Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

03/07/2024, 22:59

240703-2yn7wszhlp 10

03/07/2024, 16:13

240703-tn93lsyglf 10

03/07/2024, 16:11

240703-tm84xsyfma 10

10/05/2024, 16:25

240510-tw1h5shh47 10

24/08/2023, 11:16

230824-nda8msdf8z 10

Analysis

  • max time kernel
    338s
  • max time network
    357s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22/11/2020, 06:42

Errors

Reason
Machine shutdown

General

  • Target

  • Size

    860KB

  • MD5

    b3dce5c3f95a18fd076fad0f73bb9e39

  • SHA1

    e80cc285a77302ee221f47e4e94823d4b2eba368

  • SHA256

    df2e3b2222dcdbb5e0dbdd1200ec8fd5f67fcbea99e0023df54307eab60030ff

  • SHA512

    c184436055cf74884ad0d2bd5ca00bcd5a62d6be46253fe8c71b4daaa5c710b9df34af1b6e41f6d1af94bcdec0d33679a6a1b34bf9755678b4e177f368c11d4c

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

    Enables rebooting of the machine without requiring login credentials.

  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies service 2 TTPs 162 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 12 IoCs
  • Checks SCSI registry key(s) 3 TTPs 96 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 38 IoCs
  • Modifies registry class 80 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 85 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3584
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Modifies service
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:736
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Modifies service
      PID:1356
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 958F453F5CD7BB22FCB417A0B4F21B93 E Global\MSI0000
      2⤵
      • Modifies WinLogon for persistence
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3928
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
        3⤵
        • Modifies registry class
        PID:1584
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
        3⤵
        • Modifies registry class
        PID:2332
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
        3⤵
        • Modifies registry class
        PID:3808
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\SysWOW64\reg.exe" DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 /f
        3⤵
        • Modifies registry class
        PID:3876
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe" /C "DEL /F /Q C:\Windows\Prefetch\pcdef*"
        3⤵
          PID:2800
        • C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
          "C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0"
          3⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:3936
          • C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
            "C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0" 1
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3960
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c shutdown -r -t 0
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1924
              • C:\Windows\SysWOW64\shutdown.exe
                shutdown -r -t 0
                6⤵
                  PID:904
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Modifies service
        • Suspicious use of AdjustPrivilegeToken
        PID:3684
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
        1⤵
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        PID:640
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x0 /state0:0xa3ad7855 /state1:0x41c64e6d
        1⤵
        • Modifies WinLogon to allow AutoLogon
        • Modifies data under HKEY_USERS
        • Suspicious use of SetWindowsHookEx
        PID:428

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/736-2-0x00000248135D0000-0x00000248135D8000-memory.dmp

        Filesize

        32KB

      • memory/3584-11-0x0000020272560000-0x0000020272564000-memory.dmp

        Filesize

        16KB