Analysis
max time kernel: 55s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/04/2024, 17:07
Static task: static1
Behavioral task: behavioral1
  Sample: @!#SETUP_FILE_2024_PASSCODE_$.rar
  Resource: win10v2004-20240419-en
Behavioral task: behavioral2
  Sample: Setup.exe
  Resource: win10v2004-20240419-en
General
Target: @!#SETUP_FILE_2024_PASSCODE_$.rar
Size: 23.5MB
MD5: 7611e93930a3ebfc3144343b30cd9dcd
SHA1: 2fcfefd406cfbade85a6e58aa06442bd925aeb5d
SHA256: e8b27d9776228fec69909096f712fcbf90cd8a335394e3791ac3be7cb37b3556
SHA512: 93240b34e717a3c93d1ca7bdb25c7bbfc3bb5969c09c6dacc1dcb6b1e92577da311e006442ce1a5d28c99625abafa666a76b33b4f80f9195669d2702dc7d3673
SSDEEP: 393216:FK6+W0Ec0JqaRS46jX7k2E1AIvcGdqwHjW0V/exgk+oraBa8m2kPU0t8:86n0EcqS5X7OiIUNwD3eh+fBu2uU0t8
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings | OpenWith.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  656 | vlc.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  1700 | OpenWith.exe
  656 | vlc.exe
- Suspicious use of FindShellTrayWindow (23 IoCs)
  pid | Process
  656 | vlc.exe (23 identical entries)
- Suspicious use of SendNotifyMessage (22 IoCs)
  pid | Process
  656 | vlc.exe (22 identical entries)
- Suspicious use of SetWindowsHookEx (42 IoCs)
  pid | Process
  1700 | OpenWith.exe (41 identical entries)
  656 | vlc.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 1700 wrote to memory of 656 | 1700 | OpenWith.exe | 90
  PID 1700 wrote to memory of 656 | 1700 | OpenWith.exe | 90
Processes
- C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\@!#SETUP_FILE_2024_PASSCODE_$.rar
  PID: 1372
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 1700
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\VideoLAN\VLC\vlc.exe
    command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\@!#SETUP_FILE_2024_PASSCODE_$.rar"
    PID: 656
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 114B
  MD5: 6e5dc14b679af007807c132f616ebacd
  SHA1: 62e4b2871344089b7cbc181ee7f41e4a75b732aa
  SHA256: 308e8a3b910fbd37b4e92a2025641fcae0e76e4ecaeb541a25183b90036f1858
  SHA512: 3a00772edb56b037ec10327cd07ef1b185ce0612d76cc547c764fcf87f8ffc17acb2255f04331b62a4c0ecf80b1b6a4696a817959b0eada4b8ebf06ef5dbc2e4