Analysis

  • max time kernel: 1798s
  • max time network: 1803s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 14/03/2024, 13:31

General

  • Target: file_x64x86.rar
  • Size: 10.5MB
  • MD5: c0e2e876025cff704f44762e4eef46df
  • SHA1: 53cfde674e868429276dca6c9c4e783ff98b9a8f
  • SHA256: ce143c9fbf5934660cd61c63796aa00759b07ea5d65b66cd2c05e85239781ad8
  • SHA512: 3c1a3ff3c74b16e1e2c3199f27770ec11fb92d7c2718ee2b0cccbb2c03e8017f3b41ca1d3c08ce03c0e5b594a361de920f7ab08d5722e07e8555c2908c76a694
  • SSDEEP: 196608:XSbIWDiYJg1Z3mG//s6tgqRHqCo7eE8Aj5hjeeEit7w8AmxaPcaY9fTE:WTiYe1Z3ms06tg8H5OC8Gp/Y54

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\file_x64x86.rar
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4632
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\file_x64x86.rar"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:784
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
    PID:2036
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4776
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb546adedhb764h440ehba3ch78f9c4195e3b
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffab58f46f8,0x7ffab58f4708,0x7ffab58f4718
      2⤵
      PID:4408
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15011439520445158506,13010205112436186064,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
      2⤵
      PID:3772
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,15011439520445158506,13010205112436186064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:812
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,15011439520445158506,13010205112436186064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
      2⤵
      PID:2444
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3996
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4172
  • C:\Windows\system32\wuauclt.exe
    "C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId 04491d5e-8b4c-483a-bf49-15a60d6b8408 /RunHandlerComServer
    1⤵
    PID:60
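The process list above is flat text with N⤵ depth markers, which is awkward to read once a browser has forked a dozen children. The following Python is an added example, not tria.ge code: it rebuilds the parent/child tree from those markers, attaches each signature hit to the process it fired on, and applies three heuristics of its own (cmd /c handing an archive to the default handler, rundll32 invoking a DLL export by ordinal, and WriteProcessMemory on a process that also spawned children). The embedded REPORT is a constructed sample copied from the cmd.exe, 7zFM.exe and rundll32.exe entries of this report; the heuristics are this example's, not tria.ge signatures, and the rundll32 EDGEHTML.dll,#141 entry is surfaced for review rather than judged, since the report attaches no signature to it.

```python
"""Rebuild the process tree from a tria.ge-style report dump and pick out the
entries an analyst would look at first.  Added example, not tria.ge code:
REPORT is a constructed sample copied from this report's Processes section;
the triage rules are the example's own heuristics, not tria.ge signatures."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

REPORT = r"""
• C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\file_x64x86.rar
  1⤵
  • Checks computer location settings
  • Modifies registry class
  • Suspicious use of WriteProcessMemory
  PID:4632
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\file_x64x86.rar"
    2⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:784
• C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  1⤵
  PID:2036
"""

BULLET = re.compile(r"^•\s*(.+?)\s*$")  # "• <drive path>" opens a process; any other bullet is a signature hit
IMAGE = re.compile(r"^[A-Za-z]:\\")
DEPTH = re.compile(r"^(\d+)⤵$")         # 1⤵ = top level, 2⤵ = child of the preceding level-1 process
PIDLINE = re.compile(r"^PID:(\d+)$")


@dataclass
class Proc:
    image: str
    cmdline: str = ""
    depth: int = 0
    pid: int | None = None
    sigs: list[str] = field(default_factory=list)
    parent: Proc | None = field(default=None, repr=False)
    children: list[Proc] = field(default_factory=list)


def parse_process_tree(text: str) -> list[Proc]:
    """Return the root processes; parent/child links follow the N⤵ markers."""
    roots: list[Proc] = []
    stack: list[Proc] = []  # open ancestors, innermost last
    cur: Proc | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BULLET.match(line):
            if IMAGE.match(m.group(1)):
                cur = Proc(image=m.group(1))
            elif cur is not None:
                cur.sigs.append(m.group(1))
        elif (m := DEPTH.match(line)) and cur is not None:
            cur.depth = int(m.group(1))
            while stack and stack[-1].depth >= cur.depth:
                stack.pop()
            if stack:
                cur.parent = stack[-1]
                stack[-1].children.append(cur)
            else:
                roots.append(cur)
            stack.append(cur)
        elif (m := PIDLINE.match(line)) and cur is not None:
            cur.pid = int(m.group(1))
        elif cur is not None and not cur.cmdline:
            cur.cmdline = line  # first free line after the image path is the command line
    return roots


def walk(procs: list[Proc]):
    for p in procs:
        yield p
        yield from walk(p.children)


ARCHIVE_EXT = (".rar", ".zip", ".7z", ".iso", ".img")
ORDINAL_CALL = re.compile(r'\.dll"?,#\d+', re.IGNORECASE)  # rundll32 foo.dll,#141 or "foo.dll",#141


def triage(roots: list[Proc]) -> list[tuple[int | None, str]]:
    """Heuristic hits as (pid, note), in tree order.  Rules are this example's own."""
    findings = []
    for p in walk(roots):
        exe = p.image.rsplit("\\", 1)[-1].lower()
        cl = p.cmdline.strip().strip('"').lower()
        if exe == "cmd.exe" and "/c" in cl and cl.endswith(ARCHIVE_EXT):
            kids = ", ".join(c.image.rsplit("\\", 1)[-1] for c in p.children) or "none"
            findings.append((p.pid, f"cmd /c handed an archive to its default handler; spawned: {kids}"))
        if exe == "rundll32.exe" and ORDINAL_CALL.search(p.cmdline):
            findings.append((p.pid, f"rundll32 calls a DLL export by ordinal: {p.cmdline}"))
        if "Suspicious use of WriteProcessMemory" in p.sigs and p.children:
            findings.append((p.pid, f"WriteProcessMemory with {len(p.children)} child process(es)"))
    return findings
```

Calling triage(parse_process_tree(REPORT)) on the embedded sample yields three hits: two on PID 4632 (the archive handed to 7zFM.exe, and WriteProcessMemory on a process with a child) and one on PID 2036 for the ordinal call. Feeding it the full Processes section would add the Edge parent (PID 1632), which carries the same WriteProcessMemory signature over its crashpad/gpu/utility children; that is what a multi-process browser start looks like, and the point of correlating signatures with the tree is to tell that apart from a dropper injecting into a child.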

Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: e1b45169ebca0dceadb0f45697799d62
    SHA1: 803604277318898e6f5c6fb92270ca83b5609cd5
    SHA256: 4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
    SHA512: 357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: df7d529cb35e69ef10c66f706077741a
    SHA1: 1237bd1fd1091d719b6e4782d23998895d9ab84d
    SHA256: 378c27757ac310a92ee1ce6f59b514b8a9eb034842e5f2e30189b7d8978c82cf
    SHA512: 5dc43cd2105fbe5412a8cdc6ccc4a4e070e9f692227c293a36b15469f11b0336f5bf78dd3d6775d87235a02f3b897e807b5e7f32e8c008adc42703397996b8ca
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 8KB
    MD5: a0920f6d36db867a4085a0881dfb92db
    SHA1: 952b70a005064965a10736ed919697f1663f9692
    SHA256: 8919613c71f2624ae257a7e2bea84739e864aeeb0824dfa059caf9761e2b64c3
    SHA512: 7802426ae11725ad8422b8366837c553c7c9f342d03450dc6fbb136646001c8911f98cfe25bb76fb8ab2ddacbeb7d5f93e9a11daa640e4a1d0f4c3c124bca2f2
  • memory/4776-0-0x0000026868690000-0x00000268686A0000-memory.dmp
    Filesize: 64KB
  • memory/4776-16-0x0000026868790000-0x00000268687A0000-memory.dmp
    Filesize: 64KB
  • memory/4776-32-0x0000026870B00000-0x0000026870B01000-memory.dmp
    Filesize: 4KB
  • memory/4776-34-0x0000026870B30000-0x0000026870B31000-memory.dmp
    Filesize: 4KB
  • memory/4776-35-0x0000026870B30000-0x0000026870B31000-memory.dmp
    Filesize: 4KB
  • memory/4776-36-0x0000026870C40000-0x0000026870C41000-memory.dmp
    Filesize: 4KB