Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    21/05/2024, 01:19

General

  • Target

    6c23d186a8ad288a8d3bedb26ac3351d4dd8350b84acbaa163afd30d561dc220.exe

  • Size

    1.9MB

  • MD5

    1e4ab972a4f5977387011437c4dbe618

  • SHA1

    a7c033be7d29c03c4d617d6268637341a827f12b

  • SHA256

    6c23d186a8ad288a8d3bedb26ac3351d4dd8350b84acbaa163afd30d561dc220

  • SHA512

    bb4e5c26bc68007b343974e9e6687c3b51613b191b4a6f58a9ceec8ffb4ed2fca2e6172b3f601ec5bd94a540846c12348811ab6eefdf046973209b54abbcdecc

  • SSDEEP

    24576:GkXbZMzUN+ZysTspK8kCBHcdjW1kMrLbgBwnRTvOksAhyTDc/VkTJSML2crAM0aI:jskL1LrLb52kmTD6oJSsrAMgduf8hMs

Score
9/10

Malware Config

Signatures

  • Detects executables packed with unregistered version of .NET Reactor 2 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c23d186a8ad288a8d3bedb26ac3351d4dd8350b84acbaa163afd30d561dc220.exe
    "C:\Users\Admin\AppData\Local\Temp\6c23d186a8ad288a8d3bedb26ac3351d4dd8350b84acbaa163afd30d561dc220.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yvi2BLkcFq.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3296
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1284
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:5020
          • C:\Program Files\Windows Mail\fontdrvhost.exe
            "C:\Program Files\Windows Mail\fontdrvhost.exe"
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1012
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Y7WGTL1T5.bat"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2108
              • C:\Windows\system32\chcp.com
                chcp 65001
                5⤵
                  PID:2160
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  5⤵
                    PID:4780
                  • C:\Program Files\Windows Mail\fontdrvhost.exe
                    "C:\Program Files\Windows Mail\fontdrvhost.exe"
                    5⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3968
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5tk1CddJ7G.bat"
                      6⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1688
                      • C:\Windows\system32\chcp.com
                        chcp 65001
                        7⤵
                          PID:1952
                        • C:\Windows\system32\PING.EXE
                          ping -n 10 localhost
                          7⤵
                          • Runs ping.exe
                          PID:3616
                        • C:\Program Files\Windows Mail\fontdrvhost.exe
                          "C:\Program Files\Windows Mail\fontdrvhost.exe"
                          7⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4704
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KvMN3vAFGm.bat"
                            8⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3684
                            • C:\Windows\system32\chcp.com
                              chcp 65001
                              9⤵
                                PID:2704
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                9⤵
                                  PID:952
                                • C:\Program Files\Windows Mail\fontdrvhost.exe
                                  "C:\Program Files\Windows Mail\fontdrvhost.exe"
                                  9⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:4756
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z63w1kYtFS.bat"
                                    10⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:3776
                                    • C:\Windows\system32\chcp.com
                                      chcp 65001
                                      11⤵
                                        PID:3412
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        11⤵
                                          PID:4328
                                        • C:\Program Files\Windows Mail\fontdrvhost.exe
                                          "C:\Program Files\Windows Mail\fontdrvhost.exe"
                                          11⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3252
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:664
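
The tree above is a fixed loop: the payload writes a randomly named .bat to %TEMP%, cmd.exe runs it, the script sets the code page, burns a few seconds with w32tm /stripchart or ping -n 10 localhost (both living-off-the-land sleeps that leave no Sleep() call for a sandbox to hook), then starts the copy under C:\Program Files\Windows Mail\fontdrvhost.exe, which repeats the cycle. The following is an added example, not code from the tria.ge report or from the sample: it replays the process list as records and flags the sleep proxies, the system-binary name executed outside System32, and each self-relaunch hop. The PROCS table is transcribed from the page; the delay estimates, the function names and the list of borrowed binary names are assumptions for illustration.

```python
"""Triage the process tree shown above (added example, not report code)."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\6c23d186a8ad288a8d3bedb26ac3351d4dd8350b84acbaa163afd30d561dc220.exe")
DROP = r"C:\Program Files\Windows Mail\fontdrvhost.exe"
CMD = r"C:\Windows\System32\cmd.exe"
W32TM = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"


def _bat(name):
    return '"%s" /C "C:\\Users\\Admin\\AppData\\Local\\Temp\\%s.bat"' % (CMD, name)


# Transcribed from the report; ppid follows the nesting shown on the page.
# msedge.exe (PID 664) has no parent in the chain and is left out.
PROCS = [
    Proc(4616, 0,    SAMPLE, '"%s"' % SAMPLE),
    Proc(3296, 4616, CMD, _bat("yvi2BLkcFq")),
    Proc(1284, 3296, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    Proc(5020, 3296, r"C:\Windows\system32\w32tm.exe", W32TM),
    Proc(1012, 3296, DROP, '"%s"' % DROP),
    Proc(2108, 1012, CMD, _bat("6Y7WGTL1T5")),
    Proc(2160, 2108, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    Proc(4780, 2108, r"C:\Windows\system32\w32tm.exe", W32TM),
    Proc(3968, 2108, DROP, '"%s"' % DROP),
    Proc(1688, 3968, CMD, _bat("5tk1CddJ7G")),
    Proc(1952, 1688, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    Proc(3616, 1688, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    Proc(4704, 1688, DROP, '"%s"' % DROP),
    Proc(3684, 4704, CMD, _bat("KvMN3vAFGm")),
    Proc(2704, 3684, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    Proc(952,  3684, r"C:\Windows\system32\w32tm.exe", W32TM),
    Proc(4756, 3684, DROP, '"%s"' % DROP),
    Proc(3776, 4756, CMD, _bat("Z63w1kYtFS")),
    Proc(3412, 3776, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    Proc(4328, 3776, r"C:\Windows\system32\w32tm.exe", W32TM),
    Proc(3252, 3776, DROP, '"%s"' % DROP),
]

W32TM_RE = re.compile(r"w32tm\s+/stripchart\b.*?/period:(\d+).*?/samples:(\d+)", re.I)
PING_RE = re.compile(r"\bping(?:\.exe)?\b.*?-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)


def sleep_proxy_seconds(cmdline):
    """Approximate delay (seconds) introduced by a LOLBin sleep, or None.
    Estimates are assumptions: w32tm /stripchart samples every /period
    seconds for /samples rounds; ping -n N localhost waits about one
    second between requests, so roughly N-1 seconds."""
    m = W32TM_RE.search(cmdline)
    if m:
        return int(m.group(1)) * int(m.group(2))
    m = PING_RE.search(cmdline)
    if m:
        return max(int(m.group(1)) - 1, 0)
    return None


# Directories where these binaries legitimately live (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names borrowed because they exist on every host (assumed list).
LOTL_NAMES = {"fontdrvhost.exe", "lsass.exe", "svchost.exe", "csrss.exe",
              "winlogon.exe", "dwm.exe", "smss.exe", "services.exe"}


def is_masquerade(path):
    """True when a well-known Windows binary name runs from a directory
    that binary never legitimately lives in."""
    low = path.lower()
    if low.rsplit("\\", 1)[-1] not in LOTL_NAMES:
        return False
    return not any(low.startswith(d) for d in SYSTEM_DIRS)


PAYLOAD_NAMES = {SAMPLE.rsplit("\\", 1)[-1].lower(), DROP.rsplit("\\", 1)[-1].lower()}


def relaunch_chain(procs):
    """PIDs at which the payload re-executes itself through a
    'cmd.exe /C x.bat' hop, in tree order."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        parent_is_bat = (parent.image.lower().endswith("\\cmd.exe")
                         and ".bat" in parent.cmdline.lower())
        if parent_is_bat and p.image.rsplit("\\", 1)[-1].lower() in PAYLOAD_NAMES:
            chain.append(p.pid)
    return chain


def triage(procs):
    """Summarise sleep proxies, masquerading images and relaunch hops."""
    sleeps = {}
    for p in procs:
        s = sleep_proxy_seconds(p.cmdline)
        if s is not None:
            sleeps[p.pid] = s
    return {
        "sleep_proxies": sleeps,
        "total_delay_s": sum(sleeps.values()),
        "masquerades": sorted({p.image for p in procs if is_masquerade(p.image)}),
        "relaunch_pids": relaunch_chain(procs),
    }


if __name__ == "__main__":
    for key, value in triage(PROCS).items():
        print(key, value)
```

Run on the transcribed tree, the five hops add up to roughly 49 seconds of pure waiting inside a 142-second kernel budget, which is the reason to raise the analysis time or patch the w32tm and ping calls when re-running samples of this shape; the same checks map directly onto Sysmon event ID 1 fields (Image, ParentImage, CommandLine) for a production detection.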

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log
    Filesize
    1KB
    MD5
    72a4a3e4a8aa2ad5e3530c6316af57f4
    SHA1
    e3c63c14317630caa5a3b212012bda8204c4c6eb
    SHA256
    33d4d20cd8d41637725c42083a684731c340cd4166bb5872d1335f8a3408f829
    SHA512
    f85f1a249295fead9bc279b2ca4d53dfce8ad4cc1b79c667228c734713f0299cd3241abac3a185ae4bbc3838e1075ee7beafb50737efb69af96e033157bfb6da
  • C:\Users\Admin\AppData\Local\Temp\5tk1CddJ7G.bat
    Filesize
    173B
    MD5
    2e0c1b69ead1fdade2bf47a34e21ee6c
    SHA1
    2b17fb0a9cdd88ed48fd72bcc3769b70cab29db8
    SHA256
    fa9a3c534aa2e8fee77d053bf3530549aaad6b03a0690a28f63c822d94e3f9cc
    SHA512
    98ea599186940bb2a13d1513a7cd17905ce90ef301d753db8b772b124b2ac1874d2f1eec8112ec1fe769ce45fcda25ae54ff2a745b1286747776d700c55d9dc3
  • C:\Users\Admin\AppData\Local\Temp\6Y7WGTL1T5.bat
    Filesize
    221B
    MD5
    62c9c852e704fe487a2b4006ac74a708
    SHA1
    7189a59d81778219b80f5faf5303e0920358daeb
    SHA256
    9d7be3d82efb8c5f3089cd47b751e36dc5563af6e3b9773286b3f71adfcb42ca
    SHA512
    549da09e57b1d150073083ce0a6865413e223740e9e460358c0f8ad767a2c16573672ebb9d8aefda4fa218979a2cfd776057ceba50e57c1fbb57cd9b3fe9bbf9
  • C:\Users\Admin\AppData\Local\Temp\KvMN3vAFGm.bat
    Filesize
    221B
    MD5
    4254ce9ea288239e5261912e2d24332e
    SHA1
    59d66373d2cf9ebeecb3edd0055a9decb9b9cd86
    SHA256
    58df3132d02c5bba225dc41f3df4ab50a5764436604f9378b3d64bb95a37d659
    SHA512
    67ffa00d11c9fff084f8f1ab6225cd54f720c3fc57a6a09a9a7721c56e7ed3ca4c1933da124182959b7a31b1fc32654eae6d0bbd901b1819b9e8470ae1e6cd1f
  • C:\Users\Admin\AppData\Local\Temp\Z63w1kYtFS.bat
    Filesize
    221B
    MD5
    fcc0c3c18256ee6b9e914f560ebfe774
    SHA1
    34054898cbfde2e9cefa3a10e333d662c808b481
    SHA256
    1c51b579842589a111cff4f34d70362dc99296448f3a16d21371b1b3d44c5172
    SHA512
    5de893691b4553afb1191c104cc943bdb28e5ebbca7f8510eea54d33da7a7651fc8b12f191a24c3810ee05049a4c2b3231e33083cb07465d58e717254772ef3b
  • C:\Users\Admin\AppData\Local\Temp\yvi2BLkcFq.bat
    Filesize
    221B
    MD5
    05df9e266b0a86b2e722ca6159895f4d
    SHA1
    8996dc2514c73368a9c62ef62b512666a5bc95dc
    SHA256
    79fe8785ca557536797903488078c22941fff91937026777578ac39102a4ba26
    SHA512
    dcb5af81c9d2e59a23aadb178d777de30b7216c1ef8795d87fbc08840131d46537a565d25a451e71072e15ae7e68b8425a929e39456acace3cdd8661203e437b
  • C:\Users\Default\lsass.exe
    Filesize
    1.9MB
    MD5
    1e4ab972a4f5977387011437c4dbe618
    SHA1
    a7c033be7d29c03c4d617d6268637341a827f12b
    SHA256
    6c23d186a8ad288a8d3bedb26ac3351d4dd8350b84acbaa163afd30d561dc220
    SHA512
    bb4e5c26bc68007b343974e9e6687c3b51613b191b4a6f58a9ceec8ffb4ed2fca2e6172b3f601ec5bd94a540846c12348811ab6eefdf046973209b54abbcdecc
  • memory/1012-57-0x00007FFAE92C0000-0x00007FFAE9D81000-memory.dmp
    Filesize
    10.8MB
  • memory/1012-50-0x00007FFAE92C0000-0x00007FFAE9D81000-memory.dmp
    Filesize
    10.8MB
  • memory/1012-44-0x00007FFAE92C0000-0x00007FFAE9D81000-memory.dmp
    Filesize
    10.8MB
  • memory/4616-8-0x00000000026A0000-0x00000000026F0000-memory.dmp
    Filesize
    320KB
  • memory/4616-14-0x00007FFAE92C0000-0x00007FFAE9D81000-memory.dmp
    Filesize
    10.8MB
  • memory/4616-16-0x0000000002640000-0x0000000002652000-memory.dmp
    Filesize
    72KB
  • memory/4616-17-0x00007FFAE92C0000-0x00007FFAE9D81000-memory.dmp
    Filesize
    10.8MB
  • memory/4616-18-0x00007FFAE92C0000-0x00007FFAE9D81000-memory.dmp
    Filesize
    10.8MB
  • memory/4616-19-0x000000001C120000-0x000000001C648000-memory.dmp
    Filesize
    5.2MB
  • memory/4616-20-0x00007FFAE92C0000-0x00007FFAE9D81000-memory.dmp
    Filesize
    10.8MB
  • memory/4616-22-0x0000000002660000-0x0000000002678000-memory.dmp
    Filesize
    96KB
  • memory/4616-23-0x00007FFAE92C0000-0x00007FFAE9D81000-memory.dmp
    Filesize
    10.8MB
  • memory/4616-13-0x0000000000CF0000-0x0000000000CFE000-memory.dmp
    Filesize
    56KB
  • memory/4616-39-0x00007FFAE92C0000-0x00007FFAE9D81000-memory.dmp
    Filesize
    10.8MB
  • memory/4616-11-0x0000000000CE0000-0x0000000000CEE000-memory.dmp
    Filesize
    56KB
  • memory/4616-9-0x00007FFAE92C0000-0x00007FFAE9D81000-memory.dmp
    Filesize
    10.8MB
  • memory/4616-0-0x00007FFAE92C3000-0x00007FFAE92C5000-memory.dmp
    Filesize
    8KB
  • memory/4616-7-0x00007FFAE92C0000-0x00007FFAE9D81000-memory.dmp
    Filesize
    10.8MB
  • memory/4616-6-0x0000000002600000-0x000000000261C000-memory.dmp
    Filesize
    112KB
  • memory/4616-4-0x00007FFAE92C0000-0x00007FFAE9D81000-memory.dmp
    Filesize
    10.8MB
  • memory/4616-3-0x00007FFAE92C0000-0x00007FFAE9D81000-memory.dmp
    Filesize
    10.8MB
  • memory/4616-2-0x00007FFAE92C0000-0x00007FFAE9D81000-memory.dmp
    Filesize
    10.8MB
  • memory/4616-1-0x00000000002F0000-0x00000000004DE000-memory.dmp
    Filesize
    1.9MB
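
Two things in the Downloads list deserve a second look before the hashes go into a blocklist: C:\Users\Default\lsass.exe carries exactly the MD5, SHA1, SHA256 and SHA512 of the submitted sample, so it is a byte-identical copy planted under a system-process name in the Default profile, and the five .bat files have random ten-character names and distinct hashes (four of 221 bytes, the ping variant 173 bytes), so their names and hashes are per-run noise rather than indicators. The block below is an added example, not code from the tria.ge report: it transcribes the file entries from this page, sorts them into self-copy, relaunch script and .NET usage log, checks that a self-copy agrees with the sample on every listed hash, and keeps only the stable paths and hashes as hunt indicators. The category names, the size parser and the random-name heuristic are assumptions made for the illustration.

```python
"""Classify the dropped files listed above (added example, not report code)."""
import re
from collections import namedtuple

Drop = namedtuple("Drop", "path size md5 sha256")

# Hashes of the submitted sample, from the General section of the report.
SAMPLE_SHA256 = "6c23d186a8ad288a8d3bedb26ac3351d4dd8350b84acbaa163afd30d561dc220"
SAMPLE_MD5 = "1e4ab972a4f5977387011437c4dbe618"

# Transcribed from the Downloads section (memory dumps omitted).
DROPS = [
    Drop(r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log",
         "1KB", "72a4a3e4a8aa2ad5e3530c6316af57f4",
         "33d4d20cd8d41637725c42083a684731c340cd4166bb5872d1335f8a3408f829"),
    Drop(r"C:\Users\Admin\AppData\Local\Temp\5tk1CddJ7G.bat", "173B",
         "2e0c1b69ead1fdade2bf47a34e21ee6c",
         "fa9a3c534aa2e8fee77d053bf3530549aaad6b03a0690a28f63c822d94e3f9cc"),
    Drop(r"C:\Users\Admin\AppData\Local\Temp\6Y7WGTL1T5.bat", "221B",
         "62c9c852e704fe487a2b4006ac74a708",
         "9d7be3d82efb8c5f3089cd47b751e36dc5563af6e3b9773286b3f71adfcb42ca"),
    Drop(r"C:\Users\Admin\AppData\Local\Temp\KvMN3vAFGm.bat", "221B",
         "4254ce9ea288239e5261912e2d24332e",
         "58df3132d02c5bba225dc41f3df4ab50a5764436604f9378b3d64bb95a37d659"),
    Drop(r"C:\Users\Admin\AppData\Local\Temp\Z63w1kYtFS.bat", "221B",
         "fcc0c3c18256ee6b9e914f560ebfe774",
         "1c51b579842589a111cff4f34d70362dc99296448f3a16d21371b1b3d44c5172"),
    Drop(r"C:\Users\Admin\AppData\Local\Temp\yvi2BLkcFq.bat", "221B",
         "05df9e266b0a86b2e722ca6159895f4d",
         "79fe8785ca557536797903488078c22941fff91937026777578ac39102a4ba26"),
    Drop(r"C:\Users\Default\lsass.exe", "1.9MB",
         "1e4ab972a4f5977387011437c4dbe618",
         "6c23d186a8ad288a8d3bedb26ac3351d4dd8350b84acbaa163afd30d561dc220"),
]

_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text):
    """'221B' -> 221, '1.9MB' -> 1992294. Assumes the report's KB/MB are
    binary multiples; rounded values make the result approximate."""
    m = re.fullmatch(r"\s*([\d.]+)\s*([KMG]?B)\s*", text.upper())
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(float(m.group(1)) * _UNITS[m.group(2)])


# Per-run random script names of the kind seen in the tree (assumption).
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{10}\.bat$")


def classify(drop):
    """self_copy / relaunch_script / dotnet_usage_log / other."""
    low = drop.path.lower()
    name = low.rsplit("\\", 1)[-1]
    if drop.sha256 == SAMPLE_SHA256:
        return "self_copy"
    if name.endswith(".bat"):
        return "relaunch_script"
    if "\\clr_v4.0\\usagelogs\\" in low and name.endswith(".log"):
        return "dotnet_usage_log"
    return "other"


def self_copies_consistent(drops):
    """A self_copy must match the sample on every hash the report lists,
    not only SHA256; a mismatch means a transcription error in the
    indicator set and should block publishing it."""
    return all(d.md5 == SAMPLE_MD5 for d in drops if classify(d) == "self_copy")


def script_size_groups(drops):
    """Relaunch scripts grouped by byte size: equal sizes with different
    hashes point to a fixed template with per-run variable content."""
    groups = {}
    for d in drops:
        if classify(d) == "relaunch_script":
            groups.setdefault(parse_size(d.size), []).append(d.path.rsplit("\\", 1)[-1])
    return groups


def hunt_indicators(drops):
    """Keep only what is worth hunting for elsewhere: stable (non-random)
    paths and the SHA256 of any executable copy of the sample."""
    paths, hashes = [], set()
    for d in drops:
        if classify(d) == "self_copy":
            hashes.add(d.sha256)
        if not RANDOM_NAME.match(d.path.rsplit("\\", 1)[-1]):
            paths.append(d.path)
    return {"paths": paths, "sha256": sorted(hashes)}


if __name__ == "__main__":
    print("consistent:", self_copies_consistent(DROPS))
    print("script sizes:", script_size_groups(DROPS))
    print("hunt:", hunt_indicators(DROPS))
```

The fontdrvhost.exe.log entry under CLR_v4.0\UsageLogs is the .NET runtime's usage log for the dropped copy, which is consistent with the ".NET Reactor" packer signature above and gives a second host artefact to hunt for beside the lsass.exe copy.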