Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

1tv.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    40s
  • max time network
    44s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-uk
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-uklocale:uk-uaos:windows10-2004-x64systemwindows
  • submitted
    15/05/2024, 13:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1tv.exe

  • Size

    1.6MB

  • MD5

    22537b9fa99f827c065121d45c19dd20

  • SHA1

    cde009abfb08f56aadb21b0bf52a87db1d0863dc

  • SHA256

    6f77293636e77289f03d7ce172299a54af46b3e671189bf09050e9b4957f509e

  • SHA512

    74516d380796018dceb7b5d1dbc25198a17116ddc32e8af1d4631d666a79dfc0c6bb5b2513ee2aff13763050c8088f95d4234ce5274335e9d0476cb9e5f45a42

  • SSDEEP

    24576:s7FUDowAyrTVE3U5F/agB2Kic6QL3E2vVsjECUAQT45deRV9R5:sBuZrEUZ2KIy029s4C1eH9T

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1tv.exe
    "C:\Users\Admin\AppData\Local\Temp\1tv.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Users\Admin\AppData\Local\Temp\is-6G2JQ.tmp\1tv.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-6G2JQ.tmp\1tv.tmp" /SL5="$7016E,843248,832512,C:\Users\Admin\AppData\Local\Temp\1tv.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Program Files (x86)\1TV Armenia\DesktopApp.exe
        "C:\Program Files (x86)\1TV Armenia\DesktopApp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3596
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c start /min "" powershell -WindowStyle Hidden -ep Bypass -File C:\Users\Public\Downloads\updater.ps1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4044
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -WindowStyle Hidden -ep Bypass -File C:\Users\Public\Downloads\updater.ps1
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:844
            • C:\Users\Public\Downloads\update.exe
              "C:\Users\Public\Downloads\update.exe"
              6⤵
              • Executes dropped EXE
              PID:4748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\1TV Armenia\DesktopApp.exe
    Filesize

    37KB

    MD5

    cb102843884c22b910c6dd65064bf439

    SHA1

    7800cff6dc85b9bbd90739fe401f541ff92e3afc

    SHA256

    6f28bbd26bf2bd5a55589f76e959cf4cf776b905547610e3465b707d5af952f2

    SHA512

    7fccad2a83420b47cfa528f624c75755ba5b46ec05f831330ca9601652a6f6eed8fc32b9c16c4f6b9fccfa60b79178f7348c93373cb769739c6eef0497a2d70f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q0542j5t.yc1.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-6G2JQ.tmp\1tv.tmp
    Filesize

    3.1MB

    MD5

    9af23504e36377f03c87c5c0ae66d2ff

    SHA1

    e244a3e50ef02894f28ac3105c101ac78f0fdfd2

    SHA256

    5e5c7042fca0d2bb26b5658c24d461a819621d3b2bccfc5098d4f25cdf78f987

    SHA512

    84ae091bce3703b958c4b2b36345fb9b0f0a093120477cffd4b6ee363b37ed41c8978ec9434b343480d4f485dbe7901980a554ac27f2bea6bde41a1bf3d19122

    Download Submit

  • C:\Users\Public\Downloads\update.exe
    Filesize

    8KB

    MD5

    561b319f46bb65adecb296d4a8f4ca44

    SHA1

    8ba92fcb3fb640db77513eaa441a0a4734d63328

    SHA256

    c39ded5e92578f51c308648c6d06cd24e2fcd3b578cb1cb699769d76cc2b5e38

    SHA512

    52120e0664a792f373718ea0caeb8f5e1f07f4305c1781619f995d28934e85af1aae940474464b85259fa0de2caf587487b3bc56692c092f4f4e98419511f404

    Download Submit

  • C:\Users\Public\Downloads\updater.ps1
    Filesize

    11KB

    MD5

    58b24359fefad9665efcd620bd796f3a

    SHA1

    5da572147944cf7382abbf942e3ebcfa08b92ab6

    SHA256

    af25880f029a1c21e23808a5b344cb6c3fc44c4dc3cd1fc26990e880b1e8f026

    SHA512

    addfc555137bb84fab6662ae56707c13b9b0287caf58a49e9ab94566d3904cae2e70f92056261b127300090abc76fb4e32bb4665c1ad710e47789239eeaef5a7

    Download Submit

  • memory/844-32-0x0000000005240000-0x0000000005868000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/844-50-0x0000000007180000-0x0000000007216000-memory.dmp

    Filesize

    600KB

    Download

  • memory/844-53-0x00000000077D0000-0x0000000007D74000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/844-52-0x0000000006540000-0x0000000006562000-memory.dmp

    Filesize

    136KB

    Download

  • memory/844-51-0x00000000064F0000-0x000000000650A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/844-47-0x0000000006040000-0x000000000608C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/844-31-0x0000000004A50000-0x0000000004A86000-memory.dmp

    Filesize

    216KB

    Download

  • memory/844-46-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/844-33-0x0000000005090000-0x00000000050B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/844-35-0x00000000058E0000-0x0000000005946000-memory.dmp

    Filesize

    408KB

    Download

  • memory/844-34-0x0000000005870000-0x00000000058D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/844-41-0x0000000005950000-0x0000000005CA4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1632-6-0x0000000000400000-0x000000000071C000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1632-9-0x0000000000400000-0x000000000071C000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1632-25-0x0000000000400000-0x000000000071C000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3156-8-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/3156-0-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/3156-26-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/3156-2-0x0000000000401000-0x00000000004B7000-memory.dmp

    Filesize

    728KB

    Download

  • memory/3596-23-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3596-22-0x0000000073D5E000-0x0000000073D5F000-memory.dmp

    Filesize

    4KB

    Download