Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

efed9df5db...f.appx

windows7-x64

efed9df5db...f.appx

windows10-2004-x64

8

Resubmissions

17/01/2024, 18:54

240117-xkjyssdcf4 8

17/01/2024, 18:40

240117-xbebyscefm 8

Analysis

  • max time kernel
    329s
  • max time network
    330s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/01/2024, 18:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    efed9df5db764689c3ba1a06084599f47278e8a7a6732fb35f5ed1b01748864f.appx

  • Size

    135.6MB

  • MD5

    e347a58cf88cc6f686207d30d2e3db65

  • SHA1

    8b24338138775079f8fdd85366fed7598a9f288d

  • SHA256

    efed9df5db764689c3ba1a06084599f47278e8a7a6732fb35f5ed1b01748864f

  • SHA512

    d9347486a247e40f53b27270bca7afa29b428236be514d5261a19115226dc07de776c84fa6b0d0150f6e7d5d8bdfadba0da2d9ec9c6a5ca1d2a17943ebcadc43

  • SSDEEP

    3145728:YZXsiKRnMfIcYNVZiTeoVu1uX7rAUMg47zNO0SPo8Z1Z4wX1JfSbmbd3d:Y9ontcyVZiamAuLX947xOj1Z4wlQbw

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start shell:AppsFolder\Midjourney.Midjourney_jqzvp2n7sb70p!VCredist.x86.exe
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1596
  • C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\AI_STUBS\AiStubX86.exe
    "C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\AI_STUBS\AiStubX86.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Windows\SysWOW64\xcopy.exe
      "xcopy.exe" "C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\VFS\AppData" "C:\Users\Admin\AppData\Local\Packages\Midjourney.Midjourney_jqzvp2n7sb70p\LocalCache\Roaming" /e /s /y /c /h /q /i /k
      2⤵
      • Enumerates system info in registry
      PID:1400
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file 'C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\refresh.ps1'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\refresh.ps1"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:64
    • C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\VC_redist.x86.exe
      "VC_redist.x86.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:688
      • C:\Windows\Temp\{1B830B56-95E2-4920-A758-F6A42283D57D}\.cr\VC_redist.x86.exe
        "C:\Windows\Temp\{1B830B56-95E2-4920-A758-F6A42283D57D}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\VC_redist.x86.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of FindShellTrayWindow
        PID:3440
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1324

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Powershell.exe.log
    Filesize

    1KB

    MD5

    4280e36a29fa31c01e4d8b2ba726a0d8

    SHA1

    c485c2c9ce0a99747b18d899b71dfa9a64dabe32

    SHA256

    e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

    SHA512

    494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    64B

    MD5

    fb3a0d342872428ed033b00dc7b891e5

    SHA1

    75022ab053014c7a1af3c8e505e8431d8b8278dc

    SHA256

    34580f87013f2853598b4a06173200f62b9a3b7498f61d371389624ef2bd93c4

    SHA512

    a8fe21209d814147ff66f339b06788abc4f8a3a638900611393ce022f94791043059965a0679d529c4bfb31736553b0fa87f87467033a445509aecb424851ecc

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    16KB

    MD5

    b7613a841ed03f298491ae15e781cbe6

    SHA1

    867745037d3dbec62e55adbfcae54819e0c5cf5b

    SHA256

    e6206cec8e25232343422e9cb0c57b87361399bfd7b62b9ed681cb4e320d2583

    SHA512

    49cfbee78a5c68ed07afe0253e748301cc13207a5347845c01437ff9337d156218c24142640f06331610c24760660dcd0886f331ec280cd19b2d4aac9503fcf6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_spvn0jza.avc.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Windows\Temp\{1B830B56-95E2-4920-A758-F6A42283D57D}\.cr\VC_redist.x86.exe
    Filesize

    170KB

    MD5

    079e8e8c50e379c9cdedbb6d5834a73c

    SHA1

    68a4d69ddeb5ebd1e0ca5f8c5db7f7400838af9a

    SHA256

    fb71f1cf65c594f95383a809fe3bd54760083cb0f097be3b511718f8d88746de

    SHA512

    617d86ef7cfc9b7ba2f895e496bdc60e15530a4c32bd1c6a6fabc7b9459074544358b1da62587ace93bf944bcbea31924b37543e56bc6ec9370c802004b615c6

    Download Submit

  • C:\Windows\Temp\{1B830B56-95E2-4920-A758-F6A42283D57D}\.cr\VC_redist.x86.exe
    Filesize

    101KB

    MD5

    4ca5ceed14d34ac8153104ca19c8ea8d

    SHA1

    d7d63e1441c930e3401e0695c57c06a3ecf82464

    SHA256

    3ca2dfa10f40f115414455ad2138c1d4e69afff31b6efab06a6812433a034bc5

    SHA512

    b2dc9edfa7de4179119d55a4337858aebb3375f9e7276ff07f56d9a35083a82d3a79676f77b41c4dae1de42f6d99a8f22608ab849ae4b45c753b934141d3d001

    Download Submit

  • C:\Windows\Temp\{2A1D936D-5A70-4294-B2B9-81AF19E9C414}\.ba\logo.png
    Filesize

    1KB

    MD5

    d6bd210f227442b3362493d046cea233

    SHA1

    ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

    SHA256

    335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

    SHA512

    464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

    Download Submit

  • C:\Windows\Temp\{2A1D936D-5A70-4294-B2B9-81AF19E9C414}\.ba\wixstdba.dll
    Filesize

    42KB

    MD5

    a5b9d73bae8aad5b798f9b661d681d16

    SHA1

    2e749ac98ea563bbf8bd960edc7d439a041b797b

    SHA256

    611ebae41ef23efefaea2639bac5be90dd7aabac84ed9d6dbc4351d980c732e4

    SHA512

    a6b5e64eefec3f43bdd68c6bd25a3d22e75f869ed0498614ee50c7746ce8df8f890be0fc6c1de62ca7784a6458bbf0a0f8c54cc2f6fbd511592a6de6f6731e07

    Download Submit

  • memory/64-51-0x00000000744B0000-0x0000000074C60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/64-39-0x00000000744B0000-0x0000000074C60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/688-56-0x000000006E800000-0x000000006E810000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1324-116-0x000001BCECB50000-0x000001BCECB51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-114-0x000001BCECB50000-0x000001BCECB51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-111-0x000001BCECB50000-0x000001BCECB51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-113-0x000001BCECB50000-0x000001BCECB51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-107-0x000001BCECB50000-0x000001BCECB51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-106-0x000001BCECB50000-0x000001BCECB51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-105-0x000001BCECB50000-0x000001BCECB51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-112-0x000001BCECB50000-0x000001BCECB51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-115-0x000001BCECB50000-0x000001BCECB51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-117-0x000001BCECB50000-0x000001BCECB51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1596-14-0x00007FFFAA950000-0x00007FFFAB411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1596-12-0x0000027E68A90000-0x0000027E68AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1596-11-0x0000027E68A90000-0x0000027E68AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1596-10-0x00007FFFAA950000-0x00007FFFAB411000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1596-5-0x0000027E6AC10000-0x0000027E6AC32000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1796-20-0x0000000006230000-0x0000000006858000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1796-55-0x00000000744B0000-0x0000000074C60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1796-37-0x0000000008680000-0x0000000008CFA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1796-38-0x0000000007350000-0x000000000736A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1796-36-0x0000000006E10000-0x0000000006E5C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1796-35-0x0000000006DD0000-0x0000000006DEE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1796-33-0x00000000068D0000-0x0000000006C24000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1796-22-0x00000000061C0000-0x0000000006226000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1796-23-0x0000000006860000-0x00000000068C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1796-21-0x0000000006020000-0x0000000006042000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1796-18-0x0000000005920000-0x0000000005956000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1796-19-0x00000000744B0000-0x0000000074C60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4676-17-0x000000006E800000-0x000000006E810000-memory.dmp

    Filesize

    64KB

    Download