Analysis
- max time kernel: 132s
- max time network: 278s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/01/2024, 18:54
Static task
- static1
Behavioral task
- behavioral1
  - Sample: efed9df5db764689c3ba1a06084599f47278e8a7a6732fb35f5ed1b01748864f.appx
  - Resource: win10v2004-20231215-en
Behavioral task
- behavioral2
  - Sample: efed9df5db764689c3ba1a06084599f47278e8a7a6732fb35f5ed1b01748864f.appx
  - Resource: win11-20231222-en
General
- Target: efed9df5db764689c3ba1a06084599f47278e8a7a6732fb35f5ed1b01748864f.appx
- Size: 135.6MB
- MD5: e347a58cf88cc6f686207d30d2e3db65
- SHA1: 8b24338138775079f8fdd85366fed7598a9f288d
- SHA256: efed9df5db764689c3ba1a06084599f47278e8a7a6732fb35f5ed1b01748864f
- SHA512: d9347486a247e40f53b27270bca7afa29b428236be514d5261a19115226dc07de776c84fa6b0d0150f6e7d5d8bdfadba0da2d9ec9c6a5ca1d2a17943ebcadc43
- SSDEEP: 3145728:YZXsiKRnMfIcYNVZiTeoVu1uX7rAUMg47zNO0SPo8Z1Z4wX1JfSbmbd3d:Y9ontcyVZiamAuLX947xOj1Z4wlQbw
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 59, pid 4004, Process powershell.exe
- Executes dropped EXE (1 IoC)
  pid 2220, Process VC_redist.x86.exe
- Loads dropped DLL (1 IoC)
  pid 2220, Process VC_redist.x86.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates system info in registry (2 TTPs, 1 IoC)
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier; Process: xcopy.exe
- Modifies registry class (1 IoC)
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings; Process: powershell.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 4080, Process powershell.exe (2 entries)
  pid 760, Process Powershell.exe (2 entries)
  pid 4004, Process powershell.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege; pid 4080; Process powershell.exe
  Token: SeDebugPrivilege; pid 760; Process Powershell.exe
  Token: SeDebugPrivilege; pid 4004; Process powershell.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2220, Process VC_redist.x86.exe
- Suspicious use of WriteProcessMemory (30 IoCs, grouped by source/target pair)
  pid   wrote to   Process             procid_target   entries
  4388  1004       AiStubX86.exe       90              3
  4388  760        AiStubX86.exe       92              5
  760   4004       Powershell.exe      94              5
  4388  4480       AiStubX86.exe       95              14
  4480  2220       VC_redist.x86.exe   96              3
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell start shell:AppsFolder\Midjourney.Midjourney_jqzvp2n7sb70p!VCredist.x86.exe
  PID: 4080
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\AI_STUBS\AiStubX86.exe
  Command line: "C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\AI_STUBS\AiStubX86.exe"
  PID: 4388
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\xcopy.exe
    Command line: "xcopy.exe" "C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\VFS\AppData" "C:\Users\Admin\AppData\Local\Packages\Midjourney.Midjourney_jqzvp2n7sb70p\LocalCache\Roaming" /e /s /y /c /h /q /i /k
    PID: 1004
    - Enumerates system info in registry
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Command line: Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file 'C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\refresh.ps1'"
    PID: 760
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\refresh.ps1"
      PID: 4004
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\VC_redist.x86.exe
    Command line: "VC_redist.x86.exe"
    PID: 4480
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Temp\{98D31A1E-44E6-4582-9F9C-848841B972F9}\.cr\VC_redist.x86.exe
      Command line: "C:\Windows\Temp\{98D31A1E-44E6-4582-9F9C-848841B972F9}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p\VC_redist.x86.exe" -burn.filehandle.attached=556 -burn.filehandle.self=536
      PID: 2220
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
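The tree above is the part of this report worth turning into detection logic: the package's stub launcher (AiStubX86.exe) copies the package's VFS\AppData into the app's LocalCache, spawns 32-bit PowerShell with -ExecutionPolicy RemoteSigned to run StartingScriptWrapper.ps1 and refresh.ps1 straight out of C:\Program Files\WindowsApps, and refresh.ps1 (PID 4004) is the process that makes the flagged network request. RemoteSigned only demands a signature for scripts carrying an internet Zone.Identifier, so scripts installed inside a package run unsigned. The VC_redist.x86.exe relaunch from C:\Windows\Temp\{GUID}\.cr\ with -burn.clean.room is the normal WiX Burn bootstrapper "clean room" behaviour, which is what trips "Executes dropped EXE" and "Loads dropped DLL"; on its own it is low signal. The Python below is an added example, not part of the tria.ge report: the events are constructed from the Processes section (PIDs, images, command lines) with parent links taken from the WriteProcessMemory entries, and the Proc record, rule names and thresholds are my own.

```python
"""Rebuild a sandbox process tree and flag the AppX launcher pattern shown in
this report. The EVENTS list is constructed from the report's Processes
section; rule names and the Proc structure are this example's own."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]        # None for a root the sandbox did not attribute
    image: str
    cmdline: str
    network: bool = False      # sandbox flagged this process for a network request


PKG = r"C:\Program Files\WindowsApps\Midjourney.Midjourney_4.0.3.17_x86__jqzvp2n7sb70p"
TMP = r"C:\Windows\Temp\{98D31A1E-44E6-4582-9F9C-848841B972F9}\.cr"

# Constructed from the Processes section above (parent links from WriteProcessMemory).
EVENTS = [
    Proc(4080, None, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell start shell:AppsFolder\Midjourney.Midjourney_jqzvp2n7sb70p!VCredist.x86.exe"),
    Proc(4388, None, PKG + r"\AI_STUBS\AiStubX86.exe", '"' + PKG + r'\AI_STUBS\AiStubX86.exe"'),
    Proc(1004, 4388, r"C:\Windows\SysWOW64\xcopy.exe",
         '"xcopy.exe" "' + PKG + r'\VFS\AppData" '
         r'"C:\Users\Admin\AppData\Local\Packages\Midjourney.Midjourney_jqzvp2n7sb70p\LocalCache\Roaming" '
         r'/e /s /y /c /h /q /i /k'),
    Proc(760, 4388, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe",
         'Powershell.exe -ExecutionPolicy RemoteSigned -file "' + PKG + r'\StartingScriptWrapper.ps1" '
         '"Powershell.exe -ExecutionPolicy RemoteSigned -file \'' + PKG + r'\refresh.ps1' + "'\""),
    Proc(4004, 760, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file "'
         + PKG + r'\refresh.ps1"', network=True),
    Proc(4480, 4388, PKG + r"\VC_redist.x86.exe", '"VC_redist.x86.exe"'),
    Proc(2220, 4480, TMP + r"\VC_redist.x86.exe",
         '"' + TMP + r'\VC_redist.x86.exe" -burn.clean.room="' + PKG
         + r'\VC_redist.x86.exe" -burn.filehandle.attached=556 -burn.filehandle.self=536'),
]

WINDOWSAPPS = "c:\\program files\\windowsapps\\"
# -file <script>.ps1, with or without surrounding quotes; finditer catches nested launches
PS1_ARG = re.compile(r"""-file\s+["']?([^"']+?\.ps1)""", re.IGNORECASE)
# WiX Burn clean-room relaunch path: \Windows\Temp\{GUID}\.cr\
BURN_CLEAN_ROOM = re.compile(r"\\windows\\temp\\\{[0-9a-f-]+\}\\\.cr\\", re.IGNORECASE)


def build_index(events):
    return {p.pid: p for p in events}


def ancestry(index, pid):
    """Return [pid, parent, grandparent, ...]; stops at a root, an unknown parent or a cycle."""
    chain, seen = [], set()
    while pid is not None and pid in index and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = index[pid].ppid
    return chain


def rooted_in_package(index, pid):
    """True if the process or any ancestor runs from a WindowsApps package directory."""
    return any(index[p].image.lower().startswith(WINDOWSAPPS) for p in ancestry(index, pid))


def scripts_from_windowsapps(cmdline):
    """Every -file argument pointing at a .ps1 inside a WindowsApps package."""
    return [m.group(1) for m in PS1_ARG.finditer(cmdline)
            if m.group(1).lower().startswith(WINDOWSAPPS)]


def detect(events):
    """Return (rule, pid, detail) triples for the behaviours seen in this report."""
    index = build_index(events)
    findings = []
    for p in events:
        img, cl = p.image.lower(), p.cmdline.lower()
        if img.endswith("powershell.exe"):
            scripts = scripts_from_windowsapps(p.cmdline)
            if scripts:
                findings.append(("ps1_from_windowsapps", p.pid, scripts))
        if img.endswith("xcopy.exe") and "\\vfs\\" in cl and "\\localcache\\" in cl:
            findings.append(("vfs_copy_to_localcache", p.pid, p.cmdline))
        if BURN_CLEAN_ROOM.search(p.image):      # expected for any WiX Burn installer
            findings.append(("bootstrapper_relaunch_from_temp", p.pid, p.image))
        if p.network and rooted_in_package(index, p.pid):
            findings.append(("package_script_network", p.pid, ancestry(index, p.pid)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

Run against the constructed events it reports five findings: both PowerShell instances (760 and 4004) executing package scripts, xcopy (1004) seeding LocalCache from VFS, the Burn clean-room relaunch (2220), and the network request from 4004 with its ancestry 4004 → 760 → 4388 back to the package stub. The launcher in PID 4080 is not flagged because it runs no script file and has no package ancestor; the `ancestry` chain is what lets you tell a package-rooted network request apart from a stray PowerShell on the host.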
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 6195a91754effb4df74dbc72cdf4f7a6
  SHA1: aba262f5726c6d77659fe0d3195e36a85046b427
  SHA256: 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
  SHA512: ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89
- Filesize: 64B
  MD5: ac013f8d5f5e6b67ed75d9eef1cecc35
  SHA1: 9a5ca0b77346127828ad143e92e75122e319cf95
  SHA256: a9818dbb0823141b7dc294e1a2cd9967cf615dece060ee4fafc5f09a63ede63e
  SHA512: 7492516e78ba5dabec88c7ede564a9a87335319a3bc2296c6659ba47cc28b881b92d26eee65117f764f951fba2854e19f4a4750e8d22d1a3850b473cdccce254
- Filesize: 16KB
  MD5: 77a3319f6940cca2122314778bd9a1b9
  SHA1: a12c153108c4b97dfa1f8d91ee6dfae12647d111
  SHA256: 1be911c1ad808ab0c28ac84672b115aff7d7592ed720288549b9ecb443b234ff
  SHA512: eb78d718ce1b59f4fd8a2b5069ce3eb8dfb45cfbb437c467f05fbb689ed3cb0f8f5ddceba7b44baae159a4b50f617ac8ca881d0d78a0d048355d960e97b79298
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 634KB
  MD5: 415e8d504ea08ee2d8515fe87b820910
  SHA1: e90f591c730bd39b8343ca3689b2c0ee85aaea5f
  SHA256: e0e642106c94fd585782b75d1f942872d2bf99d870bed4216e5001e4ba3374c0
  SHA512: e51f185c0e9d3eb4950a4c615285c6610a4977a696ed9f3297a551835097b2122566122231437002c82e2c5cf72a7a8f67362bff16b24c0abe05fe35dddbf6a1
- Filesize: 1KB
  MD5: d6bd210f227442b3362493d046cea233
  SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
  SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
  SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
- Filesize: 191KB
  MD5: eab9caf4277829abdf6223ec1efa0edd
  SHA1: 74862ecf349a9bedd32699f2a7a4e00b4727543d
  SHA256: a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
  SHA512: 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2