Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Photo01 By...pj.scr

windows7-x64

10

Photo01 By...pj.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2023, 15:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Photo01 By ‮‮‮‮gpj.scr

  • Size

    547KB

  • MD5

    dc5e556beac206f025de1c9f92d2e39b

  • SHA1

    c0820fed333a9bb3c800950e5d3f46b0ade731e0

  • SHA256

    560e31e0a9b21391f252a3096e2e0e495eb7c33a7548de1d71dea1a334536aee

  • SHA512

    4f34c33157fa78e7d068480962ad30116673a62fff7591b95d245e3cdc56e218cb6c8cc63ad1930d555a033ce810ba929c9040ebcc7df61099f673fbb8e6b621

  • SSDEEP

    12288:oXTxe8fUp6qreT2A+FY0u7qMg+RIGjFGKOyeRJatK:xpVLqg+KW5b3tK

Score
10/10
evasion

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 10 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Photo01 By ‮‮‮‮gpj.scr
    "C:\Users\Admin\AppData\Local\Temp\Photo01 By ‮‮‮‮gpj.scr" /S
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Local\Temp\Photo01 By ‮‮‮‮gpj.scr
      "C:\Users\Admin\AppData\Local\Temp\Photo01 By ‮‮‮‮gpj.scr"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Updbsp01.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Updbsp01.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:904
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Updbsp01.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Updbsp01.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:3980
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3208
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:4664
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Photo01 By ????gpj.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Photo01 By ????gpj.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2396
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Photo01 By ????gpj.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Photo01 By ????gpj.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:1480
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1380
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YICsc.vbs"
      2⤵
        PID:1924
    • C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      1⤵
      • Modifies firewall policy service
      • Modifies registry key
      PID:4796

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\YICsc.vbs
      Filesize

      399B

      MD5

      ce01be7699a958d0bc7ed4d3207b49d7

      SHA1

      006dd08cb31da33ab0f54baa30f8d28e34dd83de

      SHA256

      0c9b78079d5172366b8806bffcb293a7b42bf83850148e5509ebe566e01e585a

      SHA512

      7a0d92283cb9317bf99e14df7d8ae0eaa17af007177a231f974c95a924f67d2cd40600ffd051ef55eb6258720ebb8500b56e482d8e512b128eb184f2d0490c08

      Download Submit

    • memory/1532-6-0x0000000000400000-0x0000000000479000-memory.dmp

      Filesize

      484KB

      Download

    • memory/1532-3-0x0000000000400000-0x0000000000479000-memory.dmp

      Filesize

      484KB

      Download

    • memory/2348-1-0x0000000001140000-0x0000000001150000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2348-0-0x0000000074CD0000-0x0000000075281000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2348-2-0x0000000074CD0000-0x0000000075281000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2348-17-0x0000000074CD0000-0x0000000075281000-memory.dmp

      Filesize

      5.7MB

      Download