
Resubmissions

28/04/2024, 19:57

240428-ypq4cafg35 8

28/04/2024, 19:57

240428-yn71gaff99 8

Analysis

  • max time kernel
    12s
  • max time network
    21s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/04/2024, 19:57

General

  • Target

    Procmon.exe

  • Size

    5.0MB

  • MD5

    2804ca9fc56e6c600418e1616ab2335d

  • SHA1

    ae4065ebf9b038be275efbff56793d1f4e77b79c

  • SHA256

    cfac057c0c811caa0ffa8581b7e7e7a2b1c6f3ce8a2ec1d05151a0a2b7dd173e

  • SHA512

    23b68a92c15c670ac627937c769d2a6ce0b8a17dc02f9bbc2a42df3aebb8314968c04864928ebf87df8dd37408e5d71ccab594e0212048badd11a671c29de329

  • SSDEEP

    98304:JLHG9k71Z7cxhVaSR+i5y1xn7j55y1NwHBdzYu8Y/IqRfNocBjsP70wAdlHBdzYB:JL+A1FjntHBjXeDAdlHBj

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Procmon.exe
    "C:\Users\Admin\AppData\Local\Temp\Procmon.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Users\Admin\AppData\Local\Temp\Procmon64.exe
      "C:\Users\Admin\AppData\Local\Temp\Procmon64.exe" /originalpath "C:\Users\Admin\AppData\Local\Temp\Procmon.exe"
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1260

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Procmon64.exe

    Filesize

    2.6MB

    MD5

    6b3a6712990ed09dd166c281ec7bee30

    SHA1

    8a85f03252d045009ce0b90adaac537e17f89167

    SHA256

    a1b8c40f6da56961081dfee34a252fc667d22c7a22f30269d51f3f409111e787

    SHA512

    d1baa1f83ab6fc37d939d8db74ba825507e53dc9fc0fa07c5957fccdabc05cc50f66e0db85b54478805e5aef9e1a8f14b262a4b68f43c8a8b62a089dc7be6a44

  • memory/1260-58-0x00007FFEC9E80000-0x00007FFEC9E90000-memory.dmp

    Filesize

    64KB

  • memory/1260-59-0x00007FFEC9E80000-0x00007FFEC9E90000-memory.dmp

    Filesize

    64KB