Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/06/2024, 01:20

General

  • Target

    02361cd60f5298950adc950dff1a91b4.exe

  • Size

    498KB

  • MD5

    02361cd60f5298950adc950dff1a91b4

  • SHA1

    dc56996cea0a4599f376111267f3b688f1e30362

  • SHA256

    2426ae0a0e63fa1102ab84b0fa0ccb98c15546c6778512608c8e0ce06c73b71a

  • SHA512

    563ec30e190ad988402128583cb2d642e0440e89eb286d44e62fb2a93d77a2c3430900515ff0fd0c2d007cc510dd10d3e933bbd7cc8141823abe39e58c62d88e

  • SSDEEP

    12288:V+XGr3PS5oHUeJjF1dBzk27QRQ62e2p2iR9sadpHr1+XLiZ9g:l/HUUb7AQPRiCp

Score
9/10

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 3 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 3 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\02361cd60f5298950adc950dff1a91b4.exe
    "C:\Users\Admin\AppData\Local\Temp\02361cd60f5298950adc950dff1a91b4.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Users\Admin\AppData\Local\Temp\ChaosNukerV1.exe
      "C:\Users\Admin\AppData\Local\Temp\ChaosNukerV1.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:516
    • C:\Users\Admin\AppData\Local\Temp\TaskSTR.exe
      "C:\Users\Admin\AppData\Local\Temp\TaskSTR.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Maps connected drives based on registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4560
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Service" /tr "C:\ProgramData\Service.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2492
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4088
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4004
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3772
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4272 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2040
    • C:\ProgramData\Service.exe
      C:\ProgramData\Service.exe
      1⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Suspicious use of AdjustPrivilegeToken
      PID:3080
    • C:\ProgramData\Service.exe
      C:\ProgramData\Service.exe
      1⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Suspicious use of AdjustPrivilegeToken
      PID:2356

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Service.exe.log

      Filesize

      871B

      MD5

      386677f585908a33791517dfc2317f88

      SHA1

      2e6853b4560a9ac8a74cdd5c3124a777bc0d874e

      SHA256

      7caf8779608c167ab6fa570df00c973aff6dee850bb63439770889a68c7cdae0

      SHA512

      876d2269e25a4b2754bdf2c7e3c410050f885d7e6bd8abce41c5fc74ae1f8c549b2266dd1588c750f614063f36c8a8e5008cea610505897d04e4ef5c3adc52d9

    • C:\Users\Admin\AppData\Local\Temp\ChaosNukerV1.exe

      Filesize

      14KB

      MD5

      3a64e5539d5946623ac7da9c4f4e08e7

      SHA1

      513d8bc28743734af9ea9172b7640e6390e68b54

      SHA256

      398b2fd80e4455e3e6d857543e1bc3499db3c96dffd1e0cb2faa0f9648444859

      SHA512

      8af1c81ad7523270598cf9bf07e8036e5c7e939d24178c5a852b792b3148cd6d6c764e47add3760ba008cc55396e55259a0d7005d27e5bd099ae44892f4240f0

    • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

      Filesize

      685KB

      MD5

      081d9558bbb7adce142da153b2d5577a

      SHA1

      7d0ad03fbda1c24f883116b940717e596073ae96

      SHA256

      b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

      SHA512

      2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

    • C:\Users\Admin\AppData\Local\Temp\TaskSTR.exe

      Filesize

      153KB

      MD5

      e4bbd1935c65a610e0089a68becd2127

      SHA1

      03ae50ba32bf10990b290c65fd69ca4d69fe0412

      SHA256

      0be4845dad077a22d1b4d950de7c563163cb2f8775417e48a7e4af9c6a39e4b4

      SHA512

      e00b90294126342c69a8dd4ea6bc8bf4c845c4e9962f30742e67057698838a45c7f84c51221cc4d812066a333e6502f912f2f106b982c21bc61476603a82ffba

    • C:\Users\Admin\AppData\Local\Temp\Veylib.dll

      Filesize

      70KB

      MD5

      3552d418ce6394cdd9fc0fb06b883013

      SHA1

      52bbcb19cd100abbd261a4b4204dcec8c60e9646

      SHA256

      0a87fede388ea48d2f21452058a40982a46d1601f9f7c6b1080b983078a59742

      SHA512

      57d05e1f6c17efb54b5e5a8dc62b6a872b4fe7cb77c8f5f40a355a609b441cab615942961be006a7226486e41797669e309b34354d6d81d7a950a0459ab868ea

    • C:\Users\Admin\AppData\Local\Temp\lithiumcore.dll

      Filesize

      41KB

      MD5

      ff93596f8eb7ef75a0e94085c2422d20

      SHA1

      2de236113b35c78182df3a458e97ccf484c48e94

      SHA256

      7f9a09ba18809a01e3396e57caa7495c6f8c282403acb76fd9bfcef30f4651d3

      SHA512

      3417d8f28bdd220555d42ee588aefe8a0710a897ba4cee731c394335612b58ef015a466219818ae22cd48ab366e40fd89640a7ac230d3a020eea277d0bd046da

    • memory/516-62-0x00000000009B0000-0x00000000009BA000-memory.dmp

      Filesize

      40KB

    • memory/516-66-0x0000000002E60000-0x0000000002E78000-memory.dmp

      Filesize

      96KB

    • memory/516-67-0x0000000005380000-0x0000000005412000-memory.dmp

      Filesize

      584KB

    • memory/516-71-0x0000000005340000-0x0000000005350000-memory.dmp

      Filesize

      64KB

    • memory/3708-0-0x00007FF82DDE3000-0x00007FF82DDE5000-memory.dmp

      Filesize

      8KB

    • memory/3708-3-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp

      Filesize

      10.8MB

    • memory/3708-2-0x0000000002110000-0x000000000217E000-memory.dmp

      Filesize

      440KB

    • memory/3708-58-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp

      Filesize

      10.8MB

    • memory/3708-1-0x0000000000020000-0x00000000000A6000-memory.dmp

      Filesize

      536KB

    • memory/4560-57-0x0000000000180000-0x00000000001B0000-memory.dmp

      Filesize

      192KB

    • memory/4560-59-0x0000000002210000-0x0000000002216000-memory.dmp

      Filesize

      24KB