Analysis
- max time kernel: 77s
- max time network: 72s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/05/2024, 22:15
Static task: static1
Behavioral task: behavioral1
- Sample: Laun4er!_PSWRD----1889.7z
- Resource: win7-20231129-en
General
- Target: Laun4er!_PSWRD----1889.7z
- Size: 9.0MB
- MD5: 5fa7a701e0a05313ae1b40102ede0389
- SHA1: 2960cba4ef1a0fde8f8dea5b317d35ef1ec63fea
- SHA256: f1c2c0985ce7dc4ec3e51dc52ca5af913b3177dab18b6a2f9fefb7f1a0a5c7bc
- SHA512: 83a2ed56044f5fb7f1bcbdfb747363455e42aab970f700bdc56e7434cbc5644e14c953ff5b6392d04402f68d22d312729f2fea17d042e8aae46807932c9ab660
- SSDEEP: 196608:0rMa/IGuTieVXUtPs5iO/zMp1WzNDuMYZsNZST:JNXqk53MqzhutZX
Malware Config
Extracted
Family: lumma
C2 URLs:
https://templecharteredowis.shop/api
https://acceptabledcooeprs.shop/api
https://obsceneclassyjuwks.shop/api
https://zippyfinickysofwps.shop/api
https://miniaturefinerninewjs.shop/api
https://plaintediousidowsko.shop/api
https://sweetsquarediaslw.shop/api
https://holicisticscrarws.shop/api
https://boredimperissvieos.shop/api
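The nine URLs above are the sample's C2 endpoints as extracted from the Lumma config. Lumma rotates its C2 domains frequently, so a list taken from one run goes stale quickly and is best treated as a short-lived blocklist alongside the behavioural signatures further down. The script below is an added example (not part of this report or of any tria.ge tooling): it turns the extracted URLs into a host blocklist, then runs it over a handful of constructed DNS/HTTP log lines in a simple key=value shape, matching exact hosts and subdomains while rejecting look-alike names, and flags the POST to /api that is the beacon shape these URLs imply. The log lines, the 10.0.0.x addresses and the field names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# C2 URLs from the report's extracted Lumma config.
LUMMA_C2 = [
    "https://templecharteredowis.shop/api",
    "https://acceptabledcooeprs.shop/api",
    "https://obsceneclassyjuwks.shop/api",
    "https://zippyfinickysofwps.shop/api",
    "https://miniaturefinerninewjs.shop/api",
    "https://plaintediousidowsko.shop/api",
    "https://sweetsquarediaslw.shop/api",
    "https://holicisticscrarws.shop/api",
    "https://boredimperissvieos.shop/api",
]

# Constructed log lines for the example (not from the report). They include a
# subdomain of a C2 host, an unrelated domain, a look-alike host that shares a
# suffix but is NOT a subdomain, and a host written in upper case with a
# trailing dot, so the matcher has to normalise before comparing.
LOG_LINES = [
    "ts=2024-05-02T22:16:01Z src=10.0.0.5 kind=dns qname=templecharteredowis.shop",
    "ts=2024-05-02T22:16:02Z src=10.0.0.5 kind=http host=templecharteredowis.shop method=POST uri=/api",
    "ts=2024-05-02T22:16:05Z src=10.0.0.5 kind=dns qname=cdn.acceptabledcooeprs.shop",
    "ts=2024-05-02T22:16:07Z src=10.0.0.9 kind=dns qname=example.com",
    "ts=2024-05-02T22:16:10Z src=10.0.0.9 kind=http host=notacceptabledcooeprs.shop method=GET uri=/",
    "ts=2024-05-02T22:16:12Z src=10.0.0.9 kind=http host=HOLICISTICSCRARWS.SHOP. method=POST uri=/api",
]

FIELD = re.compile(r"(\w+)=(\S+)")


def c2_hosts(urls):
    """Reduce the extracted C2 URLs to a set of normalised hostnames."""
    return {urlsplit(u).hostname.rstrip(".").lower() for u in urls}


def matching_c2(host, c2):
    """Return the blocklisted apex that `host` equals or is a subdomain of,
    or None. Suffix matching is anchored on a dot so that a look-alike such
    as notacceptabledcooeprs.shop does not match acceptabledcooeprs.shop."""
    h = host.rstrip(".").lower()
    for apex in c2:
        if h == apex or h.endswith("." + apex):
            return apex
    return None


def scan_log(lines, urls):
    """Run the blocklist over key=value log lines; one hit per matching line."""
    c2 = c2_hosts(urls)
    hits = []
    for line in lines:
        rec = dict(FIELD.findall(line))
        host = rec.get("qname") or rec.get("host")
        if not host:
            continue
        apex = matching_c2(host, c2)
        if apex is None:
            continue
        hits.append({
            "src": rec.get("src"),
            "kind": rec.get("kind"),
            "host": host,
            "c2": apex,
            # the config URLs all end in /api; a POST there is the beacon shape
            "c2_post": rec.get("kind") == "http"
                       and rec.get("method") == "POST"
                       and rec.get("uri") == "/api",
        })
    return hits


if __name__ == "__main__":
    for h in scan_log(LOG_LINES, LUMMA_C2):
        tag = "BEACON" if h["c2_post"] else "contact"
        print(f"{tag:7} {h['src']} {h['kind']} {h['host']} -> {h['c2']}")
```

Sources such as 10.0.0.5 that both resolve a C2 host and POST to /api on it are the ones to triage first; a lone DNS lookup can be a security scanner or a sandbox detonation rather than an infected host.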
Signatures

Executes dropped EXE (2 IoCs)
pid   Process
3600  Setupx32_x64.exe
2284  Setupx32_x64.exe

Suspicious use of SetThreadContext (2 IoCs)
description                          pid   Process           procid_target
PID 3600 set thread context of 2672  3600  Setupx32_x64.exe  120
PID 2284 set thread context of 4528  2284  Setupx32_x64.exe  122

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description        ioc                                                                                                                                               Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                  taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                     taskmgr.exe

Modifies registry class (3 IoCs)
description  ioc                                                                                  Process
Key created  \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings  cmd.exe
Key created  \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings  OpenWith.exe
Key created  \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings  OpenWith.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
pid   Process
2036  taskmgr.exe  (11 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
3280  7zFM.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description                      pid   Process
Token: SeRestorePrivilege        3280  7zFM.exe
Token: 35                        3280  7zFM.exe
Token: SeSecurityPrivilege       3280  7zFM.exe
Token: SeDebugPrivilege          2036  taskmgr.exe
Token: SeSystemProfilePrivilege  2036  taskmgr.exe
Token: SeCreateGlobalPrivilege   2036  taskmgr.exe

Suspicious use of FindShellTrayWindow (24 IoCs)
pid   Process
3280  7zFM.exe     (2 events)
2036  taskmgr.exe  (22 events)

Suspicious use of SendNotifyMessage (22 IoCs)
pid   Process
2036  taskmgr.exe  (22 events)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
376   OpenWith.exe
1540  OpenWith.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description                      pid   Process           procid_target
PID 3600 wrote to memory of 2672  3600  Setupx32_x64.exe  120  (5 events)
PID 2284 wrote to memory of 4528  2284  Setupx32_x64.exe  122  (5 events)
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Laun4er!_PSWRD----1889.7z
  PID: 1748
  - Modifies registry class

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 376
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2052

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 1540
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Laun4er!_PSWRD----1889.7z"
  PID: 3280
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\Setupx32_x64.exe
  Command line: "C:\Users\Admin\Desktop\Setupx32_x64.exe"
  PID: 3600
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (child of 3600)
      Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      PID: 2672

C:\Users\Admin\Desktop\Setupx32_x64.exe
  Command line: "C:\Users\Admin\Desktop\Setupx32_x64.exe"
  PID: 2284
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (child of 2284)
      Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      PID: 4528

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2036
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
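Reading the tree together with the signature tables: the SCSI registry reads, process enumeration, privilege-token and window-hook rows are attributed to taskmgr.exe, 7zFM.exe and OpenWith.exe, that is, to the archive being opened and to Task Manager, not to the dropped binary. The rows that matter for the sample are the two Setupx32_x64.exe instances (PIDs 3600 and 2284), each of which spawns BitLockerToGo.exe from C:\Windows\BitLockerDiscoveryVolumeContents, writes into that child's memory and then replaces a thread context in it. Write-then-SetThreadContext on a freshly created child is the classic process-hollowing sequence, and a legitimate Windows image as the target is what makes the injected payload blend into a process list. The script below is an added example, not part of this report or of tria.ge: it parses rows in the shape of the SetThreadContext and WriteProcessMemory tables above, joins them with a process map and parent relationship copied from the tree, and scores each source/target pair. The event rows, the process map and the two control rows that must not fire are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed inputs, copied in the shape of this report's process tree. Sample
# data for the example, not a live telemetry feed.
PROCESSES = {
    3600: r"C:\Users\Admin\Desktop\Setupx32_x64.exe",
    2672: r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
    2284: r"C:\Users\Admin\Desktop\Setupx32_x64.exe",
    4528: r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
    3280: r"C:\Program Files\7-Zip\7zFM.exe",
    2036: r"C:\Windows\system32\taskmgr.exe",
}
# child pid -> parent pid, as shown by the depth-2 entries in the tree
PARENT = {2672: 3600, 4528: 2284}

# Rows in the shape of the report's SetThreadContext / WriteProcessMemory
# tables, plus two constructed control rows: a cross-process write with no
# context change, and a process touching its own memory. Neither should fire.
EVENTS = [
    "PID 3600 set thread context of 2672 3600 Setupx32_x64.exe 120",
    "PID 3600 wrote to memory of 2672 3600 Setupx32_x64.exe 120",
    "PID 3600 wrote to memory of 2672 3600 Setupx32_x64.exe 120",
    "PID 2284 set thread context of 4528 2284 Setupx32_x64.exe 122",
    "PID 2284 wrote to memory of 4528 2284 Setupx32_x64.exe 122",
    "PID 3280 wrote to memory of 2036 3280 7zFM.exe 7",
    "PID 2036 wrote to memory of 2036 2036 taskmgr.exe 5",
]

ROW = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)\b")
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)
WINDOWS_DIR = re.compile(r"^C:\\Windows\\", re.I)


def parse_events(rows):
    """Group report-style rows into {(source_pid, target_pid): {actions}}."""
    actions = defaultdict(set)
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue  # not a cross-process memory row
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        actions[(src, dst)].add("setctx" if verb.startswith("set") else "write")
    return dict(actions)


def find_hollowing(rows, processes, parent):
    """One finding per (source, target) pair where the source both wrote the
    target's memory and replaced a thread context. Each extra indicator adds
    one to the score: target is the source's own child, source runs from a
    user-writable path, target image lives under C:\\Windows."""
    findings = []
    for (src, dst), acts in parse_events(rows).items():
        if src == dst or acts != {"write", "setctx"}:
            continue
        src_img, dst_img = processes.get(src, ""), processes.get(dst, "")
        reasons = ["WriteProcessMemory and SetThreadContext on the same target"]
        if parent.get(dst) == src:
            reasons.append("target is a child of the injector")
        if USER_WRITABLE.match(src_img):
            reasons.append("injector runs from a user-writable path")
        if WINDOWS_DIR.match(dst_img):
            reasons.append("target image lives under C:\\Windows")
        findings.append({
            "source": (src, src_img),
            "target": (dst, dst_img),
            "score": len(reasons),
            "reasons": reasons,
        })
    return sorted(findings, key=lambda f: f["target"][0])


if __name__ == "__main__":
    for f in find_hollowing(EVENTS, PROCESSES, PARENT):
        print(f"[score {f['score']}/4] {f['source'][0]} -> {f['target'][0]} {f['target'][1]}")
        for r in f["reasons"]:
            print("   ", r)
```

On the rows from this report both Setupx32_x64.exe instances reach the maximum score, while the 7zFM.exe write (no thread-context change) and the self-write are dropped by the first filter. The same pairing of a write and a SetThreadContext against a just-created child is what a Sysmon or EDR rule would key on; the path and parent checks are there to keep debuggers and installers, which also write into other processes, from scoring as high.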
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 19.4MB
- MD5: 8ce7fffb29a8565b53d58971af37c3b9
- SHA1: 355ce0ec9e33d58661f3e60052a715c165d8c54a
- SHA256: 8489316aa7ddfdfa2bdb72b0d1756a01dadd2d23a702c3386056335c3995469e
- SHA512: 361a9280dc5e555868ce856a136717cd405fadf8373f2ac595ffbb1c608ff7cc2824a0e1407f2a22762326848d8f6da67fbdf8106617955e759c1a760d23d94a