
Resubmissions

02/08/2024, 15:39

240802-s3t49svclf 8

02/08/2024, 15:32

240802-syqlaazcmn 6

02/08/2024, 15:28

240802-swdhyavalh 8

02/08/2024, 15:24

240802-ss9rzathna 8

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/08/2024, 15:24

General

  • Target

    AndroidSideloader.exe

  • Size

    4.1MB

  • MD5

    b7fa8a83dd1c92d93679c58d06691369

  • SHA1

    0cff7bb71ff43ee92172f30566d8ee1b043129fc

  • SHA256

    6cf2bcdb1a463fc69eddb125eba8cc12854ee23effcd7c65b968667c668a7f0b

  • SHA512

    d74f8450f1fda260d0176ceba347bde6ad58b24a09eaac3cc921e20236a11707cab2f5eaee3bb10907c387d67efbcb66d823ae052b1317f3e953c4984a2b94b8

  • SSDEEP

    24576:JUjV//Ppn/JcDJ7bdukqjVnlqud+/2P+AXg:S5//Rn/QJ7bYkqXfd+/9AQ

Score
8/10

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 32 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AndroidSideloader.exe
    "C:\Users\Admin\AppData\Local\Temp\AndroidSideloader.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Users\Admin\AppData\Local\Temp\7z.exe
      "7z.exe" x "C:\Users\Admin\AppData\Local\Temp\dependencies.7z" -y -o"C:\RSL\platform-tools" -bsp1
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
    • C:\Users\Admin\AppData\Local\Temp\7z.exe
      "7z.exe" x "C:\Users\Admin\AppData\Local\Temp\rclone.zip" -y -o"C:\Users\Admin\AppData\Local\Temp" -bsp1
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4716
    • C:\RSL\platform-tools\adb.exe
      "C:\RSL\platform-tools\adb.exe" kill-server
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1400
    • C:\RSL\platform-tools\adb.exe
      "C:\RSL\platform-tools\adb.exe" start-server
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4748
      • C:\RSL\platform-tools\adb.exe
        adb -L tcp:5037 fork-server server --reply-fd 568
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4516
    • C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
      "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" listremotes --config vrp.download.config
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4724
    • C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
      "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" sync ":http:/meta.7z" "C:\Users\Admin\AppData\Local\Temp" --http-url https://theapp.vrrookie.xyz/ --tpslimit 1.0 --tpslimit-burst 3
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3452
    • C:\Users\Admin\AppData\Local\Temp\7z.exe
      "7z.exe" x "C:\Users\Admin\AppData\Local\Temp\meta.7z" -y -o"C:\Users\Admin\AppData\Local\Temp\meta" -p"gL59VfgPxoHR" -bsp1
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:640
    • C:\RSL\platform-tools\adb.exe
      "C:\RSL\platform-tools\adb.exe" devices
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1536
    • C:\RSL\platform-tools\adb.exe
      "C:\RSL\platform-tools\adb.exe" shell df
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2232
    • C:\RSL\platform-tools\adb.exe
      "C:\RSL\platform-tools\adb.exe" shell dumpsys battery
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4000
    • C:\RSL\platform-tools\adb.exe
      "C:\RSL\platform-tools\adb.exe" shell pm list packages -3
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:60
    • C:\RSL\platform-tools\adb.exe
      "C:\RSL\platform-tools\adb.exe" shell df
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4768
    • C:\Users\Admin\AppData\Local\Temp\AndroidSideloader.exe
      "C:\Users\Admin\AppData\Local\Temp\AndroidSideloader.exe" --offline
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\RSL\platform-tools\adb.exe
        "C:\RSL\platform-tools\adb.exe" kill-server
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3532
      • C:\RSL\platform-tools\adb.exe
        "C:\RSL\platform-tools\adb.exe" start-server
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1944
        • C:\RSL\platform-tools\adb.exe
          adb -L tcp:5037 fork-server server --reply-fd 568
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4472
      • C:\RSL\platform-tools\adb.exe
        "C:\RSL\platform-tools\adb.exe" devices
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2916
      • C:\RSL\platform-tools\adb.exe
        "C:\RSL\platform-tools\adb.exe" shell dumpsys battery
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1912
      • C:\RSL\platform-tools\adb.exe
        "C:\RSL\platform-tools\adb.exe" shell df
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2492
      • C:\RSL\platform-tools\adb.exe
        "C:\RSL\platform-tools\adb.exe" shell pm list packages -3
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2136
      • C:\RSL\platform-tools\adb.exe
        "C:\RSL\platform-tools\adb.exe" shell df
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3684

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\RSL\platform-tools\AdbWinApi.dll

    Filesize

    105KB

    MD5

    d79a7c0a425f768fc9f9bcf2aa144d8f

    SHA1

    3da9e4c4566bd6d4efeeaf7ceab9e9e83f2f67e5

    SHA256

    1ad523231de449af3ba0e8664d3af332f0c5cc4f09141691ca05e35368fa811a

    SHA512

    ff650b98ecc55df6c2cb1b22221b1e71d63c01324f8a8b0f05f1497f5416131f7c33ef2ea17ed323cb2bfdbe7ae1824474544434899d2cb89e9c8c00db7dbb15

  • C:\RSL\platform-tools\AdbWinUsbApi.dll

    Filesize

    71KB

    MD5

    e6e1716f53624aff7dbce5891334669a

    SHA1

    9c17f50ba4c8e5db9c1118d164995379f8d686fb

    SHA256

    51a61758a6f1f13dd36530199c0d65e227cd9d43765372b2942944cc3296ca2c

    SHA512

    c47392b6f7d701e78f78e0b0ddce5508ab8d247a4095391e77cd665e955f4938e412ffcb6076534dcad287af4f78d84668496935e71b9bb46a98401522815eb9

  • C:\RSL\platform-tools\adb.exe

    Filesize

    5.6MB

    MD5

    64daf7cca61d468d26a407d79a7c26a9

    SHA1

    51b451089e73c9a03e2f24ab2fc81896d48c6126

    SHA256

    997324a38d89e3b282306bf25ccaa167c49a35850ac0ab4a169e7a15afa82fc8

    SHA512

    5a7bd06326e8ee868a2e6c724bc74bd290acaa00f3442807d3f69489a374a13a3cb41fbaf929c79525bdac319bd9a64ecfaf3cbdb6585ae332a485e911d8370d

  • C:\Users\Admin\.android\adbkey

    Filesize

    1KB

    MD5

    b870ab02c3919abd25d4e7203150b9ec

    SHA1

    03f5f3d865250bbaf76eeb25d452179e6ee02a5a

    SHA256

    60a0d286dd86908d2ab8a0f94db0c59a35b9ae898912a1ae98be14fbf26eacc4

    SHA512

    0412e7c39a45e37e2862e0c26252f954a38f6ad08d123cd983f3c9073f7045d2e1a91671b5be830ab30e3bb41441f4765a5c84efd50ced7e1701e20c1ea3b0ce

  • C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\4np13xit.newcfg

    Filesize

    3KB

    MD5

    c3817bd4acff63f3a97de77660cd1dab

    SHA1

    781fb4f45d5d361dece182c94e0874bb155cb414

    SHA256

    4a804c4b35698c4db0b8ad0d4532334a5e44cc5a21447cbcd5f4eee00d819984

    SHA512

    fa01808b23564192dfdfd58f5c2d1b7e8915e8fafcda0fbb4cc93fc005d3bbcd23e1734cf37f90902c15d421418e1f1cd0ba1395370682521a55108598206f6c

  • C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\epipcgdi.newcfg

    Filesize

    2KB

    MD5

    c09f0e46e40224e0fe790e8ddd4149c9

    SHA1

    2043e947fda7139dc8d5fda304a440ac38504942

    SHA256

    1f1809fc242e93f6f5ec102bcb821e74f8f64f054a74c99ecd7705ade41ed9ba

    SHA512

    765cf206ffaefb2b0da3cb7cb30414e9a82975f62f899181e8cbf15149d947c5c5252d46b0c70f54e172241a5a5ba1f6db3e5245b06d9ef290a985ba3ff97188

  • C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\user.config

    Filesize

    838B

    MD5

    6dc22626c68e39d1f7a92bc247d064fa

    SHA1

    06d72094b8ccfb2cd09e3b04fa79cd2f4efbb40c

    SHA256

    5b1cfb327e8e4f605cdb650526ab442cc846ce97cfdc51d1da23dfecb3abdf60

    SHA512

    09858fce9752da51c915859873510c5f115b8d2b2ffa9b3bfe8bee20b804de1fe3ef8bbe5448b2374d6089af29e9d7914e0098df675e5eef240d4f1649a0db72

  • C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\user.config

    Filesize

    2KB

    MD5

    e75f6b57d6f1b508e97979281fe5add9

    SHA1

    346cf0575ddda0baa242f1c9703e8e2a1b6e808b

    SHA256

    e0ea81cfe7477fae9c60541c96397ddbbad7ac127bcc1537f8704931725410ee

    SHA512

    9caa1a75b6fe240df41b50448fe172c09b46630e43b791c4fb1708644f7f51c7d02d6808e96e436fb2b299b8c6f29cb9fb6e45000526084017551b318f1036d4

  • C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\user.config

    Filesize

    3KB

    MD5

    c48e9f18008eb9e5834857be1c510dea

    SHA1

    19a56888d1208c333de757eee5b40b93ddcf77f4

    SHA256

    bd89a4d0dfa4f752cdad26fb8ce9aca4daae24dccb827a2de10d80ceb2a19cb2

    SHA512

    bcfd7b43d23a5737999ad1ecc92babdd25f7536743b5e5d1d70519a8ad5b0740d2ada7fa7a452fa569fd80a9eb38e2e535a47f2f6d04701f1b93e93b949a8abc

  • C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\user.config

    Filesize

    2KB

    MD5

    78a7f11ab825926b2ccfe4fd1562a8ca

    SHA1

    4cd3a3d6a8f4e89d13407dbf59bd57b9f986259b

    SHA256

    a0a78da7205db1a0626dc1ceb3b16222dba5133fa38039f21c886590444e96a5

    SHA512

    8a24b9fef8e717f5a8edbde417fb16de4edc4cc0b91224508731fad04b4680113a070a22cfeecfd82c256992fade826bb68d461f8464f38b65d36282f0bca5ac

  • C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\user.config

    Filesize

    2KB

    MD5

    768068e348d644e863160f5f3e86f484

    SHA1

    6435e316b20709dabb5e10eab0aa01fb796080de

    SHA256

    58946cbd6f4ac989b6e3d131915d11a4c1ba9155b261098ae899bfdce23d9a72

    SHA512

    ad778d539c7c1108ef10d071b635ca2d25186ccd5c46f3c1d812bec9eca237fa98cbafea38bdf5ed7da0cef17144f5d7b3145cc225f4b4fb6f60f7133726756b

  • C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\wbukaz14.newcfg

    Filesize

    3KB

    MD5

    68ba60c5ca0b4a1c3d6b4a1e5ec97acf

    SHA1

    da191508a2e5de5392767b8dcfe691abd43c48b7

    SHA256

    39bd33434df7855ed25fdc25419912ff3e466cedaab02aba9578afdc0af09975

    SHA512

    7a2435ad34323039d3832d8d4b2a2d4838fedc80ab0a6a1cb1316200563b48d40ca0d05df4400fcd10fc9c85ea4512385f336b283f38fb91f83eaddb075a334b

  • C:\Users\Admin\AppData\Local\Temp\7z.exe

    Filesize

    1.2MB

    MD5

    1a7eaa1dab7867e15d7800ae0b5af5e3

    SHA1

    9e6d344bd8724aa1862f4254d8c42b7cc929a797

    SHA256

    356bea8b6e9eb84dfa0dd8674e7c03428c641a47789df605c5bea0730de4aed2

    SHA512

    a12373ec7ec4bac3421363f70cc593f4334b4bb5a5c917e050a45090220fab002c36ba8b03be81159fd70955b4680146c9469e44ddf75a901465d6b1231ee6cd

  • C:\Users\Admin\AppData\Local\Temp\adb.log

    Filesize

    1KB

    MD5

    f5796ec089d9d484260f8c000a63d85a

    SHA1

    26bb8313b851c2b33be6150b7ff9f3a969958cbe

    SHA256

    71fef2803b163b15e2d0ee28b964b683cf0f27c8e14fd1a8041562f75c9807f9

    SHA512

    1acf5a3c5591a39acd09e18aca5a82ab519bf772620b7db44d17af44189d8e654097cc2275befde8f32dda6dbbe6dacbfb1762bdf16693cf0843c5d89ad28544

  • C:\Users\Admin\AppData\Local\Temp\dependencies.7z

    Filesize

    5.5MB

    MD5

    54850eca0050c5468f712187828655ce

    SHA1

    30607a286efe050f9387f3127888b4073595d1a1

    SHA256

    06e1523a9cc9be6bd9d7a33c2720519d1a071747222f044bdf0c4d590a508575

    SHA512

    40d575da0d48f6b0ab7dbeabf68a4b40551157671e34f5669fe2627fe51d8f623e00adcff24df6abf9ea765dd02ffdcca2783b73f617ee0fb1fca1a88f0d4675

  • C:\Users\Admin\AppData\Local\Temp\rclone.zip

    Filesize

    20.1MB

    MD5

    10babe225d85f3da58ee8cc260b63793

    SHA1

    900da981ad757c5b8696b71475341c9228e84be9

    SHA256

    8e8bb13fb0d7beb316487ecde8ead5426784cdcdbf8b4d8dd381c6fe8c7d92a0

    SHA512

    d771c4631b607fc447be37d2ee266859dec4e09aa5544559edff2dea6d277ac9a28792ef1d12875c51b48773e155a983633b9f7ad59e14a36fb36de4d7fe9246

  • memory/4880-10-0x0000000005910000-0x000000000599E000-memory.dmp

    Filesize

    568KB

  • memory/4880-8-0x0000000005700000-0x000000000570C000-memory.dmp

    Filesize

    48KB

  • memory/4880-39-0x0000000074740000-0x0000000074EF0000-memory.dmp

    Filesize

    7.7MB

  • memory/4880-80-0x0000000074740000-0x0000000074EF0000-memory.dmp

    Filesize

    7.7MB

  • memory/4880-37-0x000000007474E000-0x000000007474F000-memory.dmp

    Filesize

    4KB

  • memory/4880-34-0x0000000074740000-0x0000000074EF0000-memory.dmp

    Filesize

    7.7MB

  • memory/4880-33-0x0000000074740000-0x0000000074EF0000-memory.dmp

    Filesize

    7.7MB

  • memory/4880-0-0x000000007474E000-0x000000007474F000-memory.dmp

    Filesize

    4KB

  • memory/4880-9-0x0000000005730000-0x000000000573E000-memory.dmp

    Filesize

    56KB

  • memory/4880-41-0x0000000074740000-0x0000000074EF0000-memory.dmp

    Filesize

    7.7MB

  • memory/4880-7-0x00000000056F0000-0x00000000056FA000-memory.dmp

    Filesize

    40KB

  • memory/4880-162-0x000000000A9E0000-0x000000000AA92000-memory.dmp

    Filesize

    712KB

  • memory/4880-165-0x0000000009090000-0x00000000090B2000-memory.dmp

    Filesize

    136KB

  • memory/4880-166-0x00000000140D0000-0x0000000014424000-memory.dmp

    Filesize

    3.3MB

  • memory/4880-6-0x0000000074740000-0x0000000074EF0000-memory.dmp

    Filesize

    7.7MB

  • memory/4880-3-0x0000000005640000-0x00000000056D2000-memory.dmp

    Filesize

    584KB

  • memory/4880-279-0x0000000074740000-0x0000000074EF0000-memory.dmp

    Filesize

    7.7MB

  • memory/4880-2-0x0000000005D00000-0x00000000062A4000-memory.dmp

    Filesize

    5.6MB

  • memory/4880-1-0x0000000000840000-0x0000000000C62000-memory.dmp

    Filesize

    4.1MB