Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

ProcessMonitor.zip

windows10-2004-x64

8

Resubmissions

28/04/2024, 19:57

240428-ypq4cafg35 8

28/04/2024, 19:57

240428-yn71gaff99 8

Analysis

  • max time kernel
    140s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/04/2024, 19:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ProcessMonitor.zip

  • Size

    3.3MB

  • MD5

    3ef2eedf8139b1f51d9561fd8f9fee9a

  • SHA1

    e6769c1ec6d7367a450e304d554470bb0413900f

  • SHA256

    b556dcac41dc01f7310936fbd57d202eaecd00ff580398957b7125fd404728ae

  • SHA512

    4b1479914fdcddc94846ab6cde66976a61a04f8475e59970cb24b5583c40997d9f19eba81016ef69297d87779bb333b9f6d34357b9fdbfdb39448a1a85b36f00

  • SSDEEP

    98304:K6FoCGKZsQnafN/FqpbX/893Sxv8RE/6DdHrloE55PHAKZo:K6FnG4syes9/88xvh6hHrKE55IKu

Score
8/10
persistence

Malware Config

Signatures

  • Drops file in Drivers directory 6 IoCs
  • Sets service image path in registry 2 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Modifies registry class 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ProcessMonitor.zip
    1⤵
      PID:3544
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4112
      • C:\Users\Admin\Desktop\New folder\Procmon.exe
        "C:\Users\Admin\Desktop\New folder\Procmon.exe"
        1⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2224
        • C:\Users\Admin\AppData\Local\Temp\Procmon64.exe
          "C:\Users\Admin\AppData\Local\Temp\Procmon64.exe" /originalpath "C:\Users\Admin\Desktop\New folder\Procmon.exe"
          2⤵
          • Drops file in Drivers directory
          • Sets service image path in registry
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious behavior: LoadsDriver
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1260
      • C:\Users\Admin\Desktop\New folder\Procmon64.exe
        "C:\Users\Admin\Desktop\New folder\Procmon64.exe"
        1⤵
        • Drops file in Drivers directory
        • Sets service image path in registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:228
      • C:\Users\Admin\Desktop\New folder\Procmon.exe
        "C:\Users\Admin\Desktop\New folder\Procmon.exe"
        1⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Users\Admin\AppData\Local\Temp\Procmon64.exe
          "C:\Users\Admin\AppData\Local\Temp\Procmon64.exe" /originalpath "C:\Users\Admin\Desktop\New folder\Procmon.exe"
          2⤵
          • Drops file in Drivers directory
          • Sets service image path in registry
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious behavior: LoadsDriver
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3896

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Procmon64.exe
        Filesize

        2.6MB

        MD5

        6b3a6712990ed09dd166c281ec7bee30

        SHA1

        8a85f03252d045009ce0b90adaac537e17f89167

        SHA256

        a1b8c40f6da56961081dfee34a252fc667d22c7a22f30269d51f3f409111e787

        SHA512

        d1baa1f83ab6fc37d939d8db74ba825507e53dc9fc0fa07c5957fccdabc05cc50f66e0db85b54478805e5aef9e1a8f14b262a4b68f43c8a8b62a089dc7be6a44

        Download Submit

      • memory/228-63-0x00007FFF7EF30000-0x00007FFF7EF40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/228-64-0x00007FFF7EF30000-0x00007FFF7EF40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1260-59-0x00007FFF7EF30000-0x00007FFF7EF40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1260-60-0x00007FFF7EF30000-0x00007FFF7EF40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3896-125-0x00007FFF7EF30000-0x00007FFF7EF40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3896-126-0x00007FFF7EF30000-0x00007FFF7EF40000-memory.dmp

        Filesize

        64KB

        Download