Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

xd-AntiSpy_modern.zip

windows11-21h2-x64

1

Localizati...ry.dll

windows11-21h2-x64

1

Newtonsoft.Json.dll

windows11-21h2-x64

1

PluginInterface.dll

windows11-21h2-x64

1

lang.json

windows11-21h2-x64

3

plugins/Cl...e.json

windows11-21h2-x64

3

plugins/Fi...y.json

windows11-21h2-x64

3

plugins/Pl...er.dll

windows11-21h2-x64

1

plugins/Pl...er.ps1

windows11-21h2-x64

3

plugins/Pl...er.dll

windows11-21h2-x64

1

plugins/Pl...r.json

windows11-21h2-x64

3

plugins/Re...er.ps1

windows11-21h2-x64

8

plugins/Sn...t.json

windows11-21h2-x64

3

plugins/Un...ve.ps1

windows11-21h2-x64

8

plugins/Us...e.json

windows11-21h2-x64

3

plugins/Us...l.json

windows11-21h2-x64

3

xd-AntiSpy.exe

windows11-21h2-x64

xd-AntiSpy.png

windows11-21h2-x64

3

Analysis

  • max time kernel
    576s
  • max time network
    441s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12/08/2024, 07:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    plugins/Restart Explorer.ps1

  • Size

    497B

  • MD5

    2ebc3b277b6b0038b48f557507372a08

  • SHA1

    debaa00dbfa123ddf1d1d4d004250777f067d12b

  • SHA256

    ce31d19e4b3c0a707053dc081e109a465487f57b5180fb470be9ef75f391095d

  • SHA512

    45f79f41f42ad1901af650bdcb8237f494c8dda759efd21fe2f5d3591cd0b7e10e8f518c62c1b8b9dea4f1b4fc8907bc83446f53a1f72b1adce53f68709e2c5c

Score
8/10
executionpersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\plugins\Restart Explorer.ps1"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2644
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3380
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1152

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\VDS50TL2\www.bing[1].xml
    Filesize

    2KB

    MD5

    029dba0e43ed561a7829fdbbf88f9de4

    SHA1

    60f9f87827a9f3328a300b3db8b12cc6ad0e4026

    SHA256

    1f1369fedc5441359c719c35d18cb5f272a1fa3cdf3b5be65d5961a7d14d4f0d

    SHA512

    881e070bb5984f613fed0a432dfe366f08ec58fbea034b7c6c10867de63de14edf7ba07c14f116fac9faa217de1071346332c919ff0261aab28817de894d869d

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\VDS50TL2\www.bing[1].xml
    Filesize

    17KB

    MD5

    69ec1673911ee458eeb1b68e53959c40

    SHA1

    91e2f61c07f60dd15fd6d2a1fe30aa0a5114a78f

    SHA256

    a96ca31d89705041c8d712fbddb0ff0189d66d12a55aa4e0e2dd0dd21642f14e

    SHA512

    1e3b45a444c817178fdce5213f9d2111bc1ab8ae965b3dc6a21085f329bdb20ca28672471b8803eaa0056f1b79bd3ff0889c869c95fa623b79ac0e78e5b1df7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3u42kdup.c3c.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1152-198-0x000001CF50EE0000-0x000001CF50FE0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1152-42-0x000001CF3A4B0000-0x000001CF3A5B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1152-93-0x000001CF4BC80000-0x000001CF4BD80000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1152-111-0x000001CF3A670000-0x000001CF3A690000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1152-112-0x000001CF4D140000-0x000001CF4D160000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1152-113-0x000001CF4D850000-0x000001CF4D870000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3080-11-0x00007FFCFBB50000-0x00007FFCFC612000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3080-12-0x00007FFCFBB50000-0x00007FFCFC612000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3080-10-0x00007FFCFBB50000-0x00007FFCFC612000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3080-0-0x00007FFCFBB53000-0x00007FFCFBB55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3080-9-0x000001762BD20000-0x000001762BD42000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3080-308-0x00007FFCFBB50000-0x00007FFCFC612000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3080-311-0x00007FFCFBB50000-0x00007FFCFC612000-memory.dmp

    Filesize

    10.8MB

    Download