Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
139s -
max time network
135s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
15/05/2024, 23:00
Static task
static1
Behavioral task
behavioral1
Sample
Plasmafree.exe
Resource
win10-20240404-en
General
-
Target
Plasmafree.exe
-
Size
178KB
-
MD5
0d1368d0484c1573ec6857030574d70f
-
SHA1
fd7014f7a6d73ceba42ef00ab24688f8a5a6a926
-
SHA256
92ec2793e76d7834e682a9bcc75a82642276105c1e40ca94367f89d712c1168e
-
SHA512
21a6fb81a4987b5e53f2d1482a9421c08e8622814cbb0ca591136673f22d3deec8b066332828533092f9f0903197ff0fb35a642d2ded1495be7455fad473d5eb
-
SSDEEP
3072:XepGBwJFv7mTWtLlitV8zD7/+JOS9kfUYan7Rb4zFdsMONp6gKPqY:WYEDm8liT8f7/SOSS+b44NMg8q
Malware Config
Signatures
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions Plasmafree.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools Plasmafree.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Plasmafree.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Plasmafree.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Plasmafree.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 Plasmafree.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rescache\_merged\1601268389\715946058.pri taskmgr.exe File created C:\Windows\rescache\_merged\4183903823\2290032291.pri taskmgr.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2924 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2924 taskmgr.exe Token: SeSystemProfilePrivilege 2924 taskmgr.exe Token: SeCreateGlobalPrivilege 2924 taskmgr.exe -
Suspicious use of FindShellTrayWindow 40 IoCs
pid Process 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe -
Suspicious use of SendNotifyMessage 40 IoCs
pid Process 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe 2924 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Plasmafree.exe"C:\Users\Admin\AppData\Local\Temp\Plasmafree.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
PID:3604
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2924
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2300