Analysis
Max time kernel: 3s
Max time network: 29s
Platform: windows10-2004_x64
Resource: win10v2004-20230915-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 16/10/2023, 07:10
Static task: static1
Behavioral task: behavioral1
  Sample: 9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe
  Resource: win10v2004-20230915-en
General
Target: 9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe
Size: 2.1MB
MD5: d73d71dc32505c87955f992091210f1a
SHA1: 88d5e3fb2462b053b1161c8197168f2dafb63317
SHA256: 9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144
SHA512: 231d27c1028c62920d67ae48d76b40e2591490b984cb69d706b1ec118cc6a7e367277f1704a84853bbe16ae9a42e1ce2ecd125f0a5e2019e207bcfe1defbe920
SSDEEP: 49152:lbZWaaPLan9GY7Pjp8oNivM0iTnDJJZk425V/zaBM3Sbawwtlx:lH8Lan9hp8oNivMba4aBN3SbAx
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Description: Key opened
  IoC: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  Process: Powermonster.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation
  Process: 9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe

Executes dropped EXE (1 IoC)
  PID: 1028
  Process: Powermonster.exe

Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Description: Key opened
  IoC: \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Wine
  Process: Powermonster.exe

Loads dropped DLL (1 IoC)
  PID: 1028
  Process: Powermonster.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID: 1028
  Process: Powermonster.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID: 1028, Process: Powermonster.exe
  PID: 1028, Process: Powermonster.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Description: PID 4416 wrote to memory of 1028; PID: 4416; Process: 9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe; procid_target: 83
  Description: PID 4416 wrote to memory of 1028; PID: 4416; Process: 9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe; procid_target: 83
  Description: PID 4416 wrote to memory of 1028; PID: 4416; Process: 9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe; procid_target: 83
Processes

C:\Users\Admin\AppData\Local\Temp\9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe"
  PID: 4416
  Signatures:
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  C:\Users\Public\Documents\Powermonster.exe (depth 2, child of PID 4416)
    Command line: "C:\Users\Public\Documents\Powermonster.exe"
    PID: 1028
    Signatures:
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.5MB
MD5: 842af33f5702fa99efd8f7b235f28fcc
SHA1: b841b71a4e39432f3a940ad841e74ea1686da6c9
SHA256: 82ab7bbe88c0371e2122e7ad2faa452fdedc4063c2fda36d00c011bdd3948209
SHA512: ba78f32b344842b36ec3e5da0ca1cd80f67c18ab0537ea0d8dd970b823be9e1e48bdc0c28d5ec1666d6da22fc6b5682e99b5844ccd513a836d37158ddb0d8a82

Filesize: 922KB
MD5: 22019e31ea6f7134c94358e9eb8516fe
SHA1: 51673f72f119b1fc391fcb8b0780c0077aac1e13
SHA256: 291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7
SHA512: 20d226aec3cc06aa2d62b555d144896fc6f7d575968f02997f96875640ba51801b9fd29925dd1e3ec092870a7696c5d14c1c0303f35607aa979f40a28ccc33d4