Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

03/07/2024, 22:59

240703-2yn7wszhlp 10

03/07/2024, 16:13

240703-tn93lsyglf 10

03/07/2024, 16:11

240703-tm84xsyfma 10

10/05/2024, 16:25

240510-tw1h5shh47 10

24/08/2023, 11:16

230824-nda8msdf8z 10

Analysis

  • max time kernel
    21s
  • max time network
    53s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22/11/2020, 06:42

Errors

Reason
Machine shutdown

General

  • Target

  • Size

    6.7MB

  • MD5

    f2b7074e1543720a9a98fda660e02688

  • SHA1

    1029492c1a12789d8af78d54adcb921e24b9e5ca

  • SHA256

    4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

  • SHA512

    73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 94 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    1⤵
    • Enumerates connected drives
    • Modifies WinLogon
    • Sets desktop wallpaper using registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3996
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2992
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic useraccount where name='Admin' set FullName='UR NEXT'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2864
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic useraccount where name='Admin' rename 'UR NEXT'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4068

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3108-16-0x000000000BC60000-0x000000000BC70000-memory.dmp

    Filesize

    64KB

  • memory/3108-0-0x00000000739A0000-0x000000007408E000-memory.dmp

    Filesize

    6.9MB

  • memory/3108-11-0x000000000AD80000-0x000000000AD90000-memory.dmp

    Filesize

    64KB

  • memory/3108-12-0x000000000AD80000-0x000000000AD90000-memory.dmp

    Filesize

    64KB

  • memory/3108-14-0x000000000AD80000-0x000000000AD90000-memory.dmp

    Filesize

    64KB

  • memory/3108-13-0x000000000AD80000-0x000000000AD90000-memory.dmp

    Filesize

    64KB

  • memory/3108-15-0x000000000BC60000-0x000000000BC70000-memory.dmp

    Filesize

    64KB

  • memory/3108-8-0x000000000AD90000-0x000000000AD91000-memory.dmp

    Filesize

    4KB

  • memory/3108-19-0x000000000BC60000-0x000000000BC70000-memory.dmp

    Filesize

    64KB

  • memory/3108-18-0x000000000AD80000-0x000000000AD90000-memory.dmp

    Filesize

    64KB

  • memory/3108-17-0x000000000AD80000-0x000000000AD90000-memory.dmp

    Filesize

    64KB

  • memory/3108-1-0x0000000000B70000-0x0000000000B71000-memory.dmp

    Filesize

    4KB

  • memory/3108-3-0x0000000006000000-0x0000000006001000-memory.dmp

    Filesize

    4KB