Analysis
max time kernel: 1206s
max time network: 1214s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/04/2024, 18:15
Static task: static1
Behavioral task: behavioral1
Sample: Multi_Menu_Injector_V2.exe
Resource: win10v2004-20240226-en
General
Target: Multi_Menu_Injector_V2.exe
Size: 337KB
MD5: 940ca5f0664cb25bd69e771fc2fc3935
SHA1: de610bb532a61898aff07e51eae6e81e47b88b70
SHA256: 5843a30474524689d1972bde16bca17160632b0f20200b61ea2f78ace5d4d905
SHA512: afff043c973a859014d883bdac2fa56115a98cf8f4e7a5c9ffd9f966d379b6afb4a435df1675e0ed2303dca97e2569509e13f5e342723cc100b3e7ca948177e4
SSDEEP: 6144:Toob0G8fgKSqBKpGNrvo6ilVfpf5h4KdUgr9RjczIyAD8fU6bkD+NrgJf9:hILYKbBKpG5QlVl5h1dDr96ADTD+RgJF
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation (Multi_Menu_Injector_V2.exe)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSubDir.lnk (Multi_Menu_Injector_V2.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSubDir.lnk (Multi_Menu_Injector_V2.exe)
- Executes dropped EXE (20 IoCs)
  WindowsSubDir.exe, PIDs: 1828, 752, 4564, 1916, 4080, 2212, 4616, 4056, 4608, 100, 3360, 3356, 2032, 456, 3608, 1768, 3412, 952, 1880, 3256
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsSubDir = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsSubDir.exe" (Multi_Menu_Injector_V2.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 20: ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3192: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 4792: Multi_Menu_Injector_V2.exe
- Suspicious use of AdjustPrivilegeToken (22 IoCs)
  Token: SeDebugPrivilege
  PID 4792: Multi_Menu_Injector_V2.exe (2 entries)
  WindowsSubDir.exe, PIDs: 1828, 752, 4564, 1916, 4080, 2212, 4616, 4056, 4608, 100, 3360, 3356, 2032, 456, 3608, 1768, 3412, 952, 1880, 3256
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4792: Multi_Menu_Injector_V2.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 4792 wrote to memory of 3192 (pid 4792, Multi_Menu_Injector_V2.exe, procid_target 89), 2 entries
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Multi_Menu_Injector_V2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Multi_Menu_Injector_V2.exe"
  PID: 4792
  Signatures: Checks computer location settings; Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (child of PID 4792)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSubDir" /tr "C:\Users\Admin\AppData\Roaming\WindowsSubDir.exe"
    PID: 3192
    Signatures: Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\WindowsSubDir.exe (20 top-level instances, same command line)
  Command line: C:\Users\Admin\AppData\Roaming\WindowsSubDir.exe
  Signatures (each instance): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  PIDs: 1828, 752, 4564, 1916, 4080, 2212, 4616, 4056, 4608, 100, 3360, 3356, 2032, 456, 3608, 1768, 3412, 952, 1880, 3256
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
- Filesize: 337KB (hashes identical to the submitted sample)
  MD5: 940ca5f0664cb25bd69e771fc2fc3935
  SHA1: de610bb532a61898aff07e51eae6e81e47b88b70
  SHA256: 5843a30474524689d1972bde16bca17160632b0f20200b61ea2f78ace5d4d905
  SHA512: afff043c973a859014d883bdac2fa56115a98cf8f4e7a5c9ffd9f966d379b6afb4a435df1675e0ed2303dca97e2569509e13f5e342723cc100b3e7ca948177e4