Analysis
max time kernel: 31s
max time network: 50s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/05/2024, 01:58
Static task: static1
Behavioral task: behavioral1
Sample: followersbot.exe
Resource: win10v2004-20240226-en
General
Target: followersbot.exe
Size: 29.8MB
MD5: 1d8e95b4a436b4dd8e00eb84cf225246
SHA1: 25f0654c804e56279a2f4e03fd940584a3db082f
SHA256: 773a273b2c81ea4a0f308de30d377850b309a261a86418f580ec406d8e86f692
SHA512: 43f43002d5e4d56b9902f45814b6b8735b4b62bab4a50199105784ac00f48fca0ae0564cbc1ebac1a5965745ab0a4d3144bb143d6bebd417f972d30e47ace514
SSDEEP: 786432:1Q7YWt1MOSmwvIUciBDtfhuLhAzvlWOkzrLC+fA/I/AUbbZCaTAQ:1QJMOS1v7c2fuhoqviI/xbbZCap
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  PID   Process
  1372  powershell.exe
  3416  powershell.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Description        IoC                                                                                                                                Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                  taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                      taskmgr.exe
Note: all three IoCs are attributed to taskmgr.exe (PID 1268), which runs as a separate top-level process in this analysis and is not a descendant of followersbot.exe; the report records no SCSI key access by the sample or its children.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  4812  schtasks.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID   Process         Count
  1268  taskmgr.exe     2
  5000  conhost.exe     1
  1372  powershell.exe  2
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token                     PID   Process
  SeDebugPrivilege          1268  taskmgr.exe
  SeSystemProfilePrivilege  1268  taskmgr.exe
  SeCreateGlobalPrivilege   1268  taskmgr.exe
  SeDebugPrivilege          5000  conhost.exe
  SeDebugPrivilege          1372  powershell.exe
Suspicious use of FindShellTrayWindow (14 IoCs)
  PID   Process      Count
  1268  taskmgr.exe  14
Suspicious use of SendNotifyMessage (14 IoCs)
  PID   Process      Count
  1268  taskmgr.exe  14
Suspicious use of WriteProcessMemory (7 IoCs)
  Source PID  Source process    Target PID  Target process  procid_target  Count
  3572        followersbot.exe  5000        conhost.exe     92             3
  5000        conhost.exe       4172        cmd.exe         93             2
  4172        cmd.exe           1372        powershell.exe  95             2
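The following is an added example, not part of the tria.ge report or of the sample, showing what a "Checks SCSI registry key(s)" heuristic actually inspects, run over the three IoC key paths from the signature above. The path layout under Enum\SCSI is the Windows PnP device ID (Disk&Ven_<vendor>&Prod_<product>\<instance>); the list of hypervisor marker strings is an assumption drawn from well-known defaults (VirtualBox, VMware, QEMU, Hyper-V) and is not something the report states. Note that every one of these accesses came from taskmgr.exe, not from followersbot.exe.

```python
"""Parse Enum\SCSI registry IoCs and apply the naive vendor-string VM check.
Added example; the hypervisor marker list is an assumption, not report data."""
import re

# The three IoCs from the signature table, with the accessing process.
SCSI_IOCS = [
    ("Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000",
     "taskmgr.exe"),
    ("Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A",
     "taskmgr.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName",
     "taskmgr.exe"),
]

# Assumed: substrings that stock hypervisor disks expose in their vendor,
# product or FriendlyName strings (VBOX HARDDISK, VMware Virtual disk,
# QEMU HARDDISK, Msft Virtual Disk). A sandbox that reports "DADY" passes.
HYPERVISOR_MARKERS = ("vbox", "vmware", "qemu", "virtual")

# Device ID layout: <class>&Ven_<vendor>&Prod_<product>\<instance>[\subkey...]
SCSI_KEY = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)"
    r"\\(?P<inst>[^\\]+)(?P<rest>.*)$",
    re.IGNORECASE,
)


def parse_scsi_key(path: str):
    """Split a registry path under Enum\SCSI into its device-ID fields.
    Returns None for paths that are not SCSI device-instance keys."""
    m = SCSI_KEY.search(path)
    if not m:
        return None
    return {
        "class": m["cls"],
        "vendor": m["ven"],
        "product": m["prod"],
        "instance": m["inst"],
        "subkey": m["rest"].lstrip("\\"),  # e.g. FriendlyName or Properties\...
    }


def looks_like_vm(vendor: str, product: str, friendly_name: str = "") -> bool:
    """The check evasive samples perform on these strings: any marker hit
    means 'I am probably in a VM or sandbox'."""
    hay = f"{vendor} {product} {friendly_name}".lower()
    return any(marker in hay for marker in HYPERVISOR_MARKERS)


def summarize(iocs):
    """Group IoCs by accessing process and evaluate the VM heuristic per process."""
    out = {}
    for _action, path, process in iocs:
        info = parse_scsi_key(path)
        if info is None:
            continue
        entry = out.setdefault(process, {"devices": set(), "subkeys": [], "vm_suspected": False})
        entry["devices"].add(f"{info['vendor']}/{info['product']}")
        entry["subkeys"].append(info["subkey"] or "<device key>")
        entry["vm_suspected"] = entry["vm_suspected"] or looks_like_vm(info["vendor"], info["product"])
    return out


if __name__ == "__main__":
    for process, entry in summarize(SCSI_IOCS).items():
        print(process, sorted(entry["devices"]), entry["subkeys"], "vm_suspected=", entry["vm_suspected"])
```

Running it shows a single accessing process, taskmgr.exe, reading the device key, a Properties subkey and FriendlyName for a disk identified as DADY/HARDDISK, which matches none of the usual hypervisor markers; the vendor string alone would not tell a sample it is being analysed.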
Processes (indentation shows parent/child depth; the bracketed number is the depth level from the report)

[1] C:\Users\Admin\AppData\Local\Temp\followersbot.exe  (PID 3572)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\followersbot.exe"
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\conhost.exe  (PID 5000)
        cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\followersbot.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\cmd.exe  (PID 4172)
            cmdline: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1372)
                cmdline: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3416)
                cmdline: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\System32\cmd.exe  (PID 2168)
            cmdline: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

            [4] C:\Windows\system32\schtasks.exe  (PID 4812)
                cmdline: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
                - Creates scheduled task(s)

[1] C:\Windows\system32\taskmgr.exe  (PID 1268)
    cmdline: "C:\Windows\system32\taskmgr.exe" /4
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

Reading the tree: followersbot.exe (PID 3572) re-launches itself through conhost.exe (PID 5000), which spawns two cmd.exe chains. PID 4172 runs PowerShell twice to add Defender exclusions, first for the current directory, the user profile, AppData, Temp, SystemRoot, HomeDrive and SystemDrive, then for every .exe and .dll file; PID 2168 registers a logon-triggered task named "services64" at the highest run level pointing at C:\Windows\system32\services64.exe, a file that does not appear in the Downloads list below. taskmgr.exe (PID 1268) is a separate top-level process with no parent link to the sample, so the signatures attributed to it are not behaviour of followersbot.exe. On a live host, the ExclusionPath and ExclusionExtension properties reported by Get-MpPreference and the output of Get-ScheduledTask for the task name services64 show whether these changes took effect, and Defender records exclusion changes in its Operational event log as event ID 5007.
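An added example, not part of the tria.ge report or of the sample, that flags the two behaviours in the process tree above, Defender exclusions added with Add-MpPreference and logon persistence via schtasks, in process-creation events. The event records are constructed from the command lines in this report (parent links follow the tree depth); the pid/ppid/image/cmdline fields are an assumed Sysmon-style schema, and the severity rules and the list of executable extensions are assumptions, not anything the report states.

```python
"""Detect Add-MpPreference exclusions and schtasks persistence in process
creation events. Added example; event schema and scoring rules are assumed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree; ppid 0 marks an unknown parent.
EVENTS = [
    ProcEvent(3572, 0, r"C:\Users\Admin\AppData\Local\Temp\followersbot.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\followersbot.exe"'),
    ProcEvent(5000, 3572, r"C:\Windows\System32\conhost.exe",
              r'"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\followersbot.exe"'),
    ProcEvent(4172, 5000, r"C:\Windows\System32\cmd.exe",
              r'''"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit'''),
    ProcEvent(1372, 4172, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"'''),
    ProcEvent(3416, 4172, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"'''),
    ProcEvent(2168, 5000, r"C:\Windows\System32\cmd.exe",
              r'''"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"'''),
    ProcEvent(4812, 2168, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"'''),
]

# Assumed scoring inputs: excluding an executable extension or a whole
# drive/profile/system directory effectively disables Defender.
EXEC_EXT = {"exe", "dll", "scr", "ps1", "bat", "cmd", "vbs", "js"}
BROAD_PATH = re.compile(
    r"\$env:(SystemDrive|HomeDrive|SystemRoot|UserProfile|AppData|LocalAppData|Temp|Tmp)\b"
    r"|\(\$pwd\)|^[A-Za-z]:\\?$", re.IGNORECASE)
EXCL_PARAM = re.compile(r"-Exclusion(Path|Extension|Process)\s+", re.IGNORECASE)


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace outside double quotes."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def _read_value(text: str, start: int) -> str:
    """One PowerShell argument at `start`: an @( ) array with balanced
    parentheses (needed for ($pwd).path), a quoted string, or a bare token."""
    if text.startswith("@(", start):
        depth = 0
        for i in range(start + 1, len(text)):
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            if depth == 0:
                return text[start:i + 1]
        return text[start:]
    m = re.match(r"""'[^']*'|"[^"]*"|\S+""", text[start:])
    return m.group(0) if m else ""


def _items(value: str) -> list:
    """Flatten @(a, 'b', "c") or a single value into a list of bare strings."""
    inner = value[2:-1] if value.startswith("@(") else value
    return [v.strip().strip("'\"") for v in inner.split(",") if v.strip()]


def find_defender_exclusions(cmdline: str) -> list:
    """One finding per -Exclusion* parameter of each Add-MpPreference call;
    a cmd.exe line carrying two calls (like PID 4172 above) yields two."""
    starts = [m.start() for m in re.finditer(r"Add-MpPreference", cmdline, re.IGNORECASE)]
    findings = []
    for n, pos in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(cmdline)
        segment = cmdline[pos:end]
        for p in EXCL_PARAM.finditer(segment):
            findings.append({"kind": p.group(1).lower(),
                             "items": _items(_read_value(segment, p.end()))})
    return findings


def rate_exclusion(finding: dict) -> str:
    items = finding["items"]
    if finding["kind"] == "extension" and any(i.lower().lstrip(".") in EXEC_EXT for i in items):
        return "critical"
    if finding["kind"] == "path" and any(BROAD_PATH.search(i) for i in items):
        return "high"
    return "medium"


def find_schtasks_create(cmdline: str) -> Optional[dict]:
    """Extract /sc, /rl, /tn, /tr, /ru from a `schtasks /create` invocation."""
    args = split_cmdline(cmdline)
    low = [a.lower() for a in args]
    if not any(a.rsplit("\\", 1)[-1] in ("schtasks", "schtasks.exe") for a in low):
        return None
    if "/create" not in low:
        return None
    opts = {}
    for i, a in enumerate(low):
        if a in ("/sc", "/rl", "/tn", "/tr", "/ru") and i + 1 < len(args):
            opts[a[1:]] = args[i + 1]
    return opts


def task_is_suspicious(opts: dict) -> bool:
    """Assumed rule: a logon/boot trigger at the highest run level is persistence."""
    return opts.get("sc", "").lower() in ("onlogon", "onstart") and opts.get("rl", "").lower() == "highest"


def root_ancestor(events: list, pid: int) -> str:
    """Walk ppid links back to the first process whose parent is unknown."""
    by_pid = {e.pid: e for e in events}
    image = ""
    while pid in by_pid:
        image, pid = by_pid[pid].image, by_pid[pid].ppid
    return image


def analyze(events: list) -> list:
    alerts = []
    for ev in events:
        root = root_ancestor(events, ev.pid)
        for f in find_defender_exclusions(ev.cmdline):
            alerts.append({"pid": ev.pid, "rule": "defender_exclusion", "kind": f["kind"],
                           "items": f["items"], "severity": rate_exclusion(f), "root": root})
        opts = find_schtasks_create(ev.cmdline)
        if opts and task_is_suspicious(opts):
            alerts.append({"pid": ev.pid, "rule": "schtasks_persistence", "severity": "high",
                           "task": opts, "root": root})
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

The tokenizer keeps `@(($pwd).path, ...)` intact because the whole `-Command` argument is double-quoted, and the array reader counts parentheses so the nested `($pwd)` does not truncate the list. Each alert carries the root ancestor of the chain, which for every hit here is the Temp-resident followersbot.exe; that root path is the pivot a responder would use to tie the four exclusion alerts and the two task alerts to one infection.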
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: cadef9abd087803c630df65264a6c81c
SHA1: babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256: cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512: 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82