Analysis
- max time kernel: 85s
- max time network: 146s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 11/08/2024, 12:43
Static task: static1
Behavioral task: behavioral1
- Sample: d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe
- Resource: win10v2004-20240802-en
General
- Target: d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe
- Size: 1021KB
- MD5: a63aa4427cbc2b463642def398f2d217
- SHA1: 49c3c7d4fea7f7abdf148e33b3470ce1bc23ecc5
- SHA256: d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48
- SHA512: 4fedbe899a27f0c9c34a8c4cced85c68148dab9b605e24787b4552429ab6d1091bc78f8599ca0ca43acd18c6d74fe94830ed4303f24bf9ffe99b0cf9fec6a198
- SSDEEP: 24576:rhEQaXb3UlbHCxOBHyP1OL7LDMf0f7GSbTmTMs1eC:u9TUBHCxOxyP03LDG0jGSmTnd
Malware Config
Extracted: lumma
Signatures

- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 3388 created 3400 | 3388 | Precisely.pif | 52

- Executes dropped EXE (2 IoCs)
  pid | Process
  3388 | Precisely.pif
  3736 | Precisely.pif

- Loads dropped DLL (1 IoC)
  pid | Process
  1120 | d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe

- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid | Process
  1424 | tasklist.exe
  2028 | tasklist.exe

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 3388 set thread context of 3736 | 3388 | Precisely.pif | 90

- Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\InternetBufing | d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe
  File opened for modification | C:\Windows\LlpThreats | d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe
  File opened for modification | C:\Windows\IpaqCalcium | d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe
  File opened for modification | C:\Windows\DistributionNj | d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe
  File opened for modification | C:\Windows\BrandonTherefore | d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Precisely.pif
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Precisely.pif
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  3388 | Precisely.pif
  3388 | Precisely.pif
  3388 | Precisely.pif
  3388 | Precisely.pif
  3388 | Precisely.pif
  3388 | Precisely.pif
  3388 | Precisely.pif
  3388 | Precisely.pif
  3388 | Precisely.pif
  3388 | Precisely.pif

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1424 | tasklist.exe
  Token: SeDebugPrivilege | 2028 | tasklist.exe

- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  3388 | Precisely.pif
  3388 | Precisely.pif
  3388 | Precisely.pif

- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  3388 | Precisely.pif
  3388 | Precisely.pif
  3388 | Precisely.pif

- Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target
  PID 1112 wrote to memory of 1424 | 1112 | cmd.exe | 80
  PID 1112 wrote to memory of 1424 | 1112 | cmd.exe | 80
  PID 1112 wrote to memory of 4664 | 1112 | cmd.exe | 81
  PID 1112 wrote to memory of 4664 | 1112 | cmd.exe | 81
  PID 1112 wrote to memory of 2028 | 1112 | cmd.exe | 83
  PID 1112 wrote to memory of 2028 | 1112 | cmd.exe | 83
  PID 1112 wrote to memory of 2080 | 1112 | cmd.exe | 84
  PID 1112 wrote to memory of 2080 | 1112 | cmd.exe | 84
  PID 1112 wrote to memory of 3224 | 1112 | cmd.exe | 85
  PID 1112 wrote to memory of 3224 | 1112 | cmd.exe | 85
  PID 1112 wrote to memory of 2696 | 1112 | cmd.exe | 86
  PID 1112 wrote to memory of 2696 | 1112 | cmd.exe | 86
  PID 1112 wrote to memory of 1196 | 1112 | cmd.exe | 87
  PID 1112 wrote to memory of 1196 | 1112 | cmd.exe | 87
  PID 1112 wrote to memory of 3388 | 1112 | cmd.exe | 88
  PID 1112 wrote to memory of 3388 | 1112 | cmd.exe | 88
  PID 1112 wrote to memory of 3388 | 1112 | cmd.exe | 88
  PID 1112 wrote to memory of 1968 | 1112 | cmd.exe | 89
  PID 1112 wrote to memory of 1968 | 1112 | cmd.exe | 89
  PID 3388 wrote to memory of 3736 | 3388 | Precisely.pif | 90
  PID 3388 wrote to memory of 3736 | 3388 | Precisely.pif | 90
  PID 3388 wrote to memory of 3736 | 3388 | Precisely.pif | 90
  PID 3388 wrote to memory of 3736 | 3388 | Precisely.pif | 90
  PID 3388 wrote to memory of 3736 | 3388 | Precisely.pif | 90
Processes

- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3400
  - C:\Users\Admin\AppData\Local\Temp\d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe"
    signatures: Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery
    PID: 1120
  - C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k move Themes Themes.cmd & Themes.cmd & exit
    signatures: Suspicious use of WriteProcessMemory
    PID: 1112
    - C:\Windows\system32\tasklist.exe
      command line: tasklist
      signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      PID: 1424
    - C:\Windows\system32\findstr.exe
      command line: findstr /I "wrsa.exe opssvc.exe"
      PID: 4664
    - C:\Windows\system32\tasklist.exe
      command line: tasklist
      signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      PID: 2028
    - C:\Windows\system32\findstr.exe
      command line: findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      PID: 2080
    - C:\Windows\system32\cmd.exe
      command line: cmd /c md 647551
      PID: 3224
    - C:\Windows\system32\findstr.exe
      command line: findstr /V "LatviaTicketClevelandPoet" Larger
      PID: 2696
    - C:\Windows\system32\cmd.exe
      command line: cmd /c copy /b Develop + Jeremy + Kazakhstan + Reviewed + Subtle + Expect 647551\h
      PID: 1196
    - C:\Users\Admin\AppData\Local\Temp\647551\Precisely.pif
      command line: Precisely.pif h
      signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      PID: 3388
    - C:\Windows\system32\choice.exe
      command line: choice /d y /t 5
      PID: 1968
  - C:\Users\Admin\AppData\Local\Temp\647551\Precisely.pif
    command line: C:\Users\Admin\AppData\Local\Temp\647551\Precisely.pif
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    PID: 3736
Network
MITRE ATT&CK Enterprise v15
Downloads