Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    35s
  • max time network
    31s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19/08/2024, 00:03

General

  • Target

    Monolith.exe

  • Size

    3.9MB

  • MD5

    07dc38e53039d72d14e1cbca9856ba5b

  • SHA1

    d3a981998c26f59d08090150a813d5ab27e53526

  • SHA256

    d7435449ef4aecbd126115316045b002cb5aecfbcd6cbed9f3cbe62114502060

  • SHA512

    0b96bd20778d8524602de2ce6027500d8412b5fc8d00d3af34a954b55c82cc9d59fc988ffbf78a9e3866dae8862158ca31f1bd5e516527a8857d240f2df4c465

  • SSDEEP

    98304:uw8woLTfmptqpaKjSVO+Pm5hXvAPAtXI08y4OfcswrxhKAqLB/JsSYOkM:uwuH+pMP4Pk9vuAtXp8HOkBdhpqBJWQ

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Monolith.exe
    "C:\Users\Admin\AppData\Local\Temp\Monolith.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/rpgq7aKtBD
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffd86373cb8,0x7ffd86373cc8,0x7ffd86373cd8
        3⤵
          PID:4492
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
          3⤵
            PID:576
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
            3⤵
              PID:4820
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
              3⤵
                PID:3388
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
                3⤵
                  PID:1476
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
                  3⤵
                    PID:3288
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
                    3⤵
                      PID:2780
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:1416
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    1⤵
                      PID:904

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                      Filesize

                      152B

                      MD5

                      3e2612636cf368bc811fdc8db09e037d

                      SHA1

                      d69e34379f97e35083f4c4ea1249e6f1a5f51d56

                      SHA256

                      2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

                      SHA512

                      b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                      Filesize

                      152B

                      MD5

                      e8115549491cca16e7bfdfec9db7f89a

                      SHA1

                      d1eb5c8263cbe146cd88953bb9886c3aeb262742

                      SHA256

                      dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

                      SHA512

                      851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                      Filesize

                      5KB

                      MD5

                      da1796719a8b3e4401e14594e9d552a5

                      SHA1

                      92a2071aa2a782603044d1d8eb47a8be3d72ec1d

                      SHA256

                      3bb92ec281f6b2061ef9f3d4cef6949fd2494df37851d5289b6d8147b626aa49

                      SHA512

                      27d6a5b544bcfa9c7a087c168a703cba93251c420d058d886fbe9a34b16280f4ab1ff1b3fef7815b9db4b19e63df6a1565a3ad9fe6d02b58f3c3cc7711ad340f

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                      Filesize

                      6KB

                      MD5

                      70f3bdcc19980aa7fdfa8d01eac87055

                      SHA1

                      156d6804747f3749528e9b46c5e5616e65f8915a

                      SHA256

                      8b07baeb43b939b23501809e84df2ec6ddb14fd128eed26f16b453d48ac0a682

                      SHA512

                      27717c6b4392cfe92572e49e61f18a00840f5a20c387890b6dadb0a1a9b964e9bad7ec140a989a80fbc716b77314f55f63c1c95b82e34671d1edd5f0691bff3b

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                      Filesize

                      10KB

                      MD5

                      0c0c9b70eb7c400ece5f57c04f1dc622

                      SHA1

                      b6778b7461f25a64f6964f982bafbec54a19d5a6

                      SHA256

                      3bddb87bbcfe121483475ca61707844685101aa5b5aa57b3848505c1c07da847

                      SHA512

                      8f6b1d91e6bbbcbc708265e8a454bd3d43ffcd75d6fb5648a56baded9743542b2c2be9b5a46fb4f31683d0a4a73bf462cd6c5b241602d3ffa1a2398777edac55

                    • memory/2740-2-0x0000000140000000-0x0000000140A49000-memory.dmp

                      Filesize

                      10.3MB

                    • memory/2740-0-0x0000000140000000-0x0000000140A49000-memory.dmp

                      Filesize

                      10.3MB

                    • memory/2740-32-0x0000000140000000-0x0000000140A49000-memory.dmp

                      Filesize

                      10.3MB

                    • memory/2740-33-0x0000000140000000-0x0000000140A49000-memory.dmp

                      Filesize

                      10.3MB

                    • memory/2740-3-0x0000000140000000-0x0000000140A49000-memory.dmp

                      Filesize

                      10.3MB

                    • memory/2740-1-0x00007FFD96027000-0x00007FFD96029000-memory.dmp

                      Filesize

                      8KB

                    • memory/2740-50-0x0000000140000000-0x0000000140A49000-memory.dmp

                      Filesize

                      10.3MB

                    • memory/2740-60-0x0000000140000000-0x0000000140A49000-memory.dmp

                      Filesize

                      10.3MB