Analysis
- max time kernel: 92s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/08/2024, 19:51
Tasks
- Static task static1
- Behavioral task behavioral1: sample Unlock_Tool.zip, resource win10v2004-20240802-en
- Behavioral task behavioral2: sample Defender_Settings.vbs, resource win10v2004-20240802-en
- Behavioral task behavioral3: sample Password.txt, resource win10v2004-20240802-en
- Behavioral task behavioral4: sample Unlock_Tool_4.9.rar, resource win10v2004-20240802-en
General
- Target: Unlock_Tool_4.9.rar
- Size: 43.3MB
- MD5: 12670d3b6559c28f0307d26002416964
- SHA1: 7a7769df937ebc9852b3bec429d1de3bd56ce015
- SHA256: 55812c82f255d2fa049e80d601f9bd3300ccbddbe2cdf97c29b7ae5e161092a0
- SHA512: cd7737f409c38a705c1357450eb1788b0a7e2e6c2beb33c50c5a7f8c57c011ebf9c3f2b1a9567e51a5bc532a6a8fe8f0e5861ece6b152bffae9b2106430dde35
- SSDEEP: 786432:/2W85xHdbAXsgHqQCV0BiotGwIDxJOZW4jro72paQcyqJvCf8BrhDZAZj:/X85xHhAXpIo8wuxMZvvH0JKMrhNWj
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | OpenWith.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  4540 | OpenWith.exe
- Suspicious use of SetWindowsHookEx (19 IoCs)
  pid | Process
  4540 | OpenWith.exe (19 identical entries)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Unlock_Tool_4.9.rar
  Signatures: Modifies registry class
  PID: 2476
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
  PID: 4540
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2992