
Analysis

  • max time kernel
    139s
  • max time network
    135s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    15/05/2024, 23:00

General

  • Target

    Plasmafree.exe

  • Size

    178KB

  • MD5

    0d1368d0484c1573ec6857030574d70f

  • SHA1

    fd7014f7a6d73ceba42ef00ab24688f8a5a6a926

  • SHA256

    92ec2793e76d7834e682a9bcc75a82642276105c1e40ca94367f89d712c1168e

  • SHA512

    21a6fb81a4987b5e53f2d1482a9421c08e8622814cbb0ca591136673f22d3deec8b066332828533092f9f0903197ff0fb35a642d2ded1495be7455fad473d5eb

  • SSDEEP

    3072:XepGBwJFv7mTWtLlitV8zD7/+JOS9kfUYan7Rb4zFdsMONp6gKPqY:WYEDm8liT8f7/SOSS+b44NMg8q

Score
9/10

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 40 IoCs
  • Suspicious use of SendNotifyMessage 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Plasmafree.exe
    "C:\Users\Admin\AppData\Local\Temp\Plasmafree.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    PID:3604
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2924
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2300

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/3604-0-0x00000000732FE000-0x00000000732FF000-memory.dmp (Filesize: 4KB)
  • memory/3604-1-0x0000000000070000-0x00000000000A8000-memory.dmp (Filesize: 224KB)
  • memory/3604-2-0x0000000000860000-0x0000000000866000-memory.dmp (Filesize: 24KB)
  • memory/3604-3-0x00000000732F0000-0x00000000739DE000-memory.dmp (Filesize: 6.9MB)
  • memory/3604-4-0x0000000004AB0000-0x0000000004B16000-memory.dmp (Filesize: 408KB)
  • memory/3604-6-0x0000000005020000-0x000000000551E000-memory.dmp (Filesize: 5.0MB)
  • memory/3604-7-0x00000000732F0000-0x00000000739DE000-memory.dmp (Filesize: 6.9MB)