Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
50s -
max time network
57s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
23/07/2024, 15:20
General
-
Target
NursultanNextgen2024/start2.exe
-
Size
2.1MB
-
MD5
348b560da17e0e6c18041dcfa9a0d6f5
-
SHA1
baf2cf3e5ab0b0ec56dcc99cdffb2a3f8cb46416
-
SHA256
d268c873f10effb233f91d4f27c324c3d2a7431731fde4186ee440e12e4d4583
-
SHA512
cd9e7d4b8b42a59e7cf1a3f75e38a415d5c51b255cfa954abe39d900f4bb295db7cd4037c0376d829c704d7f8272d4efc33fb6bbdc1b4265f1b6288370419aaf
-
SSDEEP
49152:lIEFyUT+YTWC+m2s2qGYDJLNVk7evxE09WRQ9LX5E:LFyUT+2DmsnDPSavWpRQBX5E
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 26 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start2.exe"C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.bat"C:\Users\Admin\AppData\Local\Temp\svchost.bat"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.bat'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.bat'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp.com 4373⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp3⤵
-
-
C:\Windows\system32\find.exefInd3⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I set "C:\Users\Admin\AppData\Local\Temp\start.bat"3⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I goto "C:\Users\Admin\AppData\Local\Temp\start.bat"3⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I echo "C:\Users\Admin\AppData\Local\Temp\start.bat"3⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I pause "C:\Users\Admin\AppData\Local\Temp\start.bat"3⤵
-
-
C:\Windows\system32\find.exefind3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp3⤵
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
1Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
Filesize
18KB
MD578cf0986382cd6b839197434c9ab63a1
SHA162c2270c8aaa7da262e30c66bed86a72b8cefc90
SHA2568be78f0117e7ff4633cb700360b571e7264bf8cc034725c4bed0ab1a5856aa9b
SHA512c585da518791d9fcf024d5df170c6e64afeb763eb242e7ba3ad0d5ffb4bda51afbb3450599c1d123eef0901fc8be55f16da4226cb25e456a49d3f26d045f3eec
-
Filesize
18KB
MD5142802e2eb1e85af96f14177a49fc6d0
SHA10935603bc57b0d3434de223a856111f23a320ea7
SHA256d1e9b7b495ddb29d5bb8331c0bc6a05eb0e5df32417acc96c2f6f916904025db
SHA5125c3e0fa10e563766bbb4cac68cb94c4a9da5a0b57b65fbdc842ad537e43cb7a169b84e44570cb4fbfeb05c65b0d1ac7f35a124a08f5f53f8f427cc0f6ae3e97d
-
Filesize
18KB
MD571eeb088d8147f511ce23a9bbef34425
SHA1f468760a4cd0e57eb1e8985d52f865ecc3f3377f
SHA2565a670dce43d947c803f23c9b3a002da68ebd22386202ee369fc24f82d67f4616
SHA512474e3890a60685c9dcd1caa0190c5c3bd20fcb80ed3f8fe7146a82b08fe7702ad2343ceefeca148b802040ba7de3c859f64dc115c5e01748b74249390384f1e5
-
Filesize
14B
MD5ce585c6ba32ac17652d2345118536f9c
SHA1be0e41b3690c42e4c0cdb53d53fc544fb46b758d
SHA256589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
SHA512d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
38KB
MD5a4ba8094457ec4795146ecedc1c20399
SHA1cee032a4697d2bcaf17e94fc33dbee590d11fe79
SHA25623a2398271cb74a935fb935e335ec0da31b5f04229bc6243bb4c703bd5b20118
SHA512d0fea3c59fc09f475255d8b62d69b727e18d13e2f6757faeb9f5dbd13ba13bf6d3cdb3cb56e291b6fe1300b1b6b0596cde091168873b56d7a816111dabc00e00
-
Filesize
2.1MB
MD58495fb5fd2ce97d4d1975725ff2ed0b3
SHA1a0f38b05a0736c8b2238690a3f03d5a44cf52a21
SHA256f74517ee1c0d1e51240ed8627f97b7cf7d0c333bcf208097b4a9a281e8d1e274
SHA51270a79f814614effea34a5f447bb452d83e1a1e67d81c69265be8997ab359ad7a0163a9a62e9dec2854e7ee5e3a5c71fa9ab1f6c96e5c49e8996b85f2764f345a
-
Filesize
810B
MD5338b5280a519d84f11cc4edb723a2fcb
SHA14e1c1d49538f6085f5fd9710ef3570da11a6414f
SHA256e209537d2576aaf9edc8bfcb6473e59f3e2fc23882e197e69e1dd87a715b8e6d
SHA5126e7d19b49036da269b1f5d09f98e301e8baf5b90bc396e22441f3e50a069711c92721b31805e90ad17d7cd36697433c61f6e0a25f47d7de3d792b97b188db5dd
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
5.5MB
-
Filesize
408KB
-
Filesize
5.5MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.0MB
-
Filesize
624KB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
300KB
-
Filesize
112KB
-
Filesize
204KB
-
Filesize
660KB
-
Filesize
592KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
300KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
300KB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
2.2MB