Analysis
max time kernel: 140s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/08/2024, 19:18
Static task: static1
Behavioral task: behavioral1
Sample: Setup.exe
Resource: win10v2004-20240802-en
General
Target: Setup.exe
Size: 2.7MB
MD5: 4fa48f55bd4f3d1863fc256ec996bb84
SHA1: 432f817fabf5a163a1a6b62d8d9f4865e13cf1eb
SHA256: 2a6e088f54dbad9851c9148c611f2e9629d45989f5660aec86d5ed8550f8d780
SHA512: 91ba5569a6d9fdb71658409cffab7df516795adf8717f327e9143aa2841566f3d68a6fd43cb711db471d5c4736458041e5b7ee2799d2f56f43a6a53a3fc49f4e
SSDEEP: 49152:IwREDKz+DoN3jfMCIR9JsdYL2W7vp4ecNGsG4HF1TOiQ+tJ3Num:IwRE+K8NrM1nJxLnLaecD39JL
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation  (Process: Setup.tmp)

Executes dropped EXE (3 IoCs)
  pid 1580  Setup.tmp
  pid 2580  Setup.tmp
  pid 2868  file.eml

Loads dropped DLL (2 IoCs)
  pid 1580  Setup.tmp
  pid 2580  Setup.tmp

Enumerates processes with tasklist (1 TTP, 6 IoCs)
  pid 3672  tasklist.exe
  pid 224   tasklist.exe
  pid 2004  tasklist.exe
  pid 2824  tasklist.exe
  pid 3692  tasklist.exe
  pid 872   tasklist.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: Setup.tmp)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: file.eml)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: Setup.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: Setup.tmp)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: Setup.exe)
NTFS ADS (1 IoC)
  File opened for modification: C:\Users\Admin\AppData\Local\altar\winmgmts:\root\cimv2  (Process: file.eml)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2868  file.eml  x4

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege  pid 224   tasklist.exe
  Token: SeDebugPrivilege  pid 2004  tasklist.exe
  Token: SeDebugPrivilege  pid 2824  tasklist.exe
  Token: SeDebugPrivilege  pid 3692  tasklist.exe
  Token: SeDebugPrivilege  pid 872   tasklist.exe
  Token: SeDebugPrivilege  pid 3672  tasklist.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2580  Setup.tmp

Suspicious use of WriteProcessMemory (48 IoCs)
  description                        pid   Process    procid_target  count
  PID 4824 wrote to memory of 1580   4824  Setup.exe  85             x3
  PID 1580 wrote to memory of 4532   1580  Setup.tmp  87             x3
  PID 4532 wrote to memory of 2580   4532  Setup.exe  88             x3
  PID 2580 wrote to memory of 4952   2580  Setup.tmp  89             x2
  PID 4952 wrote to memory of 224    4952  cmd.exe    91             x2
  PID 4952 wrote to memory of 1592   4952  cmd.exe    92             x2
  PID 2580 wrote to memory of 2932   2580  Setup.tmp  94             x2
  PID 2932 wrote to memory of 2004   2932  cmd.exe    96             x2
  PID 2932 wrote to memory of 1688   2932  cmd.exe    97             x2
  PID 2580 wrote to memory of 2664   2580  Setup.tmp  98             x2
  PID 2664 wrote to memory of 2824   2664  cmd.exe    100            x2
  PID 2664 wrote to memory of 1228   2664  cmd.exe    101            x2
  PID 2580 wrote to memory of 1716   2580  Setup.tmp  102            x2
  PID 1716 wrote to memory of 3692   1716  cmd.exe    104            x2
  PID 1716 wrote to memory of 4056   1716  cmd.exe    105            x2
  PID 2580 wrote to memory of 4436   2580  Setup.tmp  106            x2
  PID 4436 wrote to memory of 872    4436  cmd.exe    108            x2
  PID 4436 wrote to memory of 2456   4436  cmd.exe    109            x2
  PID 2580 wrote to memory of 4676   2580  Setup.tmp  110            x2
  PID 4676 wrote to memory of 3672   4676  cmd.exe    112            x2
  PID 4676 wrote to memory of 4976   4676  cmd.exe    113            x2
  PID 2580 wrote to memory of 2868   2580  Setup.tmp  114            x3
Processes
(process tree; the leading number is the depth in the tree)

1. C:\Users\Admin\AppData\Local\Temp\Setup.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
   PID: 4824
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\is-G5K55.tmp\Setup.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-G5K55.tmp\Setup.tmp" /SL5="$701D8,1926850,735744,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      PID: 1580
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Setup.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT /NORESTART
         PID: 4532
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\is-PF5EA.tmp\Setup.tmp
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-PF5EA.tmp\Setup.tmp" /SL5="$801D8,1926850,735744,C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT /NORESTART
            PID: 2580
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\system32\cmd.exe
               Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
               PID: 4952
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\system32\tasklist.exe
                  Command line: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
                  PID: 224
                  - Enumerates processes with tasklist
                  - Suspicious use of AdjustPrivilegeToken

               6. C:\Windows\system32\find.exe
                  Command line: find /I "wrsa.exe"
                  PID: 1592

            5. C:\Windows\system32\cmd.exe
               Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
               PID: 2932
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\system32\tasklist.exe
                  Command line: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                  PID: 2004
                  - Enumerates processes with tasklist
                  - Suspicious use of AdjustPrivilegeToken

               6. C:\Windows\system32\find.exe
                  Command line: find /I "opssvc.exe"
                  PID: 1688

            5. C:\Windows\system32\cmd.exe
               Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
               PID: 2664
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\system32\tasklist.exe
                  Command line: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                  PID: 2824
                  - Enumerates processes with tasklist
                  - Suspicious use of AdjustPrivilegeToken

               6. C:\Windows\system32\find.exe
                  Command line: find /I "avastui.exe"
                  PID: 1228

            5. C:\Windows\system32\cmd.exe
               Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
               PID: 1716
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\system32\tasklist.exe
                  Command line: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                  PID: 3692
                  - Enumerates processes with tasklist
                  - Suspicious use of AdjustPrivilegeToken

               6. C:\Windows\system32\find.exe
                  Command line: find /I "avgui.exe"
                  PID: 4056

            5. C:\Windows\system32\cmd.exe
               Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
               PID: 4436
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\system32\tasklist.exe
                  Command line: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                  PID: 872
                  - Enumerates processes with tasklist
                  - Suspicious use of AdjustPrivilegeToken

               6. C:\Windows\system32\find.exe
                  Command line: find /I "nswscsvc.exe"
                  PID: 2456

            5. C:\Windows\system32\cmd.exe
               Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
               PID: 4676
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\system32\tasklist.exe
                  Command line: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                  PID: 3672
                  - Enumerates processes with tasklist
                  - Suspicious use of AdjustPrivilegeToken

               6. C:\Windows\system32\find.exe
                  Command line: find /I "sophoshealth.exe"
                  PID: 4976

            5. C:\Users\Admin\AppData\Local\altar\file.eml
               Command line: "C:\Users\Admin\AppData\Local\altar\\file.eml" "C:\Users\Admin\AppData\Local\altar\\oviposition.a3x"
               PID: 2868
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - NTFS ADS
               - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads