Analysis

  • max time kernel: 148s
  • max time network: 155s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240704-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 07/07/2024, 21:13

General

  • Target: 2024-07-07_f1c1e048ddcea3a460990788d5e1af93_poet-rat_snatch.exe
  • Size: 5.8MB
  • MD5: f1c1e048ddcea3a460990788d5e1af93
  • SHA1: 277b9dda2ded97ff410eeb1dc6ec63d7b2d14d2e
  • SHA256: 84bee726416af4bc3cbcc47946057a1478849cd267245fa1117a9992d1fdd51d
  • SHA512: 1f040f887b29a22ef56e267a10c45c7acb15f52516a2bf67afdf76614ad1b65fe55c4c92c6b18f6542e62327294285efab42ab863ac9dd516eca5bac17a2aa91
  • SSDEEP: 49152:vzlnEcO3Cgrb/TbvO90d7HjmAFd4A64nsfJa/pJMBMvDF/4q4auspdkgKKhdvZfl:63CE/Xx4LKhdk3ESp

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Drops file in Program Files directory (1 IoCs)
  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store (2 TTPs, 8 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-07_f1c1e048ddcea3a460990788d5e1af93_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-07_f1c1e048ddcea3a460990788d5e1af93_poet-rat_snatch.exe"
    1⤵
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Windows\system32\schtasks.exe
      C:\Windows\system32\schtasks.exe /CREATE /XML C:\Users\Admin\AppData\Local\Temp\SLOVh /F /TN ChromeUpdateTaskMachinCore
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1836
    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
        "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        PID:4736

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
    Filesize: 5.8MB
    MD5: 89a302c9867a39dae9a29f069bb2e6de
    SHA1: 87f065394e197da2fb871b6304d4d6bd56c11d35
    SHA256: 8a9e0f5a9d68a7e5d97746faf28de0e388d0ccc4c02cb4d5506ef5fc98082a37
    SHA512: 31a15a87b160bc631ef9d84de16fcd7cc06c49a93ee584da608dab2d08aa5c16168a57b9e671d433b83e69fcbde24d0558d775541d39f29d2d2b5c7b36f48ca3

  • C:\Users\Admin\AppData\Local\Temp\SLOVh
    Filesize: 1KB
    MD5: 3e96df1364ca90fdcba79d7af087c1c8
    SHA1: 191e202b08bfee7196737ea7d4e3ddef80539c06
    SHA256: 6686a08bde9f38826c1c6698ee1b660f0ced0ef257087c0cc951570aff9a88ed
    SHA512: f4521813d33538a13f8f0ebde2da59ad6e2e93449f06af6713b8d5586dff660ac34d7e5bd09802b63636c0dbf791b8441785fefe90e92774fdd9346e9f1ff8e7