Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    135s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/07/2024, 09:29

General

  • Target

    GST_Audit_Report.exe

  • Size

    1.5MB

  • MD5

    fe310cb94fd6877918c0323c54a29556

  • SHA1

    26d7d7de3b3c7098e2fc52158610227823b6c227

  • SHA256

    40962b2a411a9dbdb9b288fa1430f912006d66134992c0349c6b566d23681bde

  • SHA512

    332bb2726f6bd9daf0604a721ee8f563baf3c8ac892b84a0c6dfc357727ae62153e31f7b7175f246294183d2c65cf51f3def77672b8787272048fbdf36ff3bfe

  • SSDEEP

    24576:P4lavt0LkLL9IMixoEgeaMkIy8OzcQRXorWDbz4q9MmCS:Kkwkn9IMHeaMk+OSWEaPCS

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GST_Audit_Report.exe
    "C:\Users\Admin\AppData\Local\Temp\GST_Audit_Report.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:4548
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn TRIPRU.exe /tr C:\Users\Admin\AppData\Roaming\Windata\XUQNVR.exe /sc minute /mo 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn TRIPRU.exe /tr C:\Users\Admin\AppData\Roaming\Windata\XUQNVR.exe /sc minute /mo 1
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1640
  • C:\Users\Admin\AppData\Roaming\Windata\XUQNVR.exe
    C:\Users\Admin\AppData\Roaming\Windata\XUQNVR.exe
    1⤵
    • Executes dropped EXE
    PID:3300
  • C:\Users\Admin\AppData\Roaming\Windata\XUQNVR.exe
    C:\Users\Admin\AppData\Roaming\Windata\XUQNVR.exe
    1⤵
    • Executes dropped EXE
    PID:3180

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Windata\XUQNVR.exe

    Filesize

    1.5MB

    MD5

    fe310cb94fd6877918c0323c54a29556

    SHA1

    26d7d7de3b3c7098e2fc52158610227823b6c227

    SHA256

    40962b2a411a9dbdb9b288fa1430f912006d66134992c0349c6b566d23681bde

    SHA512

    332bb2726f6bd9daf0604a721ee8f563baf3c8ac892b84a0c6dfc357727ae62153e31f7b7175f246294183d2c65cf51f3def77672b8787272048fbdf36ff3bfe