Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    111s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/08/2024, 10:11

General

  • Target

    de2858ef35c83552b8dbd001944a4110N.exe

  • Size

    717KB

  • MD5

    de2858ef35c83552b8dbd001944a4110

  • SHA1

    dee07648c9bcecab3c13fe06f288226b30c575ec

  • SHA256

    ba715b42b9b023c81247b5d7c834f3b896fc658c1ffc563f4d3fe3d76e161b1a

  • SHA512

    40919c8b638bcb395412d4b18dd3e765ad4b2c8150a6d2e5b46dcde0d8d76b8f1cd55fe335a42d929bf4daa374584bd52797d19456c80775cff80f96cd3ce5f1

  • SSDEEP

    12288:/MHL/AmVt07kw3jl2tBds5IBjxMbJxuz+N1qqQD:EdVql3CBdxqTm+fgD

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 38 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops desktop.ini file(s) 57 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 26 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de2858ef35c83552b8dbd001944a4110N.exe
    "C:\Users\Admin\AppData\Local\Temp\de2858ef35c83552b8dbd001944a4110N.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4976
    • C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Executes dropped EXE
      • Drops autorun.inf file
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\AE 0124 BE.exe
        "C:\Windows\AE 0124 BE.exe"
        3⤵
        • Drops file in Drivers directory
        • Manipulates Digital Signatures
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Windows\SysWOW64\drivers\winlogon.exe
          "C:\Windows\System32\drivers\winlogon.exe"
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3900
      • C:\Windows\SysWOW64\drivers\winlogon.exe
        "C:\Windows\System32\drivers\winlogon.exe"
        3⤵
        • Executes dropped EXE
        PID:3192
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F974E26C10B80C216EF947A05624570D C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSIC767.tmp

    Filesize

    225KB

    MD5

    d711da8a6487aea301e05003f327879f

    SHA1

    548d3779ed3ab7309328f174bfb18d7768d27747

    SHA256

    3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

    SHA512

    c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

  • C:\Windows\AE 0124 BE.msi

    Filesize

    717KB

    MD5

    8c6fd0a6356482d4dc1cf1626fb4cc43

    SHA1

    be14941d6f31819364945356c5040fcc9a77853e

    SHA256

    8faa33bc99d73199a08a9ee7f08ea6cffc3e720066056e46656481322ed728b6

    SHA512

    d8dbfc2b6cfabea4a15c0b5ec3103a00ca1ded0d0bfab82f60d436b791e870259aef8baca0d45a292764404e90d006958454774e7a72e7f24d8b6c02cbe9fabf

  • C:\Windows\Msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\Windows\SysWOW64\drivers\winlogon.exe

    Filesize

    130KB

    MD5

    a1f4f4e347219a8a6aa41290d11dab29

    SHA1

    97ae21420cfb4e2171416c77ada55117e175f894

    SHA256

    46bca533820fecc770e44ab426451cd70a3868f063a5ff4e6512bacda5aabb31

    SHA512

    967110a03247ae35b30ffbbf10fc77de8f0c149db8b2f0b14c3c636ff8aa7564ff21eef0490dc2bde4dc5fd1f7dc06cb73b56db9115ab3fbdb1a43d597a4e76b

  • C:\Windows\System32\LogFiles\WMI\CloudExperienceHostOobe.etl.002

    Filesize

    256KB

    MD5

    2e8a61cdeabfc5cac0157f5c4f2664fd

    SHA1

    2a1e7c768e8f1e00a8b65346268ea47477159d8e

    SHA256

    94110f8f3625fd371d228f0b55e313baeff9c6556ea29be13b6a8c9768381a64

    SHA512

    24b1fda4c686edce4a36048858563f22c8fa513d765ab3614c29188e6aaa7c4cbb1d8ae22ad61f51129e5c75f20acfd76f1ed03992ee7be65013c740940fe58f

  • \??\c:\B1uv3nth3x1.diz

    Filesize

    21B

    MD5

    9cceaa243c5d161e1ce41c7dad1903dd

    SHA1

    e3da72675df53fffa781d4377d1d62116eafb35b

    SHA256

    814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

    SHA512

    af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b