Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

PI_20052024.exe

windows7-x64

8

PI_20052024.exe

windows10-2004-x64

8

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    138s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/05/2024, 15:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PI_20052024.exe

  • Size

    568KB

  • MD5

    e4370a31c71c37bde2e16022fa0459c2

  • SHA1

    10890db50f2aac0931eec94f45e012944efed869

  • SHA256

    49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436

  • SHA512

    1454935b456d4fc26b978fb4a38ec34ba673ba27ccc23c9d73328441cbdfd78baade7173eefbd2d51ffa42cd8e20697521d0128f4f08b1800293c613ac60d5af

  • SSDEEP

    12288:mH7MMIqb9BaBUbdD4aPHb2XR+MAghog0RdBBplW8Lmy:+7a69BWUhD3Ha+MPCXtlW8Lmy

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PI_20052024.exe
    "C:\Users\Admin\AppData\Local\Temp\PI_20052024.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4552
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Gadgetries=Get-Content 'C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Kahlil\Sheriffess.Sal';$Underpricing=$Gadgetries.SubString(522,3);.$Underpricing($Gadgetries)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4536
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
          PID:4092
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 2744
          3⤵
          • Program crash
          PID:5088
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4536 -ip 4536
      1⤵
        PID:3676

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xlonlbaf.2qc.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsi40D3.tmp\nsDialogs.dll
        Filesize

        9KB

        MD5

        1c8b2b40c642e8b5a5b3ff102796fb37

        SHA1

        3245f55afac50f775eb53fd6d14abb7fe523393d

        SHA256

        8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c

        SHA512

        4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57

        Download Submit

      • C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Kahlil\Sheriffess.Sal
        Filesize

        50KB

        MD5

        197064b3c1ff1c585db3f2a0b7c2c44a

        SHA1

        f66e3acf12f2c5c120923519ec806c0eb3b40c6d

        SHA256

        c2a25450b4800c19f49a02faaf3d4d549c6ddef5c8632621fc69b3fe4c3efbd6

        SHA512

        4e17845a8a7dcd40e1aa929cd9ca9158b635aff3b2e188c28eb533c660eab6aef1ccd872c417c12b10127788e118ac17f5c6a2aad628a2de5596fe4cced58670

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\degum.lnk
        Filesize

        910B

        MD5

        3574320d2c35e9614bc32e0c491af8c0

        SHA1

        834c3686673ad12a1f5e0b3e0005adbecd8b53c8

        SHA256

        16dd6000b6073fa3eb28a7f180ee4dd9a2125555d9c27d8d0f83ebcba53325a6

        SHA512

        fc5600ff51a211e617fc530323a68b0cb5ac25a955fe45f427782cedea86d0d3169ee822fa6e8cc5c1c42a4c7b0aeb3f55f12fc2f624338139f2d02e235f9197

        Download Submit

      • memory/4536-59-0x0000000074100000-0x00000000748B0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4536-74-0x0000000006470000-0x00000000064BC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4536-58-0x00000000055B0000-0x0000000005BD8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4536-60-0x0000000005490000-0x00000000054B2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4536-61-0x0000000005D90000-0x0000000005DF6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4536-62-0x0000000005E00000-0x0000000005E66000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4536-56-0x0000000004E90000-0x0000000004EC6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4536-72-0x0000000005E70000-0x00000000061C4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4536-73-0x0000000006450000-0x000000000646E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4536-57-0x0000000074100000-0x00000000748B0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4536-75-0x0000000007430000-0x00000000074C6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4536-76-0x0000000006990000-0x00000000069AA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4536-77-0x00000000069E0000-0x0000000006A02000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4536-78-0x0000000007A80000-0x0000000008024000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4536-55-0x000000007410E000-0x000000007410F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4536-80-0x00000000086B0000-0x0000000008D2A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4536-82-0x0000000074100000-0x00000000748B0000-memory.dmp

        Filesize

        7.7MB

        Download