Analysis
Max time kernel: 149s
Max time network: 142s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 14/08/2024, 01:37
Static task: static1
Behavioral task: behavioral1
  Sample: 27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe
  Resource: win10v2004-20240802-en
General
Target: 27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe
Size: 2.8MB
MD5: 801d390b7b0ca5d3416d439b1be79851
SHA1: 5efad1401b5f58d4c4d78d5a9bc502fe8a236d0b
SHA256: 27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46
SHA512: a898e176b0443fbe824ecada1113d889405f8801db982fb2d95001b39d03d5f392b39cc9312d08f0c93fea91ea18c7817bb1b0460199e66fc99dfae5507c739c
SSDEEP: 49152:9ILoHVHpGzM3pnvGX/KCYkWHGjkf8dE+EP59OQYmzG9jEaPjD:9nVH4zM3hvmBYkWHlUm+E37zvaPjD
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation (process: 27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe)
Executes dropped EXE (3 IoCs)
  PID 3064 PostUpdate.exe
  PID 4088 bitsumsessionagent.exe
  PID 752 processlasso.exe
Loads dropped DLL (4 IoCs)
  PID 3064 PostUpdate.exe
  PID 3064 PostUpdate.exe
  PID 752 processlasso.exe
  PID 752 processlasso.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe)
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: PostUpdate.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: processlasso.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: processlasso.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: PostUpdate.exe)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4088 bitsumsessionagent.exe
Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Token: SeAssignPrimaryTokenPrivilege (PID 752 processlasso.exe)
  Token: SeDebugPrivilege (PID 752 processlasso.exe)
  Token: SeChangeNotifyPrivilege (PID 752 processlasso.exe)
  Token: SeIncBasePriorityPrivilege (PID 752 processlasso.exe)
  Token: SeIncreaseQuotaPrivilege (PID 752 processlasso.exe)
  Token: SeCreateGlobalPrivilege (PID 752 processlasso.exe)
  Token: SeProfSingleProcessPrivilege (PID 752 processlasso.exe)
  Token: SeBackupPrivilege (PID 752 processlasso.exe)
  Token: SeRestorePrivilege (PID 752 processlasso.exe)
  Token: SeShutdownPrivilege (PID 752 processlasso.exe)
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 4652 (27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe) wrote to memory of PID 3064 (procid_target 87)
  PID 4652 (27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe) wrote to memory of PID 3064 (procid_target 87)
  PID 3064 (PostUpdate.exe) wrote to memory of PID 752 (procid_target 91)
  PID 3064 (PostUpdate.exe) wrote to memory of PID 752 (procid_target 91)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe"
  PID: 4652
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
    PID: 3064
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\processlasso.exe
      Command line: /postupdate
      PID: 752
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
  PID: 4088
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads