Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/08/2024, 19:18

General

  • Target

    Setup.exe

  • Size

    2.7MB

  • MD5

    4fa48f55bd4f3d1863fc256ec996bb84

  • SHA1

    432f817fabf5a163a1a6b62d8d9f4865e13cf1eb

  • SHA256

    2a6e088f54dbad9851c9148c611f2e9629d45989f5660aec86d5ed8550f8d780

  • SHA512

    91ba5569a6d9fdb71658409cffab7df516795adf8717f327e9143aa2841566f3d68a6fd43cb711db471d5c4736458041e5b7ee2799d2f56f43a6a53a3fc49f4e

  • SSDEEP

    49152:IwREDKz+DoN3jfMCIR9JsdYL2W7vp4ecNGsG4HF1TOiQ+tJ3Num:IwRE+K8NrM1nJxLnLaecD39JL

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Users\Admin\AppData\Local\Temp\is-G5K55.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-G5K55.tmp\Setup.tmp" /SL5="$701D8,1926850,735744,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1580
      • C:\Users\Admin\AppData\Local\Temp\Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT /NORESTART
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Users\Admin\AppData\Local\Temp\is-PF5EA.tmp\Setup.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-PF5EA.tmp\Setup.tmp" /SL5="$801D8,1926850,735744,C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT /NORESTART
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2580
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4952
            • C:\Windows\system32\tasklist.exe
              tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:224
            • C:\Windows\system32\find.exe
              find /I "wrsa.exe"
              6⤵
                PID:1592
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2932
              • C:\Windows\system32\tasklist.exe
                tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:2004
              • C:\Windows\system32\find.exe
                find /I "opssvc.exe"
                6⤵
                  PID:1688
              • C:\Windows\system32\cmd.exe
                "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2664
                • C:\Windows\system32\tasklist.exe
                  tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                  6⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2824
                • C:\Windows\system32\find.exe
                  find /I "avastui.exe"
                  6⤵
                    PID:1228
                • C:\Windows\system32\cmd.exe
                  "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1716
                  • C:\Windows\system32\tasklist.exe
                    tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                    6⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3692
                  • C:\Windows\system32\find.exe
                    find /I "avgui.exe"
                    6⤵
                      PID:4056
                  • C:\Windows\system32\cmd.exe
                    "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4436
                    • C:\Windows\system32\tasklist.exe
                      tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                      6⤵
                      • Enumerates processes with tasklist
                      • Suspicious use of AdjustPrivilegeToken
                      PID:872
                    • C:\Windows\system32\find.exe
                      find /I "nswscsvc.exe"
                      6⤵
                        PID:2456
                    • C:\Windows\system32\cmd.exe
                      "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4676
                      • C:\Windows\system32\tasklist.exe
                        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                        6⤵
                        • Enumerates processes with tasklist
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3672
                      • C:\Windows\system32\find.exe
                        find /I "sophoshealth.exe"
                        6⤵
                          PID:4976
                      • C:\Users\Admin\AppData\Local\altar\file.eml
                        "C:\Users\Admin\AppData\Local\altar\\file.eml" "C:\Users\Admin\AppData\Local\altar\\oviposition.a3x"
                        5⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • NTFS ADS
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2868

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\is-29S2J.tmp\_isetup\_iscrypt.dll

                Filesize

                17KB

                MD5

                a667863e0c377ab1cb7c59af23ae3d08

                SHA1

                8b88befd470bd9c81968268b6c115106b7600bf2

                SHA256

                7f8808fb9431d7208b3e99094a9b20ccdd5b9ca49df958d07d7f6cabf3e21842

                SHA512

                062ddda8bd058a2f7cfbb33c90bdec9891ad50ba3fbb34fb71951190c3ae0b87bc0ae83584717e3cfb2e5716e5bd8eb60b5de47d149a1137ce475d0eee4b9041

              • C:\Users\Admin\AppData\Local\Temp\is-G5K55.tmp\Setup.tmp

                Filesize

                2.9MB

                MD5

                e24bd9240e36e3bbbcea12724312e906

                SHA1

                a8833cec7f5970bcb764208e1c4f796b470e2c28

                SHA256

                3ed060f37e416e0e1eec2e543789464444873674e3fea897ae3e96f06eba1882

                SHA512

                949c16e1dca374be474434295f87f306fe704596dada7c9690c143504c973a5899d5f3ccc33f6438a49147c9c91fba32f2ba8a3a2fade865d8fd45efddefc03d

              • C:\Users\Admin\AppData\Local\altar\file.eml

                Filesize

                921KB

                MD5

                3f58a517f1f4796225137e7659ad2adb

                SHA1

                e264ba0e9987b0ad0812e5dd4dd3075531cfe269

                SHA256

                1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

                SHA512

                acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

              • C:\Users\Admin\AppData\Local\altar\oviposition.a3x

                Filesize

                321KB

                MD5

                b4df5bf2538ca5881feffe7446db48df

                SHA1

                dfccce9f435b257a941b4da2d0a5d6743a5602ee

                SHA256

                c0e5948b525186302bac7a0b5e4d182ce600d43dde2fbd9818990bc1eaeae66f

                SHA512

                8a16cf8945f27164c1a7a924e4fe4aade4eb40f3668de9ff33315a5043a6c5f157d9ff3cb20f8ca21fd3ff258dd03eff65cf35d350f78c27b82dd776e2cbe40f

              • memory/1580-6-0x0000000000400000-0x00000000006F5000-memory.dmp

                Filesize

                3.0MB

              • memory/1580-16-0x0000000000400000-0x00000000006F5000-memory.dmp

                Filesize

                3.0MB

              • memory/2580-36-0x0000000000400000-0x00000000006F5000-memory.dmp

                Filesize

                3.0MB

              • memory/4532-15-0x0000000000400000-0x00000000004C2000-memory.dmp

                Filesize

                776KB

              • memory/4532-13-0x0000000000400000-0x00000000004C2000-memory.dmp

                Filesize

                776KB

              • memory/4532-39-0x0000000000400000-0x00000000004C2000-memory.dmp

                Filesize

                776KB

              • memory/4824-18-0x0000000000400000-0x00000000004C2000-memory.dmp

                Filesize

                776KB

              • memory/4824-1-0x0000000000400000-0x00000000004C2000-memory.dmp

                Filesize

                776KB

              • memory/4824-2-0x0000000000401000-0x00000000004A9000-memory.dmp

                Filesize

                672KB