Analysis
- max time kernel: 149s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/08/2024, 21:46
Static task: static1
Behavioral task: behavioral1
- Sample: 5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe
- Resource: win10v2004-20240802-en
General
- Target: 5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe
- Size: 2.8MB
- MD5: 6b2267b9f4c66d603cc5acc082885101
- SHA1: 8d491e53b1b8e6ea33796f414b45990ead605fe9
- SHA256: 5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0
- SHA512: 6892073c1406de20a5845c5c8c7dccea8f507a67b11d7ad39bc610ed9981ce7a59a2d969891d561f7177f9fed3b877236167474d9a9e81bfd2def0eb88301bbb
- SSDEEP: 49152:1ILPyH0RhohKKNZarfmNVgzzzk43kdn9ZBsnx9z3jglT:1ynvslNZBUzzz30VynxNTg
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation (process: 5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe)
- Executes dropped EXE (3 IoCs)
  - PID 1904: PostUpdate.exe
  - PID 5092: bitsumsessionagent.exe
  - PID 2184: processlasso.exe
- Loads dropped DLL (4 IoCs)
  - PID 1904: PostUpdate.exe
  - PID 1904: PostUpdate.exe
  - PID 2184: processlasso.exe
  - PID 2184: processlasso.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe)
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: PostUpdate.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: PostUpdate.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: processlasso.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: processlasso.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 5092: bitsumsessionagent.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  - PID 2184 (processlasso.exe) enabled tokens: SeAssignPrimaryTokenPrivilege, SeDebugPrivilege, SeChangeNotifyPrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, SeCreateGlobalPrivilege, SeProfSingleProcessPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 4868 (5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe) wrote to memory of PID 1904 (procid_target 87)
  - PID 4868 (5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe) wrote to memory of PID 1904 (procid_target 87)
  - PID 1904 (PostUpdate.exe) wrote to memory of PID 2184 (procid_target 90)
  - PID 1904 (PostUpdate.exe) wrote to memory of PID 2184 (procid_target 90)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe (command line: "C:\Users\Admin\AppData\Local\Temp\5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe"), PID 4868
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe (command line: "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"), PID 1904
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\processlasso.exe (command line: /postupdate), PID 2184
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe (command line: C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------), PID 5092
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads