Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

28/06/2024, 16:48

240628-vbh9ssxakg 8

28/06/2024, 16:39

240628-t58acawhkh 8

Analysis

  • max time kernel
    1797s
  • max time network
    1751s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/06/2024, 16:39

General

  • Target

    PsoBB.exe

  • Size

    6.7MB

  • MD5

    e89d53b6c79aca33973e2129586a2ae7

  • SHA1

    d345fe94c772d7ad6fb49f416ac6e081ede8a834

  • SHA256

    f4d4bd463c07fec2542452735deb5237641634100d9223d2d0f0ae4000315cc0

  • SHA512

    0f9d6ffff5d1077f703a50510373f7fbbe4270d29a3bd26824c6e8fab3929ad8b7d5508a8cafc283fbe83cc1b559a29571d2de2d383f52c09eed0b1b2543ca20

  • SSDEEP

    196608:UxzBce4N3RmOl7G9ETGD78QelnZmrlMcja333m333qet33333323333Uv:Uly3RmOl7G9ETGD78Qelnsla333m333z

Score
6/10

Malware Config

Signatures

  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PsoBB.exe
    "C:\Users\Admin\AppData\Local\Temp\PsoBB.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:3672
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2720
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    1⤵
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Modifies registry class
    PID:4916
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x45c 0x464
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3412

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\log\spec.log

    Filesize

    162B

    MD5

    8b291eb63fd28ad556d4d00c0bb8d586

    SHA1

    12e2fe44701329d83cb19d5438bab590dd409708

    SHA256

    953e4a450003d00f0fa5094e13c370f3e9f0862125040ab53dbe2cf17dd1bcde

    SHA512

    af1f1945f60406982197f316dcff546de5a4e942c376fce9a6740c9225070d47d6bc58247e0bd082a811cfce5ec72b7df122084c06d587c309ddea1e55ceb404

  • C:\Users\Admin\Videos\Captures\desktop.ini

    Filesize

    190B

    MD5

    b0d27eaec71f1cd73b015f5ceeb15f9d

    SHA1

    62264f8b5c2f5034a1e4143df6e8c787165fbc2f

    SHA256

    86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

    SHA512

    7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

  • memory/3672-0-0x0000000000400000-0x0000000000B62000-memory.dmp

    Filesize

    7.4MB

  • memory/3672-1-0x0000000000C90000-0x0000000000C91000-memory.dmp

    Filesize

    4KB

  • memory/3672-4-0x0000000073E19000-0x000000007461F000-memory.dmp

    Filesize

    8.0MB

  • memory/3672-2-0x0000000072740000-0x0000000074C5C000-memory.dmp

    Filesize

    37.1MB

  • memory/3672-5-0x0000000072740000-0x0000000074C5C000-memory.dmp

    Filesize

    37.1MB

  • memory/3672-42-0x0000000073E19000-0x000000007461F000-memory.dmp

    Filesize

    8.0MB

  • memory/3672-43-0x0000000072740000-0x0000000074C5C000-memory.dmp

    Filesize

    37.1MB

  • memory/3672-44-0x0000000000400000-0x0000000000B62000-memory.dmp

    Filesize

    7.4MB