Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

poliigon-a...emy.py

windows10-2004-x64

8

poliigon-a...tte.py

windows10-2004-x64

3

poliigon-a...ite.py

windows10-2004-x64

3

poliigon-a...lib.py

windows10-2004-x64

3

poliigon-a...rry.py

windows10-2004-x64

3

poliigon-a...ing.py

windows10-2004-x64

3

poliigon-a...ado.py

windows10-2004-x64

3

poliigon-a...ond.py

windows10-2004-x64

3

poliigon-a...sgi.py

windows10-2004-x64

3

poliigon-a...ics.py

windows10-2004-x64

3

poliigon-a...tor.py

windows10-2004-x64

3

poliigon-a...ler.py

windows10-2004-x64

3

poliigon-a...ope.py

windows10-2004-x64

3

poliigon-a...ber.py

windows10-2004-x64

3

poliigon-a...zer.py

windows10-2004-x64

3

poliigon-a...ion.py

windows10-2004-x64

3

poliigon-a...ons.py

windows10-2004-x64

3

poliigon-a...ght.py

windows10-2004-x64

3

poliigon-a...ing.py

windows10-2004-x64

3

poliigon-a...ils.py

windows10-2004-x64

3

poliigon-a...py2.py

windows10-2004-x64

3

poliigon-a...py3.py

windows10-2004-x64

3

poliigon-a...ort.py

windows10-2004-x64

3

poliigon-a...ils.py

windows10-2004-x64

3

poliigon-a...ker.py

windows10-2004-x64

3

poliigon-a...ors.py

windows10-2004-x64

3

poliigon-a...ces.py

windows10-2004-x64

3

poliigon-a...ops.py

windows10-2004-x64

3

poliigon-a...ing.py

windows10-2004-x64

3

poliigon-a...box.py

windows10-2004-x64

3

poliigon-a.../ui.py

windows10-2004-x64

3

poliigon-a...ils.py

windows10-2004-x64

3

Analysis

  • max time kernel
    1081s
  • max time network
    875s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/03/2024, 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    poliigon-addon-blender/modules/sentry_sdk/integrations/sqlalchemy.py

  • Size

    4KB

  • MD5

    881629a12f456762bd72b97eb1d40f59

  • SHA1

    cdc8e301171f40896bcd2d933b4f031713f64e58

  • SHA256

    4719138cfe182828a87ff6beb41c9e8140bc0cbe6661cfa375b16e104abe92ca

  • SHA512

    74943df1e3341b90522e2a8b8d8fca1e9ec93a787f1aafd1e69dc476a929128ee8aa84919ab9e0dafdf7d613e8aa06b706ad8530f3c08b4683690511ed48884c

  • SSDEEP

    96:syBC+Sg4K2oH1kAT7IZJgiJxVMwvE552zwUQgMPXa:/CNoH1kA/kJgEjW55UQ9q

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\poliigon-addon-blender\modules\sentry_sdk\integrations\sqlalchemy.py
    1⤵
      PID:1452
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:796
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4580
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2732
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3860
    • C:\Windows\system32\werfault.exe
      werfault.exe /hc /shared Global\de15051ab89e438cb3072c73ccf6a56c /t 1192 /p 3560
      1⤵
        PID:4136
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4776
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4712
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3688
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3144
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3116
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2232
      • C:\Windows\system32\werfault.exe
        werfault.exe /hc /shared Global\3e770965d84341069b8461cd73d57dab /t 1920 /p 2232
        1⤵
          PID:4388
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:5056

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
          Filesize

          471B

          MD5

          a40c31078f3fd7182239be30c4323571

          SHA1

          3043f50ca078c74d5b838b9a92ad14aa6666ba4d

          SHA256

          fce3d27f11da8815145ec6d77495d0cb93db99ba1289301db7c8946e427fd64e

          SHA512

          1aa91b27c24084bc4fb340fe0427c02fae980402eff909501a037f656d651f49f56d5a83801fb5e06ea3eaa4a63056557e77b116dc857eccd048164aaec7d5aa

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
          Filesize

          412B

          MD5

          c4cde3dfe87bd52daed828c58e50ecd7

          SHA1

          31db3f994e96fd23c729cc2e7336a2a4837b9cd4

          SHA256

          13394e770453aa3119c8ffe42b6c7ab79d2e7028342326a0d764b14176a77651

          SHA512

          53408aff4063a0ce7f20a4d74541c872de6747ff8406f0202a3807d5627dc94b50f1ecd93997281d4acce718443362f10cfea6246a43fc2c796d21e6ceadfa2c

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133545482830045292.txt
          Filesize

          74KB

          MD5

          80dffedad36ef4c303579f8c9be9dbd7

          SHA1

          792ca2a83d616ca82d973ece361ed9e95c95a0d8

          SHA256

          590ca4d2f62a7864a62ccb1075c55191f7f9d5c5304ea3446961bb50f9e3916e

          SHA512

          826b97a4de7c765f8f5ebc520960f68381fd9f4bfe68c2fbe46c6118110c9c14a87dcb8ed8102e60a954b4b3c408f72e7a93fd96317be3d51120a2ddd2faa3ea

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\Q5ROSPP2\microsoft.windows[1].xml
          Filesize

          97B

          MD5

          bdb8a591dda2dd9c96d20d4b44a5d041

          SHA1

          9e75f7deb9825c0cda7e25f66f0221f5c74c8d72

          SHA256

          7fcf82e6510873bad2d4687d21bc368fdc7e8576a8d54fc94284e1dbedda172f

          SHA512

          79166507556413e667d3bc7d5f24f1d87aed86d7b03e04b5591343cf307468b7b0446adfdf0452edbd657e97e840fa446314be0250d2b2966bff67d1261db439

          Download Submit

        • memory/2232-122-0x0000014D3CD20000-0x0000014D3CD40000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2232-120-0x0000014D3C920000-0x0000014D3C940000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2232-118-0x0000014D3C960000-0x0000014D3C980000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3116-101-0x000001EAFBFF0000-0x000001EAFC010000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3116-99-0x000001EAFBB40000-0x000001EAFBB60000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3116-97-0x000001EAFBB80000-0x000001EAFBBA0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3144-81-0x000001FF9D9F0000-0x000001FF9DA10000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3144-76-0x000001FF9D620000-0x000001FF9D640000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3144-78-0x000001FF9D3E0000-0x000001FF9D400000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3688-60-0x0000012C6A600000-0x0000012C6A620000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3688-57-0x0000012C6A200000-0x0000012C6A220000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3688-55-0x0000012C6A240000-0x0000012C6A260000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3860-14-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4712-37-0x000001C08BB70000-0x000001C08BB90000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4712-34-0x000001C08B3D0000-0x000001C08B3F0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4712-22-0x000001C08B720000-0x000001C08B740000-memory.dmp

          Filesize

          128KB

          Download

        • memory/5056-133-0x0000018E3D950000-0x0000018E3D970000-memory.dmp

          Filesize

          128KB

          Download

        • memory/5056-136-0x0000018E3D910000-0x0000018E3D930000-memory.dmp

          Filesize

          128KB

          Download

        • memory/5056-139-0x0000018E3DD20000-0x0000018E3DD40000-memory.dmp

          Filesize

          128KB

          Download