Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

Mirus Pack...er.exe

windows7-x64

5

Mirus Pack...er.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/06/2023, 10:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Mirus Packaging GmbH Purchase Order.exe

  • Size

    539KB

  • MD5

    e4f27611074ee2528b4ec94d42ff3086

  • SHA1

    3a1116d1bf470552bef7646db02fbd8a4d53b308

  • SHA256

    276a229b8dc54203f9009eb1d2f50d391e16ed1831463687627fe89174a4ef9a

  • SHA512

    9d126fa3a5b1005c08c295b1b258b427d568f3a083a94e0196cb4c4aacbd5aeda89c725311bbcb9001321f939d8fd39f3074eb6d3a66d29fa7902091d4d36e7c

  • SSDEEP

    12288:s6X4yNCV8mmAyt62hPslW3EIPdUd6J83FUSBsIL:/XCVnmQueW31d4b11BXL

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mirus Packaging GmbH Purchase Order.exe
    "C:\Users\Admin\AppData\Local\Temp\Mirus Packaging GmbH Purchase Order.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VcmPCaf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1264
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VcmPCaf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp18F6.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1612
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4940

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d2tdriq5.xmz.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp18F6.tmp
    Filesize

    1KB

    MD5

    4f4ca2a83d6cf83349bb432eb26982f2

    SHA1

    79ddb71d0feda0216bc6a5de9492d0024f065120

    SHA256

    4504c30bb220db311141ec3b18cb27252ec93eeb0e348c58a4ccb70396ae8808

    SHA512

    d169ecffc3b35404a826ac8e6c118fbd028f008fa560a5cc741dd2321b45589dbb2b5de91bb20c13b48563dd8ee289adf32a4a3734cbe2fd65ee41a493e1ff7c

    Download Submit

  • memory/1264-162-0x0000000002D30000-0x0000000002D40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1264-179-0x0000000007F80000-0x00000000085FA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1264-186-0x0000000007C50000-0x0000000007C58000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1264-185-0x0000000007C70000-0x0000000007C8A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1264-184-0x0000000007B60000-0x0000000007B6E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1264-144-0x0000000002D40000-0x0000000002D76000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1264-183-0x0000000007BB0000-0x0000000007C46000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1264-146-0x0000000005910000-0x0000000005F38000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1264-182-0x000000007EE50000-0x000000007EE60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1264-149-0x0000000005570000-0x0000000005592000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1264-150-0x0000000005840000-0x00000000058A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1264-151-0x0000000006040000-0x00000000060A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1264-181-0x00000000079A0000-0x00000000079AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1264-157-0x0000000002D30000-0x0000000002D40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1264-180-0x0000000007930000-0x000000000794A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1264-164-0x0000000006630000-0x000000000664E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1264-166-0x0000000002D30000-0x0000000002D40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1264-178-0x0000000006BC0000-0x0000000006BDE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1264-168-0x0000000071180000-0x00000000711CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1264-167-0x0000000007610000-0x0000000007642000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4940-163-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/4940-165-0x00000000018D0000-0x0000000001C1A000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4940-147-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/4940-189-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/5036-133-0x0000000000C80000-0x0000000000D0E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/5036-136-0x0000000005780000-0x000000000578A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5036-134-0x0000000005B90000-0x0000000006134000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5036-135-0x00000000056C0000-0x0000000005752000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5036-139-0x000000000AA00000-0x000000000AA9C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5036-138-0x0000000005820000-0x0000000005830000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5036-137-0x0000000005820000-0x0000000005830000-memory.dmp

    Filesize

    64KB

    Download