Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    3s
  • max time network
    29s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/10/2023, 07:10

General

  • Target

    9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe

  • Size

    2.1MB

  • MD5

    d73d71dc32505c87955f992091210f1a

  • SHA1

    88d5e3fb2462b053b1161c8197168f2dafb63317

  • SHA256

    9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144

  • SHA512

    231d27c1028c62920d67ae48d76b40e2591490b984cb69d706b1ec118cc6a7e367277f1704a84853bbe16ae9a42e1ce2ecd125f0a5e2019e207bcfe1defbe920

  • SSDEEP

    49152:lbZWaaPLan9GY7Pjp8oNivM0iTnDJJZk425V/zaBM3Sbawwtlx:lH8Lan9hp8oNivMba4aBN3SbAx

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe
    "C:\Users\Admin\AppData\Local\Temp\9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Users\Public\Documents\Powermonster.exe
      "C:\Users\Public\Documents\Powermonster.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\Powermonster.exe

    Filesize

    2.5MB

    MD5

    842af33f5702fa99efd8f7b235f28fcc

    SHA1

    b841b71a4e39432f3a940ad841e74ea1686da6c9

    SHA256

    82ab7bbe88c0371e2122e7ad2faa452fdedc4063c2fda36d00c011bdd3948209

    SHA512

    ba78f32b344842b36ec3e5da0ca1cd80f67c18ab0537ea0d8dd970b823be9e1e48bdc0c28d5ec1666d6da22fc6b5682e99b5844ccd513a836d37158ddb0d8a82

  • C:\Users\Public\Documents\Powermonster.exe

    Filesize

    2.5MB

    MD5

    842af33f5702fa99efd8f7b235f28fcc

    SHA1

    b841b71a4e39432f3a940ad841e74ea1686da6c9

    SHA256

    82ab7bbe88c0371e2122e7ad2faa452fdedc4063c2fda36d00c011bdd3948209

    SHA512

    ba78f32b344842b36ec3e5da0ca1cd80f67c18ab0537ea0d8dd970b823be9e1e48bdc0c28d5ec1666d6da22fc6b5682e99b5844ccd513a836d37158ddb0d8a82

  • C:\Users\Public\Documents\libcurl.dll

    Filesize

    922KB

    MD5

    22019e31ea6f7134c94358e9eb8516fe

    SHA1

    51673f72f119b1fc391fcb8b0780c0077aac1e13

    SHA256

    291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7

    SHA512

    20d226aec3cc06aa2d62b555d144896fc6f7d575968f02997f96875640ba51801b9fd29925dd1e3ec092870a7696c5d14c1c0303f35607aa979f40a28ccc33d4

  • C:\Users\Public\Documents\libcurl.dll

    Filesize

    922KB

    MD5

    22019e31ea6f7134c94358e9eb8516fe

    SHA1

    51673f72f119b1fc391fcb8b0780c0077aac1e13

    SHA256

    291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7

    SHA512

    20d226aec3cc06aa2d62b555d144896fc6f7d575968f02997f96875640ba51801b9fd29925dd1e3ec092870a7696c5d14c1c0303f35607aa979f40a28ccc33d4

  • memory/1028-15-0x0000000010000000-0x0000000010209000-memory.dmp

    Filesize

    2.0MB

  • memory/1028-16-0x0000000002CE0000-0x0000000002D7D000-memory.dmp

    Filesize

    628KB