Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/03/2024, 19:58

General

  • Target

    253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe

  • Size

    4.2MB

  • MD5

    873c6264052761245df6b117738ac825

  • SHA1

    855b7550370d5e7ae1e530d1b99cd1103fc0b626

  • SHA256

    253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5

  • SHA512

    9a8de1df29aa30f86f1b7bd6026b861749828c36c44023ee2ae8d3e5d53ca4561a7d45df34e39caf2deb729698f90bd80f29abc814f33aedb13a4fae7491f698

  • SSDEEP

    6144:8cFvrd1rWkNYiclkBw1x42dy8r1YA+ycK23+86JQPDHDdx/QtqV:d1dCicWy1xFc8r1N+ZKlPJQPDHvd

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 29 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe
    "C:\Users\Admin\AppData\Local\Temp\253935677b9f338c6a8408e1d356b204036b8af3a57b3a8942079137b9660bf5.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1996
    • C:\Users\Admin\AppData\Local\Temp\adnru.exe
      "C:\Users\Admin\AppData\Local\Temp\adnru.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:4460
    • C:\Users\Admin\AppData\Local\Temp\adnru.exe
      "C:\Users\Admin\AppData\Local\Temp\adnru.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • System policy modification
      PID:412
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4660

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\rtcfhlovzxbuodksfelnwzbfip.rvo

      Filesize

      260B

      MD5

      5835f83e9227994668fa7e5e514b3906

      SHA1

      5a86e57259ce9978d1fe1e6dea0a1bb8884c16d8

      SHA256

      11b3948cfcd3fc7904e0570bf1f91e33fdcc58ce3ae7026654f6f965fefb72e4

      SHA512

      1cd1265d8e557b9c40fe9305bf78fc84bc85bd7457ebd26dcf72aabdb15eea2a569ae8e902200d291127d50279ece4dd5939761a880bda03673d941028d9a2ee

    • C:\Program Files (x86)\rtcfhlovzxbuodksfelnwzbfip.rvo

      Filesize

      260B

      MD5

      521d978fde91b82eb74a9ac7564e5c09

      SHA1

      a9a607d32d87812414fb2c6f049b51dc0b4d64cf

      SHA256

      d662d322e9dc96d25c528f3f88154023b14acf2e6f91b3a7dcd312dd3957c2dd

      SHA512

      574f89b9b13f90e2335026a4044f4398a9fa7d360190e3d5405d20275e9dfff1d8cf1423c11964203de0155ba2d07e75ac58f95af3855d7821adb4ba2639ed54

    • C:\Program Files (x86)\rtcfhlovzxbuodksfelnwzbfip.rvo

      Filesize

      260B

      MD5

      6314b13ab47d4baf857d48f0bb1d2319

      SHA1

      ce760b3d74780856ca46313330d6249487ac2ba3

      SHA256

      4a657f267848b6411eb401c33561d763c3a3eca60f2b355ca92d8b1ea07e093c

      SHA512

      af29c8811a7194180d902e6c084334a9d4068c8595ea5b22e5d6a0e7fc1c5d2cefee8d3620ba1221db9329fc8d79ff95d1e732852d1e2cdc89017447a02abb5f

    • C:\Program Files (x86)\rtcfhlovzxbuodksfelnwzbfip.rvo

      Filesize

      260B

      MD5

      68648de106ae19ab9366baa567d56c15

      SHA1

      c29b1d9912a4d16f5d509fa5d382aac8ace81e73

      SHA256

      6b76e97933051b2de85ba9bdeaeda0502c1d3773e929f30434b82ef90c4e065b

      SHA512

      086b31c3a5a31e0149cd8fce24c7d564fbb99785c3448f5670fec49c1c6febfaa0b3acf720b047e4a5c7eef6ba731517128856073fc48b1f5bd39529da8e1854

    • C:\Program Files (x86)\rtcfhlovzxbuodksfelnwzbfip.rvo

      Filesize

      260B

      MD5

      ec4394292b383ed3c1625eb8cdaa5b5b

      SHA1

      36a504832abc54521a282edfc4ae589f610d95f0

      SHA256

      808fe8e264bc60152d8a45e94ba4ecdbbd5d1dbca569fb6b3e94ae626d169a1b

      SHA512

      5c036ddaab5f70de18c438835f01445729f5c58d7d51e455c73be30e6e78bd05406e733beb40b17accef70cd7f0260a3da5810ddfe72a0a48419f83b36fe0f56

    • C:\Program Files (x86)\rtcfhlovzxbuodksfelnwzbfip.rvo

      Filesize

      260B

      MD5

      6fb2ed374a251b4c5838926b5357b88b

      SHA1

      9204ac12a5cbd6e917b12b9d57b4e4bc7c59e709

      SHA256

      c637a5cb96958a0f92264e8278bdb0f41ab35911255e488b216d19d694c59153

      SHA512

      6ff58d7acf313d2be6395bc2ff3ca8d469234af8ca0784c0e4716b7fb68f9551296088022fc62f3d9e55ad4915f46ecde0a8a28199133a4babef7dd466b33a62

    • C:\Users\Admin\AppData\Local\Temp\adnru.exe

      Filesize

      5.6MB

      MD5

      623242ad35bdd716bb2d0477a0f59250

      SHA1

      b97e85c9f67ed7f448d8523b4e2afbd4f9ac0660

      SHA256

      69d7f52b051e34d0361e6a82bc450b51168ebfe339f475aa4ae9b3926c4ee57d

      SHA512

      3f15a2afcf8c4563b5152d28712fece07ed8bd6b52db2a8a8512c11b0fe9d8bd57993523b392058bef9ffb5e3569447a00719bd276aa89a613aaaf6452c90ced

    • C:\Users\Admin\AppData\Local\rtcfhlovzxbuodksfelnwzbfip.rvo

      Filesize

      260B

      MD5

      c6d167a5c11ac45fe04686faecd88e63

      SHA1

      fd7378836ca916482602807f3277eb4eaa7d6bb6

      SHA256

      3b6468cb35077baec22ff42b2a2f3ca208c1430a510889a1ddefa26926a8eeeb

      SHA512

      7d4887d70e889b8e6ea39ade3dd410cd0e23bbf3482ee18cf5c14a18e162c3bcee8682ce720e3b8e2218c0b29e0c48d61d0eb3a0d49a23a73d2fdfe9212f3e71

    • C:\Users\Admin\AppData\Local\rtcfhlovzxbuodksfelnwzbfip.rvo

      Filesize

      260B

      MD5

      1be32faf4d838a09705d9fa417d8ec56

      SHA1

      f5866fd82ced60b9417843671a1d7af639ee3a7a

      SHA256

      2b0c431548fcd20276c70cf9d27db68306051b79760e81fd1e050efbccd5312e

      SHA512

      c734eedad558396665ffbeebf148b4fed389e985dd85eb449645f8494a916cd4c416a0f5cd5e6442f40b105c720eb9a8671404debfed7671acddd6212a0d2af1

    • C:\Users\Admin\AppData\Local\sfznapdvktimrrjcakcpjxkznfudswbbtmkum.thu

      Filesize

      3KB

      MD5

      75cd60233103e3c4cae7efb8abc92091

      SHA1

      3f1878fb452e27a6cbf28c0dcac3b6ee5d2d711e

      SHA256

      d5040d478b14b37bb3521b209db89154bf360335c8c77c2e430999f8adce249b

      SHA512

      6e549c5e971bb46f0e7c9d33df58835ce2b6030d0859b2d1c26cd4c6bcb2959aa5dd8f4f124a9b1c170a5e74a535e7c9fbaed546b5a4cc785532058610b2df31