Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

7

modest-menu.exe

windows7-x64

9

modest-menu.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    136s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08/03/2024, 20:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    modest-menu.exe

  • Size

    16.9MB

  • MD5

    ce03d8db32b901caba01fa8b1beefe54

  • SHA1

    76377cea7317bd28af0ccaab276bd49360936a9d

  • SHA256

    a568e2a4d89ab76ab9ff11b30bf320dcc4413353660678c51abc79863ff3c1c4

  • SHA512

    40ef98ee1dd411d3f634f9fe1ccdac0bc8fa5d13b1392ac5d045bf130db6efc5ebae48298d02a732fe634af953af10c004d54c3a4d5862b7f9cd6736f6ddbfca

  • SSDEEP

    393216:YwOMvc42XGU57JO0OTOUbHvnqdLNZHgbATTT9:Yeh2Xb1Ra4LNibATv

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 9 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\modest-menu.exe
    "C:\Users\Admin\AppData\Local\Temp\modest-menu.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2836
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2896
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x210
    1⤵
      PID:2744

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\System32\6xl5zm6smz6zs.exe
      Filesize

      591KB

      MD5

      72055dedf9d9a69e5ffc96a7e3c1e6f3

      SHA1

      b872ced57c472b323cb29b44ea23d0387cd3904b

      SHA256

      e1b8bc26a84a70ce525ab15ee44ac7a1ad09077f9de4348145305bafb4a1f446

      SHA512

      bbf5b40ab5928fea18724e213aab6a61bb85331b12ec5c0d7eee27d6c38cbdbd983b03d5f0a52a58a9b0dc3eabea7826b7a21bffe0fda5819e29cfaccde253a3

      Download Submit

    • C:\Windows\System32\CIRCoInst.dll
      Filesize

      9KB

      MD5

      fc1b8162b5300f77b4f341b0ad21d8ce

      SHA1

      36d4af6793fb43ab9c4799e10dc9a78f61293748

      SHA256

      905a317a20030688d52e4910db64e056017471cf647b6bee9bf6a6f976c51a13

      SHA512

      3e2ee44e1d13e1e66480793ddf5ac95d71b9490f37e9b07cfa69e21005ac1f5b37a2d3636d07166172840001722b8ebfa1a4c1029c76daad1353348210545bfc

      Download Submit

    • C:\Windows\System32\aspnet_counters.dll
      Filesize

      30KB

      MD5

      48a83b2c83fb48b31be28bc82b1b0cf5

      SHA1

      f2655a88fce154104e5e81eb001c43be787f34af

      SHA256

      c0a1f3e5ad061115e0ac349b1c6820744da3a0019d7e69cde7829d8c5d03a604

      SHA512

      613ba853aa30729c9014ee5ddb50a38cff188de0b17008f4870dd9202c61e09ec5c874deda7f016ba6eb6dd024b8b61d1dfb44b2ed8af714c5a667fde2cb618e

      Download Submit

    • C:\Windows\System32\atl100.dll
      Filesize

      154KB

      MD5

      53a3de22a97a40469fc6aeb54a151a61

      SHA1

      07c34cf6897053f9520b7c7c6899534559dd964a

      SHA256

      ece86e8a88de3a06ebda73d8945dda04df9a94a0c8f949c9c3e1c3d2355ca526

      SHA512

      390d90af3708d63346ff2bf33730a5740917df0f4c4973a7389b49001219568564a7b1e4616716f28bbd503ab6320c70c5b885c6c534b852a5a0945a320fd7be

      Download Submit

    • C:\Windows\System32\atl110.dll
      Filesize

      188KB

      MD5

      fe00086a2fc935af640c7f302c12fe89

      SHA1

      919d9e63a3ed879d04bb31dc9d43a1195e24878e

      SHA256

      873d57e5cd660d49b403780685e91b6e3bc9e65b6e59435e0c5a5dfa1de0422c

      SHA512

      b9b0642b824846090a47c31e2730a568aff79b65808439277ff1ab0c0f257236f276efb1aae71ead5f6ddc8362463a9ae6843f00266e5e82ec2720792446a786

      Download Submit

    • C:\Windows\System32\brcoinst.dll
      Filesize

      19KB

      MD5

      f02f93d5aec524052e4a37c1bb7ccf31

      SHA1

      90ac9d8a7708582ce517124355b3cd04e4af3bbb

      SHA256

      62aa0c49e6cd9b499e87c09fba55d5146e58ed68df4a5428855f50568bca3528

      SHA512

      d132d0f5c01d1a80fc03a692d970bdd4710194d7fb7e1d20693560cf7049c3da29c6a584f5fd13bfa921b08d3a2c94a1aa6cbd408866ce631570228c3cd53fd5

      Download Submit

    • C:\Windows\System32\concrt140.dll
      Filesize

      308KB

      MD5

      0b42ac3aff1633b0d7edb9fdf5e4ecd6

      SHA1

      2ca2129c8bbcbabc4e21368a6f9acf59a64d33fe

      SHA256

      5b757f98a5f3e4ab8b944067c12bec9d67a80aa31c7de702b15dbd199dd602ed

      SHA512

      afc8942f002ec2958eafebbbeb4b30c47c3e286c387322c4be8839b56f9a1621d556d8cb93caee6ece8bcbd1b99c96972a562b758080c183c27762b5a2acbee7

      Download Submit

    • memory/2836-8-0x000000013F260000-0x0000000141C6F000-memory.dmp

      Filesize

      42.1MB

      Download

    • memory/2836-9-0x000000013F260000-0x0000000141C6F000-memory.dmp

      Filesize

      42.1MB

      Download

    • memory/2836-10-0x000000013F260000-0x0000000141C6F000-memory.dmp

      Filesize

      42.1MB

      Download

    • memory/2836-11-0x000000013F260000-0x0000000141C6F000-memory.dmp

      Filesize

      42.1MB

      Download

    • memory/2836-0-0x000000013F260000-0x0000000141C6F000-memory.dmp

      Filesize

      42.1MB

      Download

    • memory/2836-13-0x000000013F260000-0x0000000141C6F000-memory.dmp

      Filesize

      42.1MB

      Download

    • memory/2836-14-0x0000000077940000-0x0000000077AE9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2836-7-0x000000013F260000-0x0000000141C6F000-memory.dmp

      Filesize

      42.1MB

      Download

    • memory/2836-6-0x000000013F260000-0x0000000141C6F000-memory.dmp

      Filesize

      42.1MB

      Download

    • memory/2836-5-0x000000013F260000-0x0000000141C6F000-memory.dmp

      Filesize

      42.1MB

      Download

    • memory/2836-1-0x0000000077940000-0x0000000077AE9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2896-12-0x0000000002000000-0x0000000002001000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2896-18-0x0000000002000000-0x0000000002001000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2896-17-0x0000000002020000-0x0000000002030000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2896-16-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2896-15-0x000000013F260000-0x0000000141C6F000-memory.dmp

      Filesize

      42.1MB

      Download

    • memory/2896-4-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2896-3-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2896-2-0x000000013F260000-0x0000000141C6F000-memory.dmp

      Filesize

      42.1MB

      Download