Analysis

  • max time kernel
    152s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2022, 18:54

General

  • Target

    f1cf96c3d2f53053d6a4db5b3171fdd9a2651e114b5056f8ea8853e0ad91aef2.exe

  • Size

    283KB

  • MD5

    63fe64c62437e3c58b49c0524275dacc

  • SHA1

    30a0e544b79c11bb6a62bb0cfba9b0645dfff7ed

  • SHA256

    f1cf96c3d2f53053d6a4db5b3171fdd9a2651e114b5056f8ea8853e0ad91aef2

  • SHA512

    abc9039671148cdc7a2593134feb3e80d0b026292707cd3aa95ce46bca8c95d06fc96e1b42dbf99e0884ee1d377940c6eb1d181ac00c8ac16d8dc5a1fc2fb230

  • SSDEEP

    6144:w7vXDRS0wfOxqpBW8gto5ZsdZjJMQcYWqz9t/Qs/FvN5c1:ivdS9OxqpBDgOAZV11n9trvN5

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1cf96c3d2f53053d6a4db5b3171fdd9a2651e114b5056f8ea8853e0ad91aef2.exe
    "C:\Users\Admin\AppData\Local\Temp\f1cf96c3d2f53053d6a4db5b3171fdd9a2651e114b5056f8ea8853e0ad91aef2.exe"
    1⤵
    • Modifies security service
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4772
    • C:\Users\Admin\AppData\Local\Temp\f1cf96c3d2f53053d6a4db5b3171fdd9a2651e114b5056f8ea8853e0ad91aef2.exe
      C:\Users\Admin\AppData\Local\Temp\f1cf96c3d2f53053d6a4db5b3171fdd9a2651e114b5056f8ea8853e0ad91aef2.exe startC:\Users\Admin\AppData\Roaming\53CD5\5D2AE.exe%C:\Users\Admin\AppData\Roaming\53CD5
      2⤵
      PID:4236
    • C:\Users\Admin\AppData\Local\Temp\f1cf96c3d2f53053d6a4db5b3171fdd9a2651e114b5056f8ea8853e0ad91aef2.exe
      C:\Users\Admin\AppData\Local\Temp\f1cf96c3d2f53053d6a4db5b3171fdd9a2651e114b5056f8ea8853e0ad91aef2.exe startC:\Program Files (x86)\D50C6\lvvm.exe%C:\Program Files (x86)\D50C6
      2⤵
      PID:5016
    • C:\Program Files (x86)\LP\AEB5\44AA.tmp
      "C:\Program Files (x86)\LP\AEB5\44AA.tmp"
      2⤵
      • Executes dropped EXE
      PID:3156
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5072
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4416
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3376
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2152

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Program Files (x86)\LP\AEB5\44AA.tmp

        Filesize

        100KB

        MD5

        f845b0df3da3f24c382cd3031c1c9e3b

        SHA1

        0607975a1d3aa4ad8997946a69c907e4f7bcd636

        SHA256

        53dbfb4a4aca0f7b2fe0d1e46579f0f1e28bf0095c1418101e1ea70c3509581a

        SHA512

        bf44d1d6ede8b520f67b47939d422f7272998a9d5bd67ac7fc5ebd44c6971769a3cd83f9cfa15465b42fd8becef5751bc858d642f5e2b1ac36f337a95e9cbb43

      • memory/2152-166-0x0000027EBF160000-0x0000027EBF180000-memory.dmp

        Filesize

        128KB

      • memory/2152-163-0x0000027ECF1C0000-0x0000027ECF2C0000-memory.dmp

        Filesize

        1024KB

      • memory/2152-160-0x0000027EBB780000-0x0000027EBB7A0000-memory.dmp

        Filesize

        128KB

      • memory/2152-158-0x0000027EBBB90000-0x0000027EBBB98000-memory.dmp

        Filesize

        32KB

      • memory/2152-157-0x0000027EBBA80000-0x0000027EBBAA0000-memory.dmp

        Filesize

        128KB

      • memory/3156-145-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

      • memory/3156-149-0x0000000000792000-0x00000000007A0000-memory.dmp

        Filesize

        56KB

      • memory/3156-148-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

      • memory/3156-146-0x0000000000792000-0x00000000007A0000-memory.dmp

        Filesize

        56KB

      • memory/4236-142-0x0000000000769000-0x00000000007AC000-memory.dmp

        Filesize

        268KB

      • memory/4236-147-0x0000000000769000-0x00000000007AC000-memory.dmp

        Filesize

        268KB

      • memory/4236-137-0x0000000000769000-0x00000000007AC000-memory.dmp

        Filesize

        268KB

      • memory/4236-136-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/4772-132-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/4772-134-0x0000000000583000-0x00000000005C6000-memory.dmp

        Filesize

        268KB

      • memory/4772-133-0x0000000000583000-0x00000000005C6000-memory.dmp

        Filesize

        268KB

      • memory/5016-144-0x0000000000768000-0x00000000007AB000-memory.dmp

        Filesize

        268KB

      • memory/5016-143-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB