Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

USBFactory...up.exe

windows10-1703-x64

7

Analysis

  • max time kernel
    51s
  • max time network
    20s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    11/01/2024, 14:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    USBFactoryResetToolSetup.exe

  • Size

    945KB

  • MD5

    e33b58158208b3bb0bb713afc148968f

  • SHA1

    5b4403b076d6bf6fa0d2a1571fd8f9c1bddbc2ac

  • SHA256

    7350594f8f7e392e6c4f0acadb2820bc75d75acd263afbdcd4ddaa01577d5314

  • SHA512

    d13c204eb3b8af785f0f1b80e2f56a5df85e4737153fb506cfbe1e1d47bcb3f83d83a3f995ae75558b30bd068b133de5b2dd85aa73bb6710b9a1f6101c5b1583

  • SSDEEP

    24576:5na1awWBK9c7VTuU7hypJmxfUz3d0kIVGQJxkTC:5a+BK9qTH2i8z3dM1

Score
7/10
bootkitdiscoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\USBFactoryResetToolSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\USBFactoryResetToolSetup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5108
    • C:\Users\Admin\AppData\Local\Temp\is-I129L.tmp\USBFactoryResetToolSetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-I129L.tmp\USBFactoryResetToolSetup.tmp" /SL5="$700CE,726046,54272,C:\Users\Admin\AppData\Local\Temp\USBFactoryResetToolSetup.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Program Files\USB Drive Factory Reset Tool\USBResetTool.exe
        "C:\Program Files\USB Drive Factory Reset Tool\USBResetTool.exe"
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of AdjustPrivilegeToken
        PID:4468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\USB Drive Factory Reset Tool\USBResetTool.exe
    Filesize

    184KB

    MD5

    6c0e5e0a9a3863c1f1f418d464d58c41

    SHA1

    1ab182e17c14ded245a000b2012682d3239b7546

    SHA256

    1e38a87ce030891dc2af62cd787482e2848a693e7ff24134c69c9c45df2ef369

    SHA512

    602057867ebae1e1f9e3447077b93aa5f47d0ae9e6d163d8c542b350b0a791cb7f77b9c6d913563493b11ca2d4a5ca2bc732864585f9567ecac44da6121380dd

    Download Submit

  • C:\Program Files\USB Drive Factory Reset Tool\USBResetTool.exe
    Filesize

    516KB

    MD5

    295569daae2741c050a50f73ec59c3da

    SHA1

    3b0eed89f1551c3ae38f9eab12215e3476967e01

    SHA256

    2e740cd3dccf76b63a014de78f2e9c4add1dcc457f76ae0ee86f413aa5099ff7

    SHA512

    585224afd9e7046b0f118b7f644848186cefdaef7451aae15154d013488277d509bc108eb08bc27d4f161121b9a8f0a9c3e30cde7cf05eb1c7a7ff03845592b5

    Download Submit

  • C:\Program Files\USB Drive Factory Reset Tool\USBResetTool.exe
    Filesize

    430KB

    MD5

    d250cb110cdff62e6c43bcebabe71eb4

    SHA1

    00110a6cdc65a070112e64557d740ff1db96f536

    SHA256

    e0d965bc9b6fda958c3afb4f33cd72760b85c189d3f9b87e98796dadd165409f

    SHA512

    788c7abe7596c2d5694ee3089f279d629fad51d30fa087d5b7de9d9af183d0976fdb7e99178d7450136a941f1955df460a53b05c523dd1f1755073883e0513a7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-I129L.tmp\USBFactoryResetToolSetup.tmp
    Filesize

    688KB

    MD5

    67c5a4f36e1c91a3b85e440edd7ad026

    SHA1

    e49ea0e558ed682498cc61b3070e4c402fbf0912

    SHA256

    99c299d6565ab53d9af66e0146737dc0ecfbc52ecf4740825b552db0cc4210c6

    SHA512

    40522d4645ece0db9888ea40d1a11356aa5efc191184a0b97cb54a6c243532b1fc306e9095bbfa1f5dc02c8e52b709650230d1383532136e56caea3dc19a973e

    Download Submit

  • memory/2636-9-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2636-39-0x0000000000400000-0x00000000004BC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/2636-13-0x0000000000400000-0x00000000004BC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/2636-32-0x0000000000400000-0x00000000004BC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/2636-33-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4468-37-0x00000000023D0000-0x00000000023D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4468-40-0x00000000023D0000-0x00000000023D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4468-41-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4468-44-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/5108-0-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/5108-12-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download