Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

xd-AntiSpy_modern.zip

windows11-21h2-x64

1

Localizati...ry.dll

windows11-21h2-x64

1

Newtonsoft.Json.dll

windows11-21h2-x64

1

PluginInterface.dll

windows11-21h2-x64

1

lang.json

windows11-21h2-x64

3

plugins/Cl...e.json

windows11-21h2-x64

3

plugins/Fi...y.json

windows11-21h2-x64

3

plugins/Pl...er.dll

windows11-21h2-x64

1

plugins/Pl...er.ps1

windows11-21h2-x64

3

plugins/Pl...er.dll

windows11-21h2-x64

1

plugins/Pl...r.json

windows11-21h2-x64

3

plugins/Re...er.ps1

windows11-21h2-x64

8

plugins/Sn...t.json

windows11-21h2-x64

3

plugins/Un...ve.ps1

windows11-21h2-x64

8

plugins/Us...e.json

windows11-21h2-x64

3

plugins/Us...l.json

windows11-21h2-x64

3

xd-AntiSpy.exe

windows11-21h2-x64

xd-AntiSpy.png

windows11-21h2-x64

3

Analysis

  • max time kernel
    586s
  • max time network
    443s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12/08/2024, 07:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    plugins/Uninstall OneDrive.ps1

  • Size

    2KB

  • MD5

    d3228595fe69c9f115e84592c6a70e48

  • SHA1

    6795f195012476b278b1dee2766d8e62df96d0a7

  • SHA256

    945f7e685db6fc568cc8eb114b4d54dd7d1d5feb0879c84fe3f82ed786ae3b8d

  • SHA512

    5fae9274601b7bbfd8d3ec2ecba984e59dbfd20a8c31d5bd3bf8f32de9c004916ecea6328db2b1dfb5e2fc9737dbdf769104afe2c8f7476d695dd3b1d3827554

Score
8/10
discoveryexecutionpersistenceprivilege_escalation

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\plugins\Uninstall OneDrive.ps1"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /F /IM OneDrive.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4992
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /F /IM explorer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1640
    • C:\Windows\SysWOW64\OneDriveSetup.exe
      "C:\Windows\SysWOW64\OneDriveSetup.exe" /uninstall
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4924
      • C:\Windows\SysWOW64\OneDriveSetup.exe
        "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /renameReplaceOneDriveExe /renameReplaceODSUExe /cusid:S-1-5-21-3761892313-3378554128-2287991803-1000
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3912
      • C:\Windows\SysWOW64\OneDriveSetup.exe
        C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /renameReplaceOneDriveExe /renameReplaceODSUExe
        3⤵
        • Modifies system executable filetype association
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:456
    • C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" load hku\Default C:\Users\Default\NTUSER.DAT
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4004
    • C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" delete HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v OneDriveSetup /f
      2⤵
        PID:5040
      • C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" unload hku\Default
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4856
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:3936
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
      1⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1864
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2660
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:4936

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Active Setup

    1
    T1547.014

    Event Triggered Execution

    2
    T1546

    Change Default File Association

    1
    T1546.001

    Component Object Model Hijacking

    1
    T1546.015

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Active Setup

    1
    T1547.014

    Event Triggered Execution

    2
    T1546

    Change Default File Association

    1
    T1546.001

    Component Object Model Hijacking

    1
    T1546.015

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Peripheral Device Discovery

    2
    T1120

    Query Registry

    4
    T1012

    System Information Discovery

    3
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
      Filesize

      77B

      MD5

      3c0a69567e7844018081649337d97e21

      SHA1

      9f46eefee1290ef51006efce776bf95c8ceb27f1

      SHA256

      2b6a68c75f693a3d1761b00a7b05f050524a62f8382b6bb385597dab767df3ec

      SHA512

      12ad0349ca56bf51db60b408743c70ba99fde828bb831db2d13a577e6cc241691b778a1bb5cb7df095aaf10694c1fa30162135b6bb8323927726381d9807e8b1

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZTZW67SQ\www.bing[1].xml
      Filesize

      15KB

      MD5

      5a903d5d01b602b10524c4ae79ec13ca

      SHA1

      fc81d87bab4beb0ae7da52358063e9427ce4cc38

      SHA256

      ed48bdaabadd8bec92a245b3b39491384f1bf59949eb33c0d60aee7d08bbd11f

      SHA512

      5755e07cd0254bf6f80dd26e2512bd33281189cc3b3bcaf28dc994610d7dd87e062203cabab40e5e431e1e6b6d590a28b09e19fcfc8e6bc146fa6151b3f4ab40

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hn24rbir.tt3.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\aria-debug-3912.log
      Filesize

      470B

      MD5

      77f3b4ac272afae22d8d9503b4fa3fe5

      SHA1

      668d5dfeee94757692aeaedda32fa817ebb2fbe1

      SHA256

      4e0bdd45b3ab7f5114b767862b46790df33c08ed48f37201d205e1603843a50b

      SHA512

      a05b7a44ef2af0dc62b02e57d43b82006d27d0952fc71abd5aeb9bc41087700709541272ac57cbb5da25e0719c90978f0c47e49444117710d8937e21ad102919

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\aria-debug-456.log
      Filesize

      470B

      MD5

      e585c392b9e16b15d52120e88ec5b82b

      SHA1

      d7a39dd74be17df661c44933232291124420c2ee

      SHA256

      8217d5414e81cfa7f4190266cb9d7838a664841d121508a97aa0d81bcd937e5d

      SHA512

      2b48cad71d83d68a94ff98c3b6c1718e210ea138b1b049fed4dba456566293d01a6fc24c009a58ef3c6f426bcb8772608629928fed3c6933f284f77a348ad10d

      Download Submit

    • memory/1864-201-0x000001A3DA9D0000-0x000001A3DA9F0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1864-156-0x000001A3CA540000-0x000001A3CA560000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1864-29-0x000001A3A7E00000-0x000001A3A7F00000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1864-286-0x000001A3DF800000-0x000001A3DF900000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1864-71-0x000001A3C9CF0000-0x000001A3C9DF0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1864-200-0x000001A3C9C90000-0x000001A3C9CB0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1864-182-0x000001A3DB9C0000-0x000001A3DBAC0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4916-13-0x00007FFAA6C30000-0x00007FFAA76F2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4916-10-0x00007FFAA6C30000-0x00007FFAA76F2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4916-11-0x00007FFAA6C30000-0x00007FFAA76F2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4916-0-0x00007FFAA6C33000-0x00007FFAA6C35000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4916-12-0x00007FFAA6C30000-0x00007FFAA76F2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4916-6-0x000002317B9A0000-0x000002317B9C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4916-376-0x00007FFAA6C30000-0x00007FFAA76F2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4916-375-0x00007FFAA6C33000-0x00007FFAA6C35000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4916-379-0x00007FFAA6C30000-0x00007FFAA76F2000-memory.dmp

      Filesize

      10.8MB

      Download