Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
12s -
max time network
21s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
28/04/2024, 19:57
Static task
static1
Behavioral task
behavioral1
Sample
Procmon.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral2
Sample
Procmon64.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
Procmon64a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
procmon.chm
Resource
win10v2004-20240419-en
General
-
Target
Procmon.exe
-
Size
5.0MB
-
MD5
2804ca9fc56e6c600418e1616ab2335d
-
SHA1
ae4065ebf9b038be275efbff56793d1f4e77b79c
-
SHA256
cfac057c0c811caa0ffa8581b7e7e7a2b1c6f3ce8a2ec1d05151a0a2b7dd173e
-
SHA512
23b68a92c15c670ac627937c769d2a6ce0b8a17dc02f9bbc2a42df3aebb8314968c04864928ebf87df8dd37408e5d71ccab594e0212048badd11a671c29de329
-
SSDEEP
98304:JLHG9k71Z7cxhVaSR+i5y1xn7j55y1NwHBdzYu8Y/IqRfNocBjsP70wAdlHBdzYB:JL+A1FjntHBjXeDAdlHBj
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32\Drivers\PROCMON24.SYS Procmon64.exe File created C:\Windows\system32\Drivers\PROCMON24.SYS Procmon64.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCMON24.SYS" Procmon64.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation Procmon.exe -
Executes dropped EXE 1 IoCs
pid Process 1260 Procmon64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 11 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\ProcMon.Logfile.1\shell\open Procmon64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Procmon.exe Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.PML Procmon64.exe Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\ProcMon.Logfile.1 Procmon64.exe Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\ProcMon.Logfile.1\shell\open\command Procmon64.exe Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\ProcMon.Logfile.1\shell Procmon64.exe Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.PML\ = "ProcMon.Logfile.1" Procmon64.exe Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\ProcMon.Logfile.1\ = "ProcMon Log File" Procmon64.exe Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\ProcMon.Logfile.1\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Procmon.exe\" /OpenLog \"%1\"" Procmon64.exe Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\ProcMon.Logfile.1\DefaultIcon Procmon64.exe Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\ProcMon.Logfile.1\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Procmon.exe\",0" Procmon64.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1260 Procmon64.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 1260 Procmon64.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1260 Procmon64.exe Token: SeLoadDriverPrivilege 1260 Procmon64.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1260 Procmon64.exe 1260 Procmon64.exe 1260 Procmon64.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4616 wrote to memory of 1260 4616 Procmon.exe 87 PID 4616 wrote to memory of 1260 4616 Procmon.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\Procmon.exe"C:\Users\Admin\AppData\Local\Temp\Procmon.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Users\Admin\AppData\Local\Temp\Procmon64.exe"C:\Users\Admin\AppData\Local\Temp\Procmon64.exe" /originalpath "C:\Users\Admin\AppData\Local\Temp\Procmon.exe"2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1260
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD56b3a6712990ed09dd166c281ec7bee30
SHA18a85f03252d045009ce0b90adaac537e17f89167
SHA256a1b8c40f6da56961081dfee34a252fc667d22c7a22f30269d51f3f409111e787
SHA512d1baa1f83ab6fc37d939d8db74ba825507e53dc9fc0fa07c5957fccdabc05cc50f66e0db85b54478805e5aef9e1a8f14b262a4b68f43c8a8b62a089dc7be6a44