Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/05/2023, 14:28

General

  • Target

    https://github.com/NETFrameWorkv4/v4.8/blob/main/NETFramework48.zip

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Program crash 2 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/NETFrameWorkv4/v4.8/blob/main/NETFramework48.zip
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1340 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4112
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2120
    • C:\Users\Admin\AppData\Local\Temp\Temp1_NETFramework48.zip\NETFramework48\install.exe
      "C:\Users\Admin\AppData\Local\Temp\Temp1_NETFramework48.zip\NETFramework48\install.exe"
      1⤵
        PID:1420
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1420 -s 492
          2⤵
          • Program crash
          PID:2480
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 416 -p 1420 -ip 1420
        1⤵
          PID:2688
        • C:\Users\Admin\AppData\Local\Temp\Temp1_NETFramework48.zip\NETFramework48\install.exe
          "C:\Users\Admin\AppData\Local\Temp\Temp1_NETFramework48.zip\NETFramework48\install.exe"
          1⤵
            PID:4204
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 4204 -s 488
              2⤵
              • Program crash
              PID:224
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -pss -s 520 -p 4204 -ip 4204
            1⤵
              PID:312

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: 3fbb8ee33354096d9f116c557a402d14
    SHA1: f75756c42d45d1047eb04fa54bd7702f5560df4b
    SHA256: 13e2696561dd0955e1d61f7e18166c8bd7a02faf1dbfe04e738b5d68cc2ca57e
    SHA512: cc21e56f9278282b3c15964b5618d42bdfda83b245d7bf01d12550aabd69a9747d1deaa5a9a9830e6d6a47465f580e21e0a7621cf992b56244ad4bee8779c338

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 434B
    MD5: 74873250950ba8f186395646b87c4a1d
    SHA1: 5d3e571ed9111b7061e8db62d4bd20456730932f
    SHA256: f12c430888e9e57b3e069586be63f9152765f63a3d3936716d2b0c3a5f5f131a
    SHA512: e041a27a6aa3c17bf01914ca6bee13076d565e3763d941a2de8a5c0e25cb12380ae4a9d6666f84e098cecebdb1cd0619e30bec31dc9ad00d3f6d6cbb4c4e8f67

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9afmek3\imagestore.dat
    Filesize: 1KB
    MD5: e0d31bc9f31a5958e683f27eba8630f5
    SHA1: e566f6a01c313053a56d83cf1b4b6bf2f0a7bc83
    SHA256: a68d0cd6fe37c43389b322a5e5a15c4f2036d78e26481ad457dd2b756bfee09d
    SHA512: 3d38c11c54f326ed02cd5771a0f8034455666746bd47191b1b54379924e8902e1170f2920a39940d1ee70cf666e3e647ccaa2de2fedf28e669c13c6deb79448e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKFP9JBL\NETFramework48[1].zip
    Filesize: 158KB
    MD5: 1f3b3644d836b79fe2b91f4b39e1eac8
    SHA1: 0806bbbd393803b46bf1d44b5d60c4ea643ae23b
    SHA256: 3f6c52d592eb9e4ec390a73279fec16b5e0fa1b11540b120ec21d82f717bfd56
    SHA512: 6e669930d4a964288514f192b15bcd9bf97e72cfd30ea86e8ea3f32b2b2969d41da08326915270fe8bf7e4ab2445ba2df20ee766cb766db08abc219d5f3c86da

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKFP9JBL\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\NETFramework48.zip.ucsdc4c.partial
    Filesize: 158KB
    MD5: 1f3b3644d836b79fe2b91f4b39e1eac8
    SHA1: 0806bbbd393803b46bf1d44b5d60c4ea643ae23b
    SHA256: 3f6c52d592eb9e4ec390a73279fec16b5e0fa1b11540b120ec21d82f717bfd56
    SHA512: 6e669930d4a964288514f192b15bcd9bf97e72cfd30ea86e8ea3f32b2b2969d41da08326915270fe8bf7e4ab2445ba2df20ee766cb766db08abc219d5f3c86da

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\favicon[1].png
    Filesize: 958B
    MD5: 346e09471362f2907510a31812129cd2
    SHA1: 323b99430dd424604ae57a19a91f25376e209759
    SHA256: 74cf90ac2fe6624ab1056cacea11cf7ed4f8bef54bbb0e869638013bba45bc08
    SHA512: a62b0fcc02e671d6037725cf67935f8ca1c875f764ce39fed267420935c0b7bad69ab50d3f9f8c628e9b3cff439885ee416989e31ceaa5d32ae596dd7e5fedbd