Analysis

  • max time kernel
    152s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/04/2024, 14:42

General

  • Target

    SpaceAdvntre.exe

  • Size

    154.6MB

  • MD5

    acf576f53d1d1376681fd4a35dce19b9

  • SHA1

    8138a9f90af9f95d0ed3f86f993a674a300c554a

  • SHA256

    1a61d9d12765ec87e611cec885a586ec9dcec7e28b300a8f84e27ecb55463f4d

  • SHA512

    f554e938211d44d167620d65ac80db6cc7aece05061b65fd25a7ecd8506d878e2e0535bc9840ce093c87b047ddd6e76c451cd6ef26ab700a5def833434c2eedd

  • SSDEEP

    1572864:uTmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:pv6E70+Mk

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL (1 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  • Looks up external IP address via web service (1 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • An obfuscated cmd.exe command-line is typically used to evade detection. (2 IoCs)
  • Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\SpaceAdvntre.exe
    "C:\Users\Admin\AppData\Local\Temp\SpaceAdvntre.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:984
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3716
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:112
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4900
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2016
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,127,185,234,205,148,63,59,78,177,131,181,208,255,238,137,96,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,164,175,76,161,134,224,137,176,56,163,3,175,40,19,32,92,145,225,199,82,244,131,244,253,2,58,67,90,144,223,136,175,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,185,24,135,231,40,134,93,219,124,208,7,211,31,203,122,84,212,86,123,229,53,132,132,226,132,135,143,113,36,166,131,6,48,0,0,0,218,174,184,184,184,254,161,155,81,219,224,215,64,205,239,188,172,213,179,207,160,102,124,235,187,43,255,100,21,146,78,171,123,42,231,82,170,252,58,17,236,179,242,209,97,41,251,171,64,0,0,0,240,165,245,19,196,166,84,106,144,224,100,251,48,217,208,215,213,56,76,155,191,160,179,134,32,59,37,208,129,208,206,196,64,33,51,255,143,102,100,50,249,175,38,170,33,222,80,138,252,254,76,53,252,172,146,27,67,238,223,130,255,132,50,147), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,127,185,234,205,148,63,59,78,177,131,181,208,255,238,137,96,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,164,175,76,161,134,224,137,176,56,163,3,175,40,19,32,92,145,225,199,82,244,131,244,253,2,58,67,90,144,223,136,175,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,185,24,135,231,40,134,93,219,124,208,7,211,31,203,122,84,212,86,123,229,53,132,132,226,132,135,143,113,36,166,131,6,48,0,0,0,218,174,184,184,184,254,161,155,81,219,224,215,64,205,239,188,172,213,179,207,160,102,124,235,187,43,255,100,21,146,78,171,123,42,231,82,170,252,58,17,236,179,242,209,97,41,251,171,64,0,0,0,240,165,245,19,196,166,84,106,144,224,100,251,48,217,208,215,213,56,76,155,191,160,179,134,32,59,37,208,129,208,206,196,64,33,51,255,143,102,100,50,249,175,38,170,33,222,80,138,252,254,76,53,252,172,146,27,67,238,223,130,255,132,50,147), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1020
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,127,185,234,205,148,63,59,78,177,131,181,208,255,238,137,96,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,248,235,49,138,142,189,104,1,109,218,244,53,122,212,178,249,229,108,209,244,72,234,123,126,207,63,141,70,231,119,6,241,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,45,229,139,113,15,60,156,64,75,210,221,149,107,176,204,206,223,140,215,102,98,0,202,73,167,165,95,81,244,204,30,48,0,0,0,159,65,239,47,193,103,240,79,154,80,226,158,99,10,187,54,27,43,149,239,44,43,50,241,85,118,100,160,55,35,4,5,71,7,147,24,9,204,151,49,123,143,123,174,107,90,184,232,64,0,0,0,194,24,38,210,116,69,79,130,181,232,35,188,221,21,190,87,247,64,69,131,46,79,254,65,31,21,214,249,103,245,141,3,45,226,66,120,199,31,146,206,10,217,198,190,184,32,146,37,147,76,162,180,81,77,233,1,253,121,27,101,176,107,25,65), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:4724
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,127,185,234,205,148,63,59,78,177,131,181,208,255,238,137,96,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,248,235,49,138,142,189,104,1,109,218,244,53,122,212,178,249,229,108,209,244,72,234,123,126,207,63,141,70,231,119,6,241,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,45,229,139,113,15,60,156,64,75,210,221,149,107,176,204,206,223,140,215,102,98,0,202,73,167,165,95,81,244,204,30,48,0,0,0,159,65,239,47,193,103,240,79,154,80,226,158,99,10,187,54,27,43,149,239,44,43,50,241,85,118,100,160,55,35,4,5,71,7,147,24,9,204,151,49,123,143,123,174,107,90,184,232,64,0,0,0,194,24,38,210,116,69,79,130,181,232,35,188,221,21,190,87,247,64,69,131,46,79,254,65,31,21,214,249,103,245,141,3,45,226,66,120,199,31,146,206,10,217,198,190,184,32,146,37,147,76,162,180,81,77,233,1,253,121,27,101,176,107,25,65), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:684
    • C:\Users\Admin\AppData\Local\Temp\SpaceAdvntre.exe
      "C:\Users\Admin\AppData\Local\Temp\SpaceAdvntre.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\SpaceAdvntre" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 --field-trial-handle=2020,i,11541216000348560715,17284866817236837902,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      PID:1300
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3964
    • C:\Users\Admin\AppData\Local\Temp\SpaceAdvntre.exe
      "C:\Users\Admin\AppData\Local\Temp\SpaceAdvntre.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\SpaceAdvntre" --mojo-platform-channel-handle=1196 --field-trial-handle=2020,i,11541216000348560715,17284866817236837902,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1832
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get ProcessorId"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get ProcessorId
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3492
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get Product"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic baseboard get Product
        3⤵
        PID:2904
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get SerialNumber"
      2⤵
      PID:1616
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic baseboard get SerialNumber
        3⤵
        PID:4720
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption"
      2⤵
      PID:1584
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic OS get caption
        3⤵
        PID:4128
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get TotalPhysicalMemory"
      2⤵
      PID:208
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get TotalPhysicalMemory
        3⤵
        PID:3928
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_videocontroller get caption,PNPDeviceID"
      2⤵
      PID:1264
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_videocontroller get caption,PNPDeviceID
        3⤵
        PID:1628
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get SerialNumber"
      2⤵
      PID:224
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic diskdrive get SerialNumber
        3⤵
        PID:4900
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      2⤵
      PID:4612
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_computersystemproduct get uuid
        3⤵
        PID:1388
    • C:\Users\Admin\AppData\Local\Temp\SpaceAdvntre.exe
      "C:\Users\Admin\AppData\Local\Temp\SpaceAdvntre.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\SpaceAdvntre" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 --field-trial-handle=2020,i,11541216000348560715,17284866817236837902,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3708

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    6cf293cb4d80be23433eecf74ddb5503

    SHA1

    24fe4752df102c2ef492954d6b046cb5512ad408

    SHA256

    b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

    SHA512

    0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    64B

    MD5

    d8b9a260789a22d72263ef3bb119108c

    SHA1

    376a9bd48726f422679f2cd65003442c0b6f6dd5

    SHA256

    d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

    SHA512

    550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    8e26941f21dac5843c6d170e536afccb

    SHA1

    26b9ebd7bf3ed13bc51874ba06151850a0dac7db

    SHA256

    316f6ce22306f3018f9f57435ea75092633097182646f7e4ca23e2e2aa1393c0

    SHA512

    9148227032d98d49baf0d81a7435ba3adc653d7790245140acc50c38de00839d26a661b92f6754b15bab54fe81fbcf9003692fd7bef09027f11ef703a5879e62

  • C:\Users\Admin\AppData\Local\Temp\264451ee-1701-49cf-a22b-adcca40da008.tmp.node

    Filesize

    1.4MB

    MD5

    56192831a7f808874207ba593f464415

    SHA1

    e0c18c72a62692d856da1f8988b0bc9c8088d2aa

    SHA256

    6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

    SHA512

    c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xt24cxuv.s41.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/684-53-0x000002346D1D0000-0x000002346D1E0000-memory.dmp

    Filesize

    64KB

  • memory/684-52-0x00007FFC87980000-0x00007FFC88441000-memory.dmp

    Filesize

    10.8MB

  • memory/684-55-0x000002346D1D0000-0x000002346D1E0000-memory.dmp

    Filesize

    64KB

  • memory/684-58-0x00007FFC87980000-0x00007FFC88441000-memory.dmp

    Filesize

    10.8MB

  • memory/1020-41-0x00007FFC87980000-0x00007FFC88441000-memory.dmp

    Filesize

    10.8MB

  • memory/1020-30-0x00007FFC87980000-0x00007FFC88441000-memory.dmp

    Filesize

    10.8MB

  • memory/1020-35-0x000001D6EBCA0000-0x000001D6EBCB0000-memory.dmp

    Filesize

    64KB

  • memory/1020-37-0x000001D6EBCA0000-0x000001D6EBCB0000-memory.dmp

    Filesize

    64KB

  • memory/1020-38-0x000001D6EE300000-0x000001D6EE350000-memory.dmp

    Filesize

    320KB

  • memory/3708-99-0x000001C5C4A70000-0x000001C5C4A71000-memory.dmp

    Filesize

    4KB

  • memory/3708-104-0x000001C5C4A70000-0x000001C5C4A71000-memory.dmp

    Filesize

    4KB

  • memory/3708-110-0x000001C5C4A70000-0x000001C5C4A71000-memory.dmp

    Filesize

    4KB

  • memory/3708-108-0x000001C5C4A70000-0x000001C5C4A71000-memory.dmp

    Filesize

    4KB

  • memory/3708-109-0x000001C5C4A70000-0x000001C5C4A71000-memory.dmp

    Filesize

    4KB

  • memory/3708-106-0x000001C5C4A70000-0x000001C5C4A71000-memory.dmp

    Filesize

    4KB

  • memory/3708-98-0x000001C5C4A70000-0x000001C5C4A71000-memory.dmp

    Filesize

    4KB

  • memory/3708-107-0x000001C5C4A70000-0x000001C5C4A71000-memory.dmp

    Filesize

    4KB

  • memory/3708-100-0x000001C5C4A70000-0x000001C5C4A71000-memory.dmp

    Filesize

    4KB

  • memory/3708-105-0x000001C5C4A70000-0x000001C5C4A71000-memory.dmp

    Filesize

    4KB

  • memory/3716-16-0x000002CEDEAB0000-0x000002CEDEAC0000-memory.dmp

    Filesize

    64KB

  • memory/3716-10-0x000002CEDEA60000-0x000002CEDEA82000-memory.dmp

    Filesize

    136KB

  • memory/3716-15-0x00007FFC87980000-0x00007FFC88441000-memory.dmp

    Filesize

    10.8MB

  • memory/3716-22-0x00007FFC87980000-0x00007FFC88441000-memory.dmp

    Filesize

    10.8MB

  • memory/3716-17-0x000002CEDEAB0000-0x000002CEDEAC0000-memory.dmp

    Filesize

    64KB

  • memory/3716-18-0x000002CEDEAB0000-0x000002CEDEAC0000-memory.dmp

    Filesize

    64KB