Analysis
- max time kernel: 35s
- max time network: 31s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 19/08/2024, 00:03
Behavioral task: behavioral1
- Sample: Monolith.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: Monolith.exe
- Resource: win10v2004-20240802-en
General
- Target: Monolith.exe
- Size: 3.9MB
- MD5: 07dc38e53039d72d14e1cbca9856ba5b
- SHA1: d3a981998c26f59d08090150a813d5ab27e53526
- SHA256: d7435449ef4aecbd126115316045b002cb5aecfbcd6cbed9f3cbe62114502060
- SHA512: 0b96bd20778d8524602de2ce6027500d8412b5fc8d00d3af34a954b55c82cc9d59fc988ffbf78a9e3866dae8862158ca31f1bd5e516527a8857d240f2df4c465
- SSDEEP: 98304:uw8woLTfmptqpaKjSVO+Pm5hXvAPAtXI08y4OfcswrxhKAqLB/JsSYOkM:uwuH+pMP4Pk9vuAtXp8HOkBdhpqBJWQ
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | process: Monolith.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | process: Monolith.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | process: Monolith.exe
- Themida packer detected in memory (yara_rule: themida, 7 IoCs)
  resource: behavioral3/memory/2740-N-0x0000000140000000-0x0000000140A49000-memory.dmp, matched for dump sequence numbers N = 0, 3, 2, 32, 33, 50, 60 (the same image region of PID 2740 across seven dumps)
- Checks whether UAC is enabled (1 IoC)
  description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: Monolith.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 10 | ioc: discord.com
  flow 16 | ioc: discord.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 2740 | process: Monolith.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | process: msedge.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | process: msedge.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | process: msedge.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2740 | process: Monolith.exe (all 64 entries are identical)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid 1092 | process: msedge.exe (all 3 entries are identical)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid 1092 | process: msedge.exe (all 25 entries are identical)
- Suspicious use of SendNotifyMessage (12 IoCs)
  pid 1092 | process: msedge.exe (all 12 entries are identical)
- Suspicious use of WriteProcessMemory (64 IoCs; the distinct writer/target pairs, each repeated several times in the original table)
  PID 2740 (Monolith.exe) wrote to memory of PID 1092 | procid_target 83
  PID 1092 (msedge.exe) wrote to memory of PID 4492 | procid_target 84
  PID 1092 (msedge.exe) wrote to memory of PID 576 | procid_target 85
  PID 1092 (msedge.exe) wrote to memory of PID 4820 | procid_target 86
  PID 1092 (msedge.exe) wrote to memory of PID 3388 | procid_target 87
Processes
- C:\Users\Admin\AppData\Local\Temp\Monolith.exe (PID 2740)
  command line: "C:\Users\Admin\AppData\Local\Temp\Monolith.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1092, child of 2740)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/rpgq7aKtBD
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - msedge.exe (PID 4492, crashpad-handler, child of 1092)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffd86373cb8,0x7ffd86373cc8,0x7ffd86373cd8
    - msedge.exe (PID 576, gpu-process, child of 1092)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
    - msedge.exe (PID 4820, utility: network.mojom.NetworkService, child of 1092)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
    - msedge.exe (PID 3388, utility: storage.mojom.StorageService, child of 1092)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
    - msedge.exe (PID 1476, renderer, child of 1092)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    - msedge.exe (PID 3288, renderer, child of 1092)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    - msedge.exe (PID 2780, renderer, child of 1092)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 1416)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 904)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads