Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

Endermanch...ws.exe

windows10-1703-x64

6

Resubmissions

24/11/2023, 00:09

231124-aflv9see3x 6

23/11/2023, 23:51

231123-3wgkpsed3v 8

Analysis

  • max time kernel
    2036s
  • max time network
    2049s
  • platform
    windows10-1703_x64
  • resource
    win10-20231025-en
  • resource tags

    arch:x64arch:x86image:win10-20231025-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24/11/2023, 00:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    [email protected]

  • Size

    4.4MB

  • MD5

    6a4853cd0584dc90067e15afb43c4962

  • SHA1

    ae59bbb123e98dc8379d08887f83d7e52b1b47fc

  • SHA256

    ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec

  • SHA512

    feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996

  • SSDEEP

    98304:XyDt6K4MJVnjOobt/JN1LA5elHc+S4fRp5UvluKo:XyDtK8bbxn+IHcBEV/F

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 38 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2732
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x240
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4592
  • C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp.exe
    "C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp.exe" -ServerName:App.AppXffn3yxqvgawq9fpmnhy90fr3y01d1t5b.mca
    1⤵
    • Checks processor information in registry
    • Suspicious use of SetWindowsHookEx
    PID:1144
  • C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeHost.exe
    "C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeHost.exe" -ServerName:SkypeHost.ServerServer
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    PID:1832
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Windows\system32\mountvol.exe
      mountvol c: /d
      2⤵
        PID:1576

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
      Filesize

      256KB

      MD5

      425226fcb310662c292a014bf7624408

      SHA1

      3c8b01eda95f3551644e0b8d8586b76d3011176a

      SHA256

      4e230c8ec4723368007fc968b919379125aea41a284768f522f191ff7a1fae19

      SHA512

      2f2934f9a4c681fa112fb8a510e2f91a25e96bc4695f1b675b63414544579b27d4d44731c3e4d73043956ea434114d00d2a8859445ad1b4eda9f1f6be181e26c

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
      Filesize

      9KB

      MD5

      7050d5ae8acfbe560fa11073fef8185d

      SHA1

      5bc38e77ff06785fe0aec5a345c4ccd15752560e

      SHA256

      cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

      SHA512

      a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\chilledwindows.mp4
      Filesize

      3.6MB

      MD5

      698ddcaec1edcf1245807627884edf9c

      SHA1

      c7fcbeaa2aadffaf807c096c51fb14c47003ac20

      SHA256

      cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

      SHA512

      a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

      Download Submit

    • memory/2732-0-0x00000000008F0000-0x0000000000D54000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2732-1-0x00007FF972940000-0x00007FF97332C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2732-2-0x000000001BB40000-0x000000001BB50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2732-3-0x000000001BB40000-0x000000001BB50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2732-14-0x000000001BB40000-0x000000001BB50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2732-16-0x000000001C100000-0x000000001C108000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2732-17-0x000000001BB40000-0x000000001BB50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2732-18-0x000000001C320000-0x000000001C358000-memory.dmp

      Filesize

      224KB

      Download

    • memory/2732-51-0x00007FF972940000-0x00007FF97332C000-memory.dmp

      Filesize

      9.9MB

      Download