Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    45s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    30/05/2024, 00:06

General

  • Target

    RUN ME FIRST.exe

  • Size

    24.2MB

  • MD5

    101b0b9f74cdc6cdbd2570bfe92e302c

  • SHA1

    2e6bae42c2842b4f558bd68099479b929bb7d910

  • SHA256

    4dfe83c91124cd542f4222fe2c396cabeac617bb6f59bdcbdf89fd6f0df0a32f

  • SHA512

    ccf4fd7da2c3440f1bc7fcac67c8a12599eab8d5c015affdc2e439fa30f5c7868ef5f52ede058361faae37ccc4af2c17c0adf30b8e1f852bb7106d0ec7162506

  • SSDEEP

    786432:urp+Ty2SfUfnbu+zMFy/7zYgWXRLTArzttOaaFC:Sp+Ty2SfWnPzMFO7zYgWBLbFC

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 51 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 9 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RUN ME FIRST.exe
    "C:\Users\Admin\AppData\Local\Temp\RUN ME FIRST.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Windows\Temp\{49F2ABC4-385C-45A2-BED3-93A585156ED3}\.cr\RUN ME FIRST.exe
      "C:\Windows\Temp\{49F2ABC4-385C-45A2-BED3-93A585156ED3}\.cr\RUN ME FIRST.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\RUN ME FIRST.exe" -burn.filehandle.attached=536 -burn.filehandle.self=520
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Windows\Temp\{DCFA25CE-C8D0-43D3-A7B6-26CCA9DDFBA6}\.be\VC_redist.x64.exe
        "C:\Windows\Temp\{DCFA25CE-C8D0-43D3-A7B6-26CCA9DDFBA6}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{3C06B07D-0B27-4629-9D35-3A958111B95E} {EDB649A5-A828-427D-8327-7147A1A4148F} 1336
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4712
        • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
          "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={1de5e707-82da-4db6-b810-5d140cc4cbb3} -burn.filehandle.self=1016 -burn.embedded BurnPipe.{27CD5F28-ADF9-4AF9-A6E1-5A7B747FB7CD} {5D643F11-62E7-4031-B60C-3F6702F68C04} 4712
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2924
          • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
            "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={1de5e707-82da-4db6-b810-5d140cc4cbb3} -burn.filehandle.self=1016 -burn.embedded BurnPipe.{27CD5F28-ADF9-4AF9-A6E1-5A7B747FB7CD} {5D643F11-62E7-4031-B60C-3F6702F68C04} 4712
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:4216
            • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
              "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{272B0526-3F48-43F7-A2D8-6D9620FCC12A} {37A43A36-2375-4902-AB2A-F75784398AFE} 4216
              6⤵
              • Modifies registry class
              PID:2896
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4452
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
    PID:4524
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:860

Network

MITRE ATT&CK Enterprise v15

Downloads
