Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ORDEN DE C...�..exe

windows10-1703-x64

10

ORDEN DE C...�..exe

windows10-2004-x64

10

ORDEN DE C...�..exe

windows11-21h2-x64

10

Resubmissions

05/07/2024, 15:43

240705-s54fqatcng 10

05/07/2024, 12:00

240705-n6l6lszhng 10

Analysis

  • max time kernel
    297s
  • max time network
    295s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags

    arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    05/07/2024, 15:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDEN DE COMPRA URGENTE‮f؜d؜p؜..exe

  • Size

    2.4MB

  • MD5

    fea126096e142649211027c6edbb9832

  • SHA1

    e5e259235d3d77065918b3c4c369f9d74f1868d7

  • SHA256

    950a5c5455b3d7a4ee27ff5bc7cea2ade2d507770a3cc15106018bfedae9ca52

  • SHA512

    1f50c406c59fa74b95d97596a04b2cc132ede28bbe00c306aaa1bd3056942713f99aa5e5cf93022d652abb2fcacf7d6e24feec4e572a9aaff64368d1b0d28293

  • SSDEEP

    12288:SSR2wX/utnvc69mP51M1nkPpVys8b5V29HxJu5YF9Iv3dosUg7JZtY:SSHuRc69mP/M5kmL/aHxJZIv3W42

Score
10/10
evasionexecutionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Uses the VBS compiler for execution 1 TTPs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 5 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3336
    • C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA URGENTE‮f؜d؜p؜..exe
      "C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA URGENTE‮f؜d؜p؜..exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1424
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA URGENTE‮f؜d؜p؜..exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:396
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
        3⤵
          PID:1408
        • C:\Windows\regedit.exe
          "C:\Windows\regedit.exe"
          3⤵
          • Runs regedit.exe
          PID:796
        • C:\Windows\System32\svchost.exe
          "C:\Windows\System32\svchost.exe"
          3⤵
            PID:932
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            3⤵
              PID:3008
            • C:\Windows\System32\notepad.exe
              "C:\Windows\System32\notepad.exe"
              3⤵
                PID:4092
              • C:\Windows\System32\calc.exe
                "C:\Windows\System32\calc.exe"
                3⤵
                  PID:6140
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                  3⤵
                    PID:1492
                  • C:\Program Files (x86)\Windows Mail\wab.exe
                    "C:\Program Files (x86)\Windows Mail\wab.exe"
                    3⤵
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    PID:5624
                  • C:\Program Files (x86)\Windows Mail\wab.exe
                    "C:\Program Files (x86)\Windows Mail\wab.exe"
                    3⤵
                      PID:5652
                  • C:\Windows\SysWOW64\sc.exe
                    "C:\Windows\SysWOW64\sc.exe"
                    2⤵
                    • Adds policy Run key to start application
                    • Adds Run key to start application
                    • Suspicious use of SetThreadContext
                    • Launches sc.exe
                    • Modifies Internet Explorer settings
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of WriteProcessMemory
                    PID:2488
                    • C:\Program Files\Mozilla Firefox\Firefox.exe
                      "C:\Program Files\Mozilla Firefox\Firefox.exe"
                      3⤵
                        PID:6040

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hi5ezbah.w1j.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • memory/396-17-0x00007FFD86EB0000-0x00007FFD87972000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/396-20-0x00007FFD86EB0000-0x00007FFD87972000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/396-18-0x00007FFD86EB0000-0x00007FFD87972000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/396-16-0x0000017AE0C20000-0x0000017AE0C42000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/396-5-0x00007FFD86EB0000-0x00007FFD87972000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/396-6-0x00007FFD86EB0000-0x00007FFD87972000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/396-7-0x00007FFD86EB0000-0x00007FFD87972000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1424-22-0x00007FFD86EB0000-0x00007FFD87972000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1424-1-0x00007FFD86EB3000-0x00007FFD86EB5000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/1424-2-0x00007FFD86EB0000-0x00007FFD87972000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1424-0-0x00000217289D0000-0x0000021728A1C000-memory.dmp

                    Filesize

                    304KB

                    Download

                  • memory/1424-4-0x0000021743FE0000-0x000002174407A000-memory.dmp

                    Filesize

                    616KB

                    Download

                  • memory/1424-3-0x0000021743D70000-0x0000021743DBC000-memory.dmp

                    Filesize

                    304KB

                    Download

                  • memory/2488-27-0x0000000000B90000-0x0000000000BCF000-memory.dmp

                    Filesize

                    252KB

                    Download

                  • memory/2488-25-0x0000000000B90000-0x0000000000BCF000-memory.dmp

                    Filesize

                    252KB

                    Download

                  • memory/3336-28-0x0000000002BA0000-0x0000000002C86000-memory.dmp

                    Filesize

                    920KB

                    Download

                  • memory/5624-21-0x0000000000400000-0x0000000000442000-memory.dmp

                    Filesize

                    264KB

                    Download

                  • memory/5624-26-0x0000000000400000-0x0000000000442000-memory.dmp

                    Filesize

                    264KB

                    Download

                  • memory/5624-23-0x0000000000400000-0x0000000000442000-memory.dmp

                    Filesize

                    264KB

                    Download

                  • memory/5624-24-0x0000000000400000-0x0000000000442000-memory.dmp

                    Filesize

                    264KB

                    Download

                  • memory/6040-35-0x000001F0D0D40000-0x000001F0D0E28000-memory.dmp

                    Filesize

                    928KB

                    Download