b8160be7f1f30ef7cf4694.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
be2375e810af4d76a0fc392d8acf2d1218cd2c21a6b8160be7f1f30ef7cf4694.exe
Resource
win10v2004-20250314-en
General
-
Target
be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe
-
Size
15KB
-
MD5
7e352292c05b5bc088e3c3ee5bccf1eb
-
SHA1
c903fb44d344b22f619967babb655c6241e16f51
-
SHA256
be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787
-
SHA512
d614817b8690cb6735fb4edd54c40742d385b649e0a0a13b3c4987aed529446bec477e4ba0ead7d8f670ab776ec75cae48f017fed5c106fd4f6ecbf8e73bebd8
-
SSDEEP
384:589lZJy0rw6AsjAvYTk5yBZ9KqyX+B7UN:29ltw6AucYqG9KqyJ
Malware Config
Extracted
growtopia
https://discordapp.com/api/webhooks/730377507630743563/CTrQfMGpsjTTGCS5L_vCDbiyLqcVjXDI2n7WnjcxEmhX5IuwdHJQwjkb9te1VA7QLViH
https://discordapp.com/api/webhooks/731971810739879986/OpZic7KuzzPIt0T_lIHObsqHtrAD0WY9AzKT1vHjAK_rPz_Tg7O0QUz_n2R-fFNBWIkM
-
payload_url
https://cdn.discordapp.com/attachments/715259687049756713/724200009171468368/decoder.exe
Signatures
-
Growtopia family
-
UAC bypass 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe\"" be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe -
Checks whether UAC is enabled 1 TTPs 2 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1660 2004 WerFault.exe 86 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2004 be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe"C:\Users\Admin\AppData\Local\Temp\be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe"1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2004 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 16882⤵
- Program crash
PID:1660
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2004 -ip 20041⤵PID:5072
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3