Analysis

  • max time kernel
    65s
  • max time network
    53s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/06/2024, 08:01

General

  • Target

    FRST64.exe

  • Size

    2.3MB

  • MD5

    42f626b952be10e6f0826631431fc2dd

  • SHA1

    c0f1ba2f53ea222581be47b6a1ca3f2efe9e7507

  • SHA256

    741fc8882114d576c049e5a0e830282ae99b39df35cb5a090bf0e8f4b5ddb353

  • SHA512

    9571e11f179b928ea41c7c24512ae6536154dca42eb32d658ae55a0a49956b42933f23c0860f9f58cd1e57f08421becbd8d6107b9afd55da41b3c80e20a640df

  • SSDEEP

    49152:o2EYTb8atv1orq+pEiSDTj1VyvBaj3jnE/ImdPFRgiYhFE94Ik0ZD5FJ9X+:tXbIrqtnDmdPFRTY73IRZD5FLX

Score
7/10

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Modifies boot configuration data using bcdedit 1 IoCs

    In this run the only bcdedit invocation is bcdedit /export C:\FRST\Hives\BCD, which writes a copy of the BCD store to a file rather than changing it; the signature fires on any bcdedit use.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 22 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 64 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\FRST64.exe
    "C:\Users\Admin\AppData\Local\Temp\FRST64.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /u /c echo 2
      2⤵
      PID:216
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\system32\bcdedit.exe
        C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
        3⤵
        • Modifies boot configuration data using bcdedit
        • Suspicious use of AdjustPrivilegeToken
        PID:2740
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SOFTWARE
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\system32\reg.exe
        reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SOFTWARE
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3532
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SYSTEM
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4644
      • C:\Windows\system32\reg.exe
        reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SYSTEM
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2016
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SAM
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\system32\reg.exe
        reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SAM
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2544
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\DEFAULT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4004
      • C:\Windows\system32\reg.exe
        reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\DEFAULT
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4260
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SECURITY
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\system32\reg.exe
        reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SECURITY
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3464
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\COMPONENTS
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\system32\reg.exe
        reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\COMPONENTS
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1404
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\NTUSER.DAT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3536
      • C:\Windows\system32\reg.exe
        reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\NTUSER.DAT
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1592
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\UsrClass.dat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Windows\system32\reg.exe
        reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\UsrClass.dat
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3128
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FRST\u1Mk1Tn3At0\NTUSER.DAT

    Filesize

    2.0MB

    MD5

    04aabf833b396be894992874fcd3f792

    SHA1

    3b07209b1ff5bfa57d1470e90f4b7b731c5eef44

    SHA256

    44dfa555a362250d940b5772ecf09194d3315757b7574c387822fd9c0fc8544b

    SHA512

    0d906c0396afeb11863cd22c7dca8532e2c6a1c4462e24862da51a5a1d6d84eae92fd146a336eb107ecbde9315ad5c59993695f8c2cfa4952f72701589d889d6

  • C:\FRST\u1Mk1Tn3At0\UsrClass.dat

    Filesize

    4.0MB

    MD5

    d7ac57df88bc9c42b6e5decaf213021d

    SHA1

    9e1431be1ea30107d8bf7097a9bbd1639fadf194

    SHA256

    d8c940a916764351b2ef18906bb680081ea002ddad2a3c635fe89df607081974

    SHA512

    0676175ac266487533e18b715ea812e8f93eaaca3b3e5840180a3fef66b36dc8cfd0ff47686d43e79d0bfcf8d1ad32054aae7390964e2147de519d4bef20e141