Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

SDFSDF.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    1182s
  • max time network
    1180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/04/2024, 21:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SDFSDF.exe

  • Size

    843KB

  • MD5

    0871dd1f1093919339d3a65c1bde4471

  • SHA1

    f6842e06cc4801dad8db4bf29614b1fdb772cd7b

  • SHA256

    054bc2d1b20d3c3d6a579abd3ec64f4af7ab867a2e67cf3b3109b97e283525a5

  • SHA512

    5ad913164f94333f10df0e49f94ee792092ea8a8bed949722a595090f716e46455a366ec0ff7cfe156c4928d86e5d564293702092c70a1dd17e0218560a2ff66

  • SSDEEP

    24576:1PS04YNEMuExDiU6E5R9s8xY/2l/dTZIbt+rg:1l4auS+UjfU2TTZIbt+r

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SDFSDF.exe
    "C:\Users\Admin\AppData\Local\Temp\SDFSDF.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{f58b4faf-52e0-4929-b75f-1f5250ad87f8}.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:3292
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo j "
          4⤵
            PID:3404
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe""
            4⤵
              PID:3196
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo j "
              4⤵
                PID:1424
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{f58b4faf-52e0-4929-b75f-1f5250ad87f8}.bat"
                4⤵
                  PID:4304
          • C:\Windows\system32\AUDIODG.EXE
            C:\Windows\system32\AUDIODG.EXE 0x2f8 0x4a0
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1760
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
            1⤵
              PID:2692
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k UnistackSvcGroup
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4708

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\opus.dll
              Filesize

              332KB

              MD5

              1fc04b8bb4896745163df806695ee193

              SHA1

              39174ce2fca9a3e86bb7a5686037bc42f2572de1

              SHA256

              3f2b2fd440fdd84288dadfc63e37a4bc7ea0aae26889ab0d4a5ef6148f44ce14

              SHA512

              3ff18bdd364f27e54ffbf2d1af53e3500ec57e7e8fa14185f7fb1ef6639d69ac6253543b9e2155ade45ca5bcd567e94334f1ee7ad0a7ff28194168dc49883261

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\{f58b4faf-52e0-4929-b75f-1f5250ad87f8}.bat
              Filesize

              202B

              MD5

              69310bb8bc6eddcdb2803a45cd2298dc

              SHA1

              7c196248bf7a2074eb4420327a174a062f3457b6

              SHA256

              4468a07b997157c3e2014e4d2b925446aa16ce49072e4de5279441fa441ad1d2

              SHA512

              3d13fbdad0b8ac33af8c43cfd5ec7f60bf18a6c5ecd8d3f6851da10fcef762f64bffb8e6f4e1fba08bf76ff6701734e78c6c53b3d53b27aaa3ae124b7bdba7b6

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
              Filesize

              843KB

              MD5

              0871dd1f1093919339d3a65c1bde4471

              SHA1

              f6842e06cc4801dad8db4bf29614b1fdb772cd7b

              SHA256

              054bc2d1b20d3c3d6a579abd3ec64f4af7ab867a2e67cf3b3109b97e283525a5

              SHA512

              5ad913164f94333f10df0e49f94ee792092ea8a8bed949722a595090f716e46455a366ec0ff7cfe156c4928d86e5d564293702092c70a1dd17e0218560a2ff66

              Download Submit

            • memory/1284-26-0x0000000001910000-0x0000000001920000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1284-32-0x0000000001910000-0x0000000001920000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1284-19-0x0000000074E70000-0x0000000075421000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/1284-20-0x0000000074E70000-0x0000000075421000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/1284-23-0x0000000001910000-0x0000000001920000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1284-24-0x0000000074E70000-0x0000000075421000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/1284-25-0x0000000001910000-0x0000000001920000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1284-84-0x0000000074E70000-0x0000000075421000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/1284-31-0x0000000001910000-0x0000000001920000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4372-18-0x0000000074E70000-0x0000000075421000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/4372-2-0x0000000000F00000-0x0000000000F10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4372-0-0x0000000074E70000-0x0000000075421000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/4372-1-0x0000000074E70000-0x0000000075421000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/4708-49-0x00000289C7680000-0x00000289C7690000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4708-67-0x00000289CFA20000-0x00000289CFA21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4708-65-0x00000289CF9F0000-0x00000289CF9F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4708-68-0x00000289CFA20000-0x00000289CFA21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4708-69-0x00000289CFB30000-0x00000289CFB31000-memory.dmp

              Filesize

              4KB

              Download