Analysis
max time kernel:   40s
max time network:  44s
platform:          windows10-2004_x64
resource:          win10v2004-20240508-uk
resource tags:     arch:x64, arch:x86, image:win10v2004-20240508-uk, locale:uk-ua, os:windows10-2004-x64, system, windows
submitted:         15/05/2024, 13:49
Static task
static1
General
Target:  1tv.exe
Size:    1.6MB
MD5:     22537b9fa99f827c065121d45c19dd20
SHA1:    cde009abfb08f56aadb21b0bf52a87db1d0863dc
SHA256:  6f77293636e77289f03d7ce172299a54af46b3e671189bf09050e9b4957f509e
SHA512:  74516d380796018dceb7b5d1dbc25198a17116ddc32e8af1d4631d666a79dfc0c6bb5b2513ee2aff13763050c8088f95d4234ce5274335e9d0476cb9e5f45a42
SSDEEP:  24576:s7FUDowAyrTVE3U5F/agB2Kic6QL3E2vVsjECUAQT45deRV9R5:sBuZrEUZ2KIy029s4C1eH9T
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Run Powershell and hide display window.
pid   Process
844   powershell.exe

Executes dropped EXE (3 IoCs)
pid   Process
1632  1tv.tmp
3596  DesktopApp.exe
4748  update.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (6 IoCs)
description                   ioc                                                                                                                              Process
File opened for modification  C:\Program Files (x86)\1TV Armenia\DesktopApp.exe                                                                                1tv.tmp
File created                  C:\Program Files (x86)\1TV Armenia\unins000.dat                                                                                  1tv.tmp
File created                  C:\Program Files (x86)\1TV Armenia\is-43B6I.tmp                                                                                  1tv.tmp
File created                  C:\Program Files (x86)\1TV Armenia\is-RU8JV.tmp                                                                                  1tv.tmp
File opened for modification  C:\Program Files (x86)\1TV Armenia\unins000.dat                                                                                  1tv.tmp
File opened for modification  C:\Program Files (x86)\1TV Armenia\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk  powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
1632  1tv.tmp
1632  1tv.tmp
844   powershell.exe
844   powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  844   powershell.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
1632  1tv.tmp

Suspicious use of WriteProcessMemory (14 IoCs)
description                        pid   Process         procid_target
PID 3156 wrote to memory of 1632   3156  1tv.exe         83
PID 3156 wrote to memory of 1632   3156  1tv.exe         83
PID 3156 wrote to memory of 1632   3156  1tv.exe         83
PID 1632 wrote to memory of 3596   1632  1tv.tmp         88
PID 1632 wrote to memory of 3596   1632  1tv.tmp         88
PID 1632 wrote to memory of 3596   1632  1tv.tmp         88
PID 3596 wrote to memory of 4044   3596  DesktopApp.exe  92
PID 3596 wrote to memory of 4044   3596  DesktopApp.exe  92
PID 3596 wrote to memory of 4044   3596  DesktopApp.exe  92
PID 4044 wrote to memory of 844    4044  cmd.exe         94
PID 4044 wrote to memory of 844    4044  cmd.exe         94
PID 4044 wrote to memory of 844    4044  cmd.exe         94
PID 844 wrote to memory of 4748    844   powershell.exe  96
PID 844 wrote to memory of 4748    844   powershell.exe  96
Processes

C:\Users\Admin\AppData\Local\Temp\1tv.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1tv.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3156

    C:\Users\Admin\AppData\Local\Temp\is-6G2JQ.tmp\1tv.tmp
        command line: "C:\Users\Admin\AppData\Local\Temp\is-6G2JQ.tmp\1tv.tmp" /SL5="$7016E,843248,832512,C:\Users\Admin\AppData\Local\Temp\1tv.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 1632

        C:\Program Files (x86)\1TV Armenia\DesktopApp.exe
            command line: "C:\Program Files (x86)\1TV Armenia\DesktopApp.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            PID: 3596

            C:\Windows\SysWOW64\cmd.exe
                command line: "cmd.exe" /c start /min "" powershell -WindowStyle Hidden -ep Bypass -File C:\Users\Public\Downloads\updater.ps1
                - Suspicious use of WriteProcessMemory
                PID: 4044

                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    command line: powershell -WindowStyle Hidden -ep Bypass -File C:\Users\Public\Downloads\updater.ps1
                    - Command and Scripting Interpreter: PowerShell
                    - Drops file in Program Files directory
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    PID: 844

                    C:\Users\Public\Downloads\update.exe
                        command line: "C:\Users\Public\Downloads\update.exe"
                        - Executes dropped EXE
                        PID: 4748
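The chain above is the part of this report a detection engineer cares about: an installer (the `/SL5=` switch and the `is-XXXXX.tmp` staging directory are Inno Setup conventions) hands off to DesktopApp.exe, which uses `cmd.exe /c start /min` to launch PowerShell with a hidden window, `-ep Bypass` (the short form of `-ExecutionPolicy Bypass`) and a script in the world-writable C:\Users\Public\Downloads, and that script in turn runs update.exe from the same directory. The following is an added example, not sandbox output or code belonging to the sample's vendor: it runs over constructed process-creation events (the PIDs and command lines are copied from the tree above, plus a constructed benign control), resolves PowerShell's abbreviated switch names, scores each PowerShell launch, and attaches the parent chain and any non-Windows binaries it spawned. The event schema, the two-finding threshold and the `ProcEvent` name are assumptions for the example.

```python
"""Added example: flag the cmd -> powershell -> update.exe launch chain in
process-creation telemetry. EVENTS is constructed for this example (not sandbox
output); PIDs and command lines reuse the report's process tree so the chain
reconstructs exactly, and the last record is a benign control that must not alert."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:          # assumed schema, modelled on a process-creation log record
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS: List[ProcEvent] = [
    ProcEvent(3156, 0, r"C:\Users\Admin\AppData\Local\Temp\1tv.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\1tv.exe"'),
    ProcEvent(1632, 3156, r"C:\Users\Admin\AppData\Local\Temp\is-6G2JQ.tmp\1tv.tmp",
              r'"C:\Users\Admin\AppData\Local\Temp\is-6G2JQ.tmp\1tv.tmp" /SL5="$7016E,843248,832512,C:\Users\Admin\AppData\Local\Temp\1tv.exe"'),
    ProcEvent(3596, 1632, r"C:\Program Files (x86)\1TV Armenia\DesktopApp.exe",
              r'"C:\Program Files (x86)\1TV Armenia\DesktopApp.exe"'),
    ProcEvent(4044, 3596, r"C:\Windows\SysWOW64\cmd.exe",
              r'"cmd.exe" /c start /min "" powershell -WindowStyle Hidden -ep Bypass -File C:\Users\Public\Downloads\updater.ps1'),
    ProcEvent(844, 4044, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -WindowStyle Hidden -ep Bypass -File C:\Users\Public\Downloads\updater.ps1"),
    ProcEvent(4748, 844, r"C:\Users\Public\Downloads\update.exe",
              r'"C:\Users\Public\Downloads\update.exe"'),
    # Constructed benign control: an ordinary PowerShell launch with one harmless switch.
    ProcEvent(5000, 1234, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile'),
]

_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted arguments whole and unquoting them."""
    return [t[1:-1] if len(t) >= 2 and t[0] == '"' and t[-1] == '"' else t
            for t in _TOKEN.findall(cmdline)]


# powershell.exe accepts any prefix of a parameter name that is at least as long as the
# listed minimum (-w, -ex, -f, -e), plus the explicit short aliases -ep and -ec.
_PARAMS = {
    "windowstyle": ("w", ()),
    "executionpolicy": ("ex", ("ep",)),
    "file": ("f", ()),
    "encodedcommand": ("e", ("ec",)),
}


def param_name(token: str) -> Optional[str]:
    """Resolve an abbreviated -Switch (or /Switch) to its full parameter name."""
    if not token or token[0] not in "-/":
        return None
    key = token[1:].lower()
    for full, (minlen, aliases) in _PARAMS.items():
        if key in aliases or (len(key) >= len(minlen) and full.startswith(key)):
            return full
    return None


def powershell_findings(cmdline: str) -> Dict[str, str]:
    """Return {finding: evidence} for the switches this report's chain relies on."""
    toks = tokenize(cmdline)
    params: Dict[str, str] = {}
    for i, tok in enumerate(toks):
        name = param_name(tok)
        if name:
            params[name] = toks[i + 1] if i + 1 < len(toks) else ""
    findings: Dict[str, str] = {}
    if params.get("windowstyle", "").lower().startswith("h"):
        findings["hidden_window"] = params["windowstyle"]
    if params.get("executionpolicy", "").lower() in ("bypass", "unrestricted"):
        findings["execution_policy_bypass"] = params["executionpolicy"]
    script = params.get("file", "").lower()
    if script.startswith(r"c:\users\public") or r"\appdata\local\temp" in script:
        findings["script_in_user_writable_path"] = params["file"]
    if "encodedcommand" in params:
        findings["encoded_command"] = "present"
    return findings


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image basenames from the root of the tree down to pid."""
    by_pid = {e.pid: e for e in events}
    chain: List[str] = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain[::-1]


def spawned_outside_windows(events: List[ProcEvent], pid: int) -> List[str]:
    """Images started by pid that live outside the Windows directory (update.exe here)."""
    return [e.image for e in events
            if e.ppid == pid and not e.image.lower().startswith("c:\\windows\\")]


def analyze(events: List[ProcEvent]) -> List[dict]:
    """Alert on PowerShell launches with two or more findings (one alone is common in
    legitimate admin scripts), attaching the parent chain and spawned executables."""
    alerts = []
    for e in events:
        if not e.image.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
            continue
        findings = powershell_findings(e.cmdline)
        if len(findings) >= 2:
            alerts.append({"pid": e.pid, "findings": findings,
                           "chain": ancestry(events, e.pid),
                           "spawned": spawned_outside_windows(events, e.pid)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

Run against the constructed events, the only alert is PID 844, with the chain 1tv.exe → 1tv.tmp → DesktopApp.exe → cmd.exe → powershell.exe and update.exe as the spawned binary; the `-NoProfile` control produces no findings. The prefix matching matters in practice: a rule that only looks for the literal string `-ExecutionPolicy Bypass` misses `-ep Bypass` as used in this sample.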
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize:  37KB
MD5:       cb102843884c22b910c6dd65064bf439
SHA1:      7800cff6dc85b9bbd90739fe401f541ff92e3afc
SHA256:    6f28bbd26bf2bd5a55589f76e959cf4cf776b905547610e3465b707d5af952f2
SHA512:    7fccad2a83420b47cfa528f624c75755ba5b46ec05f831330ca9601652a6f6eed8fc32b9c16c4f6b9fccfa60b79178f7348c93373cb769739c6eef0497a2d70f

Filesize:  60B
MD5:       d17fe0a3f47be24a6453e9ef58c94641
SHA1:      6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256:    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512:    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize:  3.1MB
MD5:       9af23504e36377f03c87c5c0ae66d2ff
SHA1:      e244a3e50ef02894f28ac3105c101ac78f0fdfd2
SHA256:    5e5c7042fca0d2bb26b5658c24d461a819621d3b2bccfc5098d4f25cdf78f987
SHA512:    84ae091bce3703b958c4b2b36345fb9b0f0a093120477cffd4b6ee363b37ed41c8978ec9434b343480d4f485dbe7901980a554ac27f2bea6bde41a1bf3d19122

Filesize:  8KB
MD5:       561b319f46bb65adecb296d4a8f4ca44
SHA1:      8ba92fcb3fb640db77513eaa441a0a4734d63328
SHA256:    c39ded5e92578f51c308648c6d06cd24e2fcd3b578cb1cb699769d76cc2b5e38
SHA512:    52120e0664a792f373718ea0caeb8f5e1f07f4305c1781619f995d28934e85af1aae940474464b85259fa0de2caf587487b3bc56692c092f4f4e98419511f404

Filesize:  11KB
MD5:       58b24359fefad9665efcd620bd796f3a
SHA1:      5da572147944cf7382abbf942e3ebcfa08b92ab6
SHA256:    af25880f029a1c21e23808a5b344cb6c3fc44c4dc3cd1fc26990e880b1e8f026
SHA512:    addfc555137bb84fab6662ae56707c13b9b0287caf58a49e9ab94566d3904cae2e70f92056261b127300090abc76fb4e32bb4665c1ad710e47789239eeaef5a7