Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

21/02/2024, 23:22

240221-3cw62sha56 1

21/02/2024, 23:19

240221-3a76jaha43 4

21/02/2024, 23:19

240221-3axd2aha42 1

21/02/2024, 18:19

240221-wx9vbade42 8

Analysis

  • max time kernel
    119s
  • max time network
    78s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    21/02/2024, 23:19

General

  • Target

    Set-up.exe

  • Size

    7.3MB

  • MD5

    bc0672307ff08325dc4348c89bdc8999

  • SHA1

    45e37b595ac1b3ce6e3f6b6c12a9fa9c846addb4

  • SHA256

    24d2666c00ecd02350af0d70c8a9b71ed2bf0ce2553e61506fc1cbba0a9156b3

  • SHA512

    406c11bd4dbda325ee679f235988e8d1643d99de4dfd648d471857eee4892001011ffcc3fb9d1cda3161bce4fda70dcb2e5e3f1c5fd9e75091d49a6954864728

  • SSDEEP

    98304:Rz16s9EwkidrwQwPdz9u/ZZmDZJErFXQbZT7wIX0k5:Rz16gBrd3gu/XmDZiF0tH

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Set-up.exe
    "C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious use of FindShellTrayWindow
    PID:3912
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3536
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\regedit.exe
      regedit
      2⤵
      • Runs regedit.exe
      PID:2160

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads