Resubmissions

14/03/2024, 06:23

240314-g5qdbacf8y 7

Analysis

  • max time kernel
    419s
  • max time network
    429s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    14/03/2024, 06:23

General

  • Target

    GuitarHero3v1.0NoDVDFixedexeEng.rar

  • Size

    2.2MB

  • MD5

    49eae464a298745c83d678b21fd8a0d9

  • SHA1

    356bf3e4d8f0117b206ffa34333a06b5462aa867

  • SHA256

    5da19210c2588a20d1dd9bcaf6c376d34121c39ce0bbd44c96632c1e2b46be94

  • SHA512

    6838a2b73a9248bb2e65cc8a82045494993ff97e8f7a2beeec1fc5bcfd82f6863eae7551eaad20ee8274c2a46af2154e556b16fea09e6e774acfecdb9034c943

  • SSDEEP

    49152:eAB1Bb0a3aDdWidN4FRL1lpR2tm5eiC3kjGI:e0AaqcKNOL1luY

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\GuitarHero3v1.0NoDVDFixedexeEng.rar
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\GuitarHero3v1.0NoDVDFixedexeEng.rar"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3412
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:5052
    • C:\Windows\System32\DataExchangeHost.exe
      C:\Windows\System32\DataExchangeHost.exe -Embedding
      1⤵
        PID:236
      • C:\Windows\system32\msinfo32.exe
        "C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Downloads\no\hatred.nfo"
        1⤵
        • Checks SCSI registry key(s)
        • Enumerates system info in registry
        PID:900
      • C:\Users\Admin\Downloads\no\gh3.exe
        "C:\Users\Admin\Downloads\no\gh3.exe"
        1⤵
        • Executes dropped EXE
        PID:3536
      • C:\Users\Admin\Downloads\no\gh3.exe
        "C:\Users\Admin\Downloads\no\gh3.exe"
        1⤵
        • Executes dropped EXE
        PID:5032
      • C:\Users\Admin\Downloads\no\gh3.exe
        "C:\Users\Admin\Downloads\no\gh3.exe"
        1⤵
        • Executes dropped EXE
        PID:1476
      • C:\Users\Admin\Downloads\no\gh3.exe
        "C:\Users\Admin\Downloads\no\gh3.exe"
        1⤵
        • Executes dropped EXE
        PID:3064
      • C:\Users\Admin\Downloads\no\gh3.exe
        "C:\Users\Admin\Downloads\no\gh3.exe"
        1⤵
        • Executes dropped EXE
        PID:1760
      • C:\Users\Admin\Downloads\no\gh3.exe
        "C:\Users\Admin\Downloads\no\gh3.exe"
        1⤵
        • Executes dropped EXE
        PID:5004

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Downloads\no\gh3.exe

    Filesize

    3.5MB

    MD5

    9a10bfb5f35485de6201f5eb9ba5bae7

    SHA1

    0d41f046720881888254fa5366029c55a7ee2dd7

    SHA256

    178b3c7359143ff2a7a267447bf36262bbdf7544542bcf2f7d4419d8b8068e9e

    SHA512

    b1e57e0ad3ddd934e05a8f53c94007d2c49a01f2ef75ba8b3257ef99e500afb12a74d0a2addeb6fcb7a8deb0331f5319a21d48d72a9442b153b2bdbaabc8269a

  • C:\Users\Admin\Downloads\no\gh3.exe

    Filesize

    1.3MB

    MD5

    da14d0b7d8ba5eb8444e1d3e0179d326

    SHA1

    a67b1fbde9459ea2b141f1e5e14d827b7244ec1c

    SHA256

    ea4ad3b243c886216f3329cdf02f7eb16991b2caf7f02509efb828fd276de48f

    SHA512

    cbfba38842766e1e16cd4c963da0044671398ec64dbfb42eb69faed2b0c7272c72efe2ad33da565d810bb1252d4cb712bae004866c89a1b340561656b90119c0

  • C:\Users\Admin\Downloads\no\gh3.exe

    Filesize

    2.3MB

    MD5

    bd2233047dde1326cb8708971fa82bbe

    SHA1

    ae4b8d6fb46a044abf7d664754b43cc6e7a3023b

    SHA256

    f742353c4839ca759f20b05d848382823181b406fd3d1517e4cea6f8aa76fd3b

    SHA512

    72f35aa1fcbd0de2ce2fca2a86763bf219fca35ca11f61c17e0ace02a1c305a3aa098cfeaaf3a9f4ddf5b2275e0c95c9ca2b07609fa6a89d6e67401cc5622a13

  • C:\Users\Admin\Downloads\no\gh3.exe

    Filesize

    6.7MB

    MD5

    8b38b231bf569a739b82b17420e90184

    SHA1

    37383076d72831cd9bdbfada193424c9ed957015

    SHA256

    801f8a522651a479d63a9ff5fbde5be949ba0b7ad2ec0e5fb1d92ab1a8ef2154

    SHA512

    bd85c75a2600622cdb80be1d8a298064cf4ee399befaaae2e8da742c69a37cadcc7cc476fe358d13e4eff848fa14dd9c8cc47249e9aadb7aa0ef23143fe36941

  • C:\Users\Admin\Downloads\no\hatred.nfo

    Filesize

    7KB

    MD5

    bffbe7b2f954ec21605155ba5faa8147

    SHA1

    89a2b27c87e206ceae59f188821c4698b19ab35d

    SHA256

    871f71e3fcd8c7ee63a3bd672d22429e2d96fff6bae3b4aa40db976f11c77f46

    SHA512

    f628481f6b5d3e81330988f41310a2599d5bed754090d1e4a09ea92085c673fdeb85d71eb1d81de30073614e5cf2b4e39ac145b2cddbbf0f0cdb3033aae5f213