Analysis
max time kernel
74s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted
11/07/2024, 19:35
Static task
static1
General
Target
Deushack.exe
Size
974KB
MD5
aa5c5e8b48622d3b6d80e94f54110e61
SHA1
7c1e0adac8a1dfe992793108d59814cd0b6aac8d
SHA256
8c7fd0a4bc551502bc5fde36c37617bbb4c6c6d1588e554f60de0ea281eae28d
SHA512
f6df3b8fe36d3974601e5b60ffd6980db743ecf7b5a2eb6ed00ad304846d527d3fd0e9e9b548378605cefa899ef9a917984d904c7a94bb0ec6e99859ee20cf59
SSDEEP
24576:TLc6V9iFn4GFME6gFBxVXuNqjBs3MBAj0TEjOF8/:TfycKVAqjBsMC
Malware Config
Signatures
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | Deushack.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | Deushack.exe

Executes dropped EXE 3 IoCs
pid | Process
3716 | hoamfssd.lcw.exe
2660 | er4vvd4o.gna.exe
5088 | er4vvd4o.gna.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 3716 set thread context of 3052 | 3716 | hoamfssd.lcw.exe | 92
PID 2660 set thread context of 2416 | 2660 | er4vvd4o.gna.exe | 108
PID 5088 set thread context of 1452 | 5088 | er4vvd4o.gna.exe | 112
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 2 IoCs
pid | pid_target | Process | procid_target
2212 | 1164 | WerFault.exe | 82
4076 | 1140 | WerFault.exe | 102

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid | Process
4480 | taskmgr.exe (7 identical entries)
3052 | RegAsm.exe
4480 | taskmgr.exe (21 identical entries)
2416 | RegAsm.exe
1452 | RegAsm.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1164 | Deushack.exe
Token: SeDebugPrivilege | 4480 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4480 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4480 | taskmgr.exe
Token: SeDebugPrivilege | 3052 | RegAsm.exe
Token: SeBackupPrivilege | 3052 | RegAsm.exe
Token: SeSecurityPrivilege | 3052 | RegAsm.exe (4 identical entries)
Token: 33 | 4480 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 4480 | taskmgr.exe
Token: SeDebugPrivilege | 1140 | Deushack.exe
Token: SeDebugPrivilege | 2416 | RegAsm.exe
Token: SeBackupPrivilege | 2416 | RegAsm.exe
Token: SeSecurityPrivilege | 2416 | RegAsm.exe (4 identical entries)
Token: SeDebugPrivilege | 1452 | RegAsm.exe
Token: SeBackupPrivilege | 1452 | RegAsm.exe
Token: SeSecurityPrivilege | 1452 | RegAsm.exe (4 identical entries)

Suspicious use of FindShellTrayWindow 53 IoCs
pid | Process
4480 | taskmgr.exe (53 identical entries)

Suspicious use of SendNotifyMessage 53 IoCs
pid | Process
4480 | taskmgr.exe (53 identical entries)

Suspicious use of WriteProcessMemory 30 IoCs
description | pid | Process | procid_target
PID 1164 wrote to memory of 3716 | 1164 | Deushack.exe | 87 (3 identical entries)
PID 3716 wrote to memory of 3052 | 3716 | hoamfssd.lcw.exe | 92 (8 identical entries)
PID 1140 wrote to memory of 2660 | 1140 | Deushack.exe | 104 (3 identical entries)
PID 2660 wrote to memory of 2416 | 2660 | er4vvd4o.gna.exe | 108 (8 identical entries)
PID 5088 wrote to memory of 1452 | 5088 | er4vvd4o.gna.exe | 112 (8 identical entries)
Processes
(indentation shows parent/child depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\Deushack.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Deushack.exe"
  PID:1164
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\hoamfssd.lcw.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\hoamfssd.lcw.exe"
      PID:3716
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          PID:3052
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 1756
      PID:2212
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1164 -ip 1164
  PID:3032

C:\Windows\system32\taskmgr.exe
  cmdline: "C:\Windows\system32\taskmgr.exe" /4
  PID:4480
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\taskmgr.exe
  cmdline: "C:\Windows\system32\taskmgr.exe" /4
  PID:2736

C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:1200

C:\Users\Admin\AppData\Local\Temp\Deushack.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Deushack.exe"
  PID:1140
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\er4vvd4o.gna.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\er4vvd4o.gna.exe"
      PID:2660
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          PID:2416
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 1772
      PID:4076
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1140 -ip 1140
  PID:3956

C:\Users\Admin\AppData\Local\Temp\er4vvd4o.gna.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\er4vvd4o.gna.exe"
  PID:5088
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID:1452
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
2KB
MD5
60ad21e008a8447fc1130a9c9c155148
SHA1
5dfa21d14dc33de3cc93a463688fe1d640b01730
SHA256
bb65e24fd8681e7af464e115fba42ff7713e933683cbd654a124c0e564530bb9
SHA512
42a2753f717a4984967907fa69200e8a464068a6d4a226803cf9503ffb7fee540ffc611b4c905cc84f3623639a6aa93003b390f9c38e601b59f171a9e90bd9b6

Filesize
574KB
MD5
dfce865a3bc516c59e31e794fa2ddaec
SHA1
0d60b4a07ec20277203425ad39415c652e16a80a
SHA256
44afe9f430fe26bcf070880af5ed7685d79eeee8dd84b6aa637a0211f3f855a7
SHA512
985ad4b2841ac605c53a98163c4a2005224f003fe6c4b5d853164c2896a79d7adcc6b4bb2d3c578c5bfc6cc3832308bccad741d5b78ae527e068f5f46e69f91c