Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    1438s
  • max time network
    1224s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/05/2023, 17:22

General

  • Target
    VapeV4.rar
  • Size
    4.1MB
  • MD5
    83a4bc3dfe68f77d745f700c79569cef
  • SHA1
    98c011f9a336f1cdaa1dc73df22bbee0eadfac75
  • SHA256
    3efe166a1f02b402f0401ed3f8886f40270afe04c5be1d40516f68e04fc5c0b9
  • SHA512
    9b914f237cdd996c7a8d37413987c157d684c0f559e37387bedca73ab6828cdad83a53bcdb1e5db199fb6663319cda46ebfb48e14625ce167bf0aedb06e56b38
  • SSDEEP
    98304:6iTMbKELrj/0uHCi9FuneXMuJiB4hifbWHGfLd0rRkP7bW76FBR:6WAHHN1cuJGfSHGRQOHU6R

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\VapeV4.rar
    1⤵
    • Modifies registry class
    PID:1728
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:4704
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3612
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\VapeV4.rar"
      1⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:5108
    • C:\Users\Admin\Desktop\Vape\VapeV4 Launcher.exe
      "C:\Users\Admin\Desktop\Vape\VapeV4 Launcher.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1584

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize
    28KB
    MD5
    b3cb3d099f436b83d82ce68de5572c04
    SHA1
    a3ba2b8e45d5158b82494d97dd5a900fafc3eb1a
    SHA256
    72ca161a40791a32da8b52ce4aa74aa86dfc2b5a957cbf49110fd54b4a016203
    SHA512
    34c1312b97bfeaf1c6d4b083a1c1c8f26ba662528c378a0ede5e80ad794b9b9e585b52dc3f3310dc8d99d5282a54fcf6825caf575ffbb3c89ce14fa58f792e76
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize
    28KB
    MD5
    09e22a8689ae434ff78e88e09ddbd656
    SHA1
    ef1c0d30e4828a3889e0b64c19a5723c76168ec3
    SHA256
    43f08cf63eca3242c932555ce820058d9f1714d2d68e6451a7cac4cc05f6f835
    SHA512
    3f69500fa66f0f851c1dd85a720c42227951ac6a8817b77fedbf17a20f3139bf9fedf8c4a4e82a33a82cd0ce203e221687d3b692790bc87ab304cffe81b85941
  • C:\Users\Admin\Desktop\Vape\VapeV4 Launcher.exe
    Filesize
    243KB
    MD5
    9cabb2f914db9bebf03bc0fe232ed4da
    SHA1
    97f6d2c86009465813a1dbf47b3e25806af23cf7
    SHA256
    38e2d5ef7a11d7e083390109c9ceaec4723c66474f7e7e3fcfdf710251feafdd
    SHA512
    86e5f1d388f8e37cb78b5a8ec5d9a56ea44e42477a54de704bc14d3642d64d44fdf050b7bd1c50a11188ff51a2d1ede5d3b930e7f148aee5ee3233f3057ef252