Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

5

Static

static

3

a/myDriver.sys

windows10-2004-x64

5

Analysis

  • max time kernel
    1210s
  • max time network
    1263s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/04/2024, 14:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a/myDriver.sys

  • Size

    16KB

  • MD5

    ea98412a984f3a28b077fe7db73e2629

  • SHA1

    98eaa091e6b737c75bac6accc6be15013beccf91

  • SHA256

    5aa6e67c99b20f02dfcad282a4bae7862e463568e02dd13a37ec43da61588527

  • SHA512

    dfd8dbc96c5006065c4febc0b22487729d3943091a5a84bd00d319d26d3cc0296e67e547ebb9dd529773aba8b317eabb3650623e68db0ed933d10c11daffe2e5

  • SSDEEP

    192:Hf2LrtQsx5GvVA1nI9YfG4eVorAm3/a2YcHmI7exNk7A9UOad8g8UEmFy0NCpnPO:/mbGtAKYfG4uorAm3f5GI7+nazCmT

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Checks SCSI registry key(s) 3 TTPs 10 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\a\myDriver.sys
    1⤵
      PID:1256
      • C:\Users\Admin\AppData\Local\Temp\a\myDriver.sys
        C:\Users\Admin\AppData\Local\Temp\a\myDriver.sys
        2⤵
          PID:3000
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4800
        • C:\Users\Admin\AppData\Local\Temp\a\MoneyGrabber.exe
          "C:\Users\Admin\AppData\Local\Temp\a\MoneyGrabber.exe"
          2⤵
            PID:4416
          • C:\Windows\system32\pnputil.exe
            "C:\Windows\system32\pnputil.exe" /add-driver .\myDriver.inf /install
            2⤵
            • Drops file in Windows directory
            PID:3164
          • C:\Windows\system32\sc.exe
            "C:\Windows\system32\sc.exe" start myDriver
            2⤵
            • Launches sc.exe
            PID:3472
          • C:\Windows\system32\pnputil.exe
            "C:\Windows\system32\pnputil.exe" /add-driver .\myDriver.inf /install
            2⤵
            • Drops file in Windows directory
            PID:1756
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          1⤵
            PID:1280
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
            1⤵
            • Drops file in Windows directory
            • Checks SCSI registry key(s)
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1256
            • C:\Windows\system32\DrvInst.exe
              DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{456ec49f-ea70-fa47-879d-b39400b8b671}\myDriver.inf" "9" "41b46ff43" "000000000000014C" "WinSta0\Default" "0000000000000164" "208" "C:\Users\Admin\AppData\Local\Temp\a"
              2⤵
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Modifies data under HKEY_USERS
              PID:4544
            • C:\Windows\system32\DrvInst.exe
              DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{e7f5848b-e6a2-b949-8dbb-a4c03b8171f6}\myDriver.inf" "9" "41b46ff43" "0000000000000188" "WinSta0\Default" "000000000000018C" "208" "C:\Users\Admin\AppData\Local\Temp\a"
              2⤵
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Modifies data under HKEY_USERS
              PID:2508

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5dw1pibd.jmi.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\{456EC~1\myDriver.cat
            Filesize

            2KB

            MD5

            27e74d02728dbf0dc63efe7292833126

            SHA1

            d74fb90f0dc704eae3d6ce0459d0a551d077e9ed

            SHA256

            685e91c151845093f316362c093547bbecde3ab0f27d412f644eeab9e7bc68f4

            SHA512

            e5d181e9c2407a58231d88449da8c97e264a8a2b1a10bd412b59e97caccf5a0b04a1553eabb2b3c85c73b7647dd8405b584e0db8c979ff187d30a1f88a73d390

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\{456ec49f-ea70-fa47-879d-b39400b8b671}\myDriver.inf
            Filesize

            1KB

            MD5

            8dd881d5d8a835544386c2f02bcc5096

            SHA1

            bfae64d5691e09d3f2c6083b1d881c2a7a6934bf

            SHA256

            b276dcf68623c18c6dd9e5f1f00ef35728f42e63205af30e5d1840b6094ee378

            SHA512

            b0412f3ebe1d13917c1449c2da1ac500baa8f081bec86e460305a6157edb5aebdbe13ca50ca85ca846c74b380775e75c68d304e16fb7c297d1e90ed850b63dcf

            Download Submit

          • C:\Windows\System32\DriverStore\Temp\{b526e71b-9439-7040-88af-c099adb699dd}\SET92B.tmp
            Filesize

            16KB

            MD5

            ea98412a984f3a28b077fe7db73e2629

            SHA1

            98eaa091e6b737c75bac6accc6be15013beccf91

            SHA256

            5aa6e67c99b20f02dfcad282a4bae7862e463568e02dd13a37ec43da61588527

            SHA512

            dfd8dbc96c5006065c4febc0b22487729d3943091a5a84bd00d319d26d3cc0296e67e547ebb9dd529773aba8b317eabb3650623e68db0ed933d10c11daffe2e5

            Download Submit

          • memory/4800-14-0x0000026C43640000-0x0000026C43650000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4800-15-0x0000026C435C0000-0x0000026C43604000-memory.dmp

            Filesize

            272KB

            Download

          • memory/4800-16-0x0000026C44790000-0x0000026C44806000-memory.dmp

            Filesize

            472KB

            Download

          • memory/4800-19-0x00007FFF47B50000-0x00007FFF48611000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4800-20-0x0000026C43640000-0x0000026C43650000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4800-21-0x0000026C43640000-0x0000026C43650000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4800-23-0x0000026C43610000-0x0000026C4362E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/4800-3-0x0000026C43540000-0x0000026C43562000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4800-13-0x0000026C43640000-0x0000026C43650000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4800-12-0x00007FFF47B50000-0x00007FFF48611000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4800-66-0x0000026C43640000-0x0000026C43650000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4800-67-0x0000026C43640000-0x0000026C43650000-memory.dmp

            Filesize

            64KB

            Download