Analysis

  • max time kernel: 28s
  • max time network: 30s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240611-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20/06/2024, 17:25

General

  • Target: Goblin.exe
  • Size: 704KB
  • MD5: a0eecf9df2066fee2a579a4722cb0aba
  • SHA1: 8955ef7bc4bfebd994ec4aaba4fc2d4ae4cdd8aa
  • SHA256: ca976293e8f616b417dbaaf62831cfb8ea41b0ba25ef652c1696b164231e8b0b
  • SHA512: 4ba533085798a01966efbcb8f158d01526ac1da75bd0c41facbc889c97cf9d819fd6e09100689d8fbceb9073f5af8e2a423e45a563f9ca36aace79a5b8c34275
  • SSDEEP: 12288:TuWtlv0SfIHNjodPGcfjsP1L28DZbM0SeYe738+BC8:TugV0+IFo17sP1L9VbIfe73pC8

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Goblin.exe
    "C:\Users\Admin\AppData\Local\Temp\Goblin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Goblin.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Goblin.exe" MD5
        3⤵
        PID:1924
      • C:\Windows\system32\find.exe
        find /i /v "md5"
        3⤵
        PID:3500
      • C:\Windows\system32\find.exe
        find /i /v "certutil"
        3⤵
        PID:4764
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:1820
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4896
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4404

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json
    Filesize: 63KB
    MD5: e516a60bc980095e8d156b1a99ab5eee
    SHA1: 238e243ffc12d4e012fd020c9822703109b987f6
    SHA256: 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
    SHA512: 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E9YVC3IR\update100[1].xml
    Filesize: 726B
    MD5: 53244e542ddf6d280a2b03e28f0646b7
    SHA1: d9925f810a95880c92974549deead18d56f19c37
    SHA256: 36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d
    SHA512: 4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62