Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

02/09/2024, 09:53

240902-lw23zaxemk 6

02/09/2024, 09:39

240902-lmr7eaybpb 8

Analysis

  • max time kernel
    109s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/09/2024, 09:53

Errors

Reason
Machine shutdown

General

  • Target

    RobloxScreenShot20240816_143121489.png

  • Size

    767KB

  • MD5

    34e193a8213126c80788e468e60d491a

  • SHA1

    3c2cef83427a0ae53c7928f4a51a4b740aaed246

  • SHA256

    99768802974637b8f9aa0abc825fe2f8b3fb42a2be83c203cd16e2d27f92e828

  • SHA512

    21f15bb505a10f7df209a8de86de818c726081bae4e734786e9a5a48e8c59070edb7536a7c66b8f69a30df4d119a1e9dcaf2ec0a5778bee0bac4764c9d9c254f

  • SSDEEP

    12288:TAydlJqixZJt2I912L1Bb0wUijRjkb4AMCT1ZxE7VuiVFDIzEd8y1STVv:r5ZJtB9125Bb2eeXMuHE7Vu+/d8yMv

Malware Config

Signatures

  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\RobloxScreenShot20240816_143121489.png
    1⤵
      PID:112
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4404,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:8
      1⤵
        PID:2712
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
        1⤵
        • Drops desktop.ini file(s)
        • Checks processor information in registry
        • Modifies registry class
        PID:2724
      • C:\Windows\system32\osk.exe
        "C:\Windows\system32\osk.exe"
        1⤵
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:1272
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x2b4 0x338
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1424
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x4 /state0:0xa3922055 /state1:0x41c64e6d
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of SetWindowsHookEx
        PID:4472

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Videos\Captures\desktop.ini

        Filesize

        190B

        MD5

        b0d27eaec71f1cd73b015f5ceeb15f9d

        SHA1

        62264f8b5c2f5034a1e4143df6e8c787165fbc2f

        SHA256

        86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

        SHA512

        7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c