Analysis

  • max time kernel
    370s
  • max time network
    303s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/08/2024, 16:56

General

  • Target

    GDIVirus.exe

  • Size

    20KB

  • MD5

    91b4cf93f0a7a2c60486fcc0229b9106

  • SHA1

    3e9ba292aaf8e1877de10316839dfd2fa9a7c25c

  • SHA256

    c0a9799f5f3d46d2d94b168191d426b4075e6fa2ae32b19e75e3474850c8dac5

  • SHA512

    e9ddf7fa72a52471f30060f3271b7b159d98fd5e6c78dba831c275cefadd2c8c81556009258fad07e1a0147ff992aa2a89f9db576202a9c9b2fba5e5442dd8f8

  • SSDEEP

    384:pco2viW/M3hFTJpqgsWlOkl4lFlQHKL239Q15EQGMRBE4hJ1Jbwi1:pcoKifpq4tofKG/vVbV

Score
3/10

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 24 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GDIVirus.exe
    "C:\Users\Admin\AppData\Local\Temp\GDIVirus.exe"
    • System Location Discovery: System Language Discovery
    PID:4496
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1808
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:396
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:452
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2624
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2000
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    PID:4904

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/4496-0-0x0000000074FCE000-0x0000000074FCF000-memory.dmp
    Filesize: 4KB
  • memory/4496-1-0x0000000000240000-0x000000000024C000-memory.dmp
    Filesize: 48KB
  • memory/4496-2-0x0000000005300000-0x00000000058A4000-memory.dmp
    Filesize: 5.6MB
  • memory/4496-3-0x0000000004CA0000-0x0000000004D32000-memory.dmp
    Filesize: 584KB
  • memory/4496-4-0x0000000074FC0000-0x0000000075770000-memory.dmp
    Filesize: 7.7MB
  • memory/4496-5-0x00000000050D0000-0x00000000050DA000-memory.dmp
    Filesize: 40KB
  • memory/4496-6-0x0000000074FCE000-0x0000000074FCF000-memory.dmp
    Filesize: 4KB
  • memory/4496-7-0x0000000074FC0000-0x0000000075770000-memory.dmp
    Filesize: 7.7MB
  • memory/4496-8-0x0000000074FC0000-0x0000000075770000-memory.dmp
    Filesize: 7.7MB