Resubmissions

28/02/2024, 20:03

240228-ysngmacf76 8

28/02/2024, 19:57

240228-ypkasscd8t 8

Analysis

  • max time kernel
    47s
  • max time network
    85s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    28/02/2024, 19:57

Errors

Reason
Machine shutdown

General

  • Target

    VMware Workstation Pro Full 2023 v23.0.01 + Patch.exe

  • Size

    594.9MB

  • MD5

    7e680bb7565e19a287163ff51d3ebf7c

  • SHA1

    3780d44b47a530f7ac07873b3b7cf3ae72511d01

  • SHA256

    93d3013f0a9155d6618915dd3e4dd68c2d180d6ea2baa77eb96965006e676a8f

  • SHA512

    fc2eab22f8573c0c385aab8673f4eb22d802b5568eceed2f3df1d23e3332c5e80ce5f3d7bcc6276448e8967b97bc90f134d75e7e2900289c9235808ee54b0eee

  • SSDEEP

    12582912:fnXZ/3yW7J9gw0021l1VPRnzTYQEELLNKKvEHQZZQCVZZm6jP3S5pWWQN5gn+WVM:Q

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VMware Workstation Pro Full 2023 v23.0.01 + Patch.exe
    "C:\Users\Admin\AppData\Local\Temp\VMware Workstation Pro Full 2023 v23.0.01 + Patch.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Users\Admin\AppData\Local\Temp\is-657OG.tmp\VMware Workstation Pro Full 2023 v23.0.01 + Patch.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-657OG.tmp\VMware Workstation Pro Full 2023 v23.0.01 + Patch.tmp" /SL5="$501E4,623000314,832512,C:\Users\Admin\AppData\Local\Temp\VMware Workstation Pro Full 2023 v23.0.01 + Patch.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Users\Admin\AppData\Local\Temp\is-M7TV9.tmp\setup.exe
        "C:\Users\Admin\AppData\Local\Temp\is-M7TV9.tmp\setup.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1288
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3af1855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3860

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W0AZVRYP\dub[1].php

    Filesize

    2B

    MD5

    444bcb3a3fcf8389296c49467f27e1d6

    SHA1

    7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

    SHA256

    2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

    SHA512

    9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

  • C:\Users\Admin\AppData\Local\Temp\is-657OG.tmp\VMware Workstation Pro Full 2023 v23.0.01 + Patch.tmp

    Filesize

    3.1MB

    MD5

    91936b89c960ba396f63854dc0d72fe9

    SHA1

    07dd963c77e275c338986363131fb64fa6caa8e8

    SHA256

    e3f317709cf3c5cdee48763b493fa59881cfdd07fd22985c07910592d2c3e57c

    SHA512

    9203515d65a7197d6296794a6a2ea045d08a1b17a5d2a297f150e89f93524e9f7e23e64ae57709622285b9c8e4105de4b8ec1679c5f4a5c442efc0464f1ed623

  • C:\Users\Admin\AppData\Local\Temp\is-M7TV9.tmp\setup.exe

    Filesize

    67KB

    MD5

    61dff4cddd6e39d56855d3c000e69641

    SHA1

    84aea15fe6bfce328761473f65f56825d56a2266

    SHA256

    f40ad5918fe55eb3347d6a8540aba56e0f23952f73ebfee1a327944aa3ee5429

    SHA512

    1dbdecfd8c23fda953939c65359711b94eba0e045cbb6d0b653f3a2b4ac913513ca9269304069195fd0e5573689d5d6b28d67caf7a8689e94229498a5aef1425

  • \Users\Admin\AppData\Local\Temp\nsm56B7.tmp\INetC.dll

    Filesize

    25KB

    MD5

    40d7eca32b2f4d29db98715dd45bfac5

    SHA1

    124df3f617f562e46095776454e1c0c7bb791cc7

    SHA256

    85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

    SHA512

    5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

  • memory/1132-0-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

  • memory/1132-10-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

  • memory/1132-117-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

  • memory/4332-5-0x00000000007C0000-0x00000000007C1000-memory.dmp

    Filesize

    4KB

  • memory/4332-19-0x0000000000400000-0x000000000071C000-memory.dmp

    Filesize

    3.1MB

  • memory/4332-46-0x0000000000400000-0x000000000071C000-memory.dmp

    Filesize

    3.1MB

  • memory/4332-47-0x00000000007C0000-0x00000000007C1000-memory.dmp

    Filesize

    4KB

  • memory/4332-116-0x0000000000400000-0x000000000071C000-memory.dmp

    Filesize

    3.1MB