Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/02/2024, 04:36

General

  • Target

    9ac49679720474f3fa68f27b9010f224.exe

  • Size

    147KB

  • MD5

    9ac49679720474f3fa68f27b9010f224

  • SHA1

    8e179bd3986a11157270a009e2fc677422b451c0

  • SHA256

    e88ebfe8ac396c0497f4721035a223db4d50132e2f2d2e83ca5893c35d095341

  • SHA512

    81a6a8c990679669fcd363a6f2c368a4c0c92596fd17dd7e4a6c568fa54e9a7f52f1c3627e78513ef93a33a2c57714f56cf125ac90da88072b816ea48296ade7

  • SSDEEP

    3072:GPQt3aMxzd3o9fUPHC56IXsLkce6p23CskJXljt/wOl2RkOIEY:GPhaCEHpMGljt/RYkB

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ac49679720474f3fa68f27b9010f224.exe
    "C:\Users\Admin\AppData\Local\Temp\9ac49679720474f3fa68f27b9010f224.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4240
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt8552.bat
      2⤵
      • Checks computer location settings
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5016
      • C:\Windows\SysWOW64\regedit.exe
        C:\Windows\regedit.exe /s C:\Users\Admin\AppData\Local\Temp\323.reg
        3⤵
        • Sets service image path in registry
        • Runs .reg file with regedit
        PID:4620
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3⤵
          PID:3812
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run" /v "Windows Genuine Advantage" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\wgatray.exe"
          3⤵
          • Adds policy Run key to start application
          PID:1448
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          3⤵
            PID:4956
          • C:\Windows\SysWOW64\reg.exe
            C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 0x00000001 /f
            3⤵
              PID:3140
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" "http://ver.lovezinho.com"
              3⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2984
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2984 CREDAT:17410 /prefetch:2
                4⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3996
            • C:\Windows\SysWOW64\PING.EXE
              C:\Windows\system32\ping.exe www.google.com -n 1 -l 1
              3⤵
              • Runs ping.exe
              PID:1432
            • C:\Windows\SysWOW64\find.exe
              find "TTL"
              3⤵
                PID:4980
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector" /v IE
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2060
                • C:\Windows\SysWOW64\reg.exe
                  reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector" /v IE
                  4⤵
                    PID:5040

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

              Filesize

              471B

              MD5

              34a715b7eff98727a79196c12548166d

              SHA1

              d5e289b29da4499777553a8a18000554d3664059

              SHA256

              6b41a389423de69980de3d667fca2f72e5ce6224dcea62d765862d07e76f9f01

              SHA512

              62de58bac2f19abcfd8503f2b0abf64872a6354c140e020975d40fda1c975ed3ccc9f05a58ab45663c3eee52dbb5d6974aca6df78f7e60e780f5320622516860

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

              Filesize

              404B

              MD5

              914f611634fc87d242e62fd2413712ff

              SHA1

              df436c229385f39960be48939a0314b956504e31

              SHA256

              57dfb0dd39bacb4760e3250763708416e3a078d8cc6f20c0dc35e599d7f29779

              SHA512

              8d2813ca9f634451d25a4b19085a535b6f15200a7cfb5eb7fa1d17f670fc9b03e66966ffd5232a045abcd832c09bb1052e9170b473ebff75acf72f9d0cac6e6d

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GUTCV3OF\suggestions[1].en-US

              Filesize

              17KB

              MD5

              5a34cb996293fde2cb7a4ac89587393a

              SHA1

              3c96c993500690d1a77873cd62bc639b3a10653f

              SHA256

              c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

              SHA512

              e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

            • C:\Users\Admin\AppData\Local\Temp\323.reg

              Filesize

              1KB

              MD5

              10bc201c5d51010650443adc933e4166

              SHA1

              71676b93cf04961657e50fc1fe4bc20ee5ea6079

              SHA256

              9c67e59028ac82abc17381b92c143b3c4b4395c5b8ce80b4a9081139f5931af0

              SHA512

              b3f8b307805922f19aca687b3355c06cdb029615cb89ad6b1a6144dd0c364f2cc418ed95a94fdd741d51b4cc1bb4b75971756fffe2f87d26ae5e5e1d87dd8b9d

            • C:\Users\Admin\AppData\Local\Temp\bt8552.bat

              Filesize

              6KB

              MD5

              8147cbd0ddf1c7b8df78b7bcddd1c856

              SHA1

              91eb0f3b4e99e11d07271c34e5dbfccd0801c4a4

              SHA256

              9c691aad1fff084cf2b9b2fd2cb21cba238364f2f1352cbf141e5f53ccca1ce8

              SHA512

              827e1f75308f8a231cbad9481a527585125bc3f64760a56ed2648eef2c7fcd230c09472265f2aeffa3a0012aec29354c38d7d5e67bc4c5dbda1c5694c2987094

            • memory/4240-40-0x0000000000400000-0x000000000042C000-memory.dmp

              Filesize

              176KB