Analysis
- max time kernel: 119s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/09/2024, 13:36
Static task: static1
Behavioral task: behavioral1
- Sample: 3551037b428548213f880ee755ca2390N.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 3551037b428548213f880ee755ca2390N.exe
- Resource: win10v2004-20240802-en
General
- Target: 3551037b428548213f880ee755ca2390N.exe
- Size: 422KB
- MD5: 3551037b428548213f880ee755ca2390
- SHA1: 559ac9a2afd252e1e42c29d329272ab44cd889e8
- SHA256: 8a1bfbc22006c9c49579fb9e101c4a5fb75c071b13b05a743aa28e4541976461
- SHA512: e310e2d2f969902ae7dd4746dab6c72ae7b86684334c903d70660a45fdfcefb178ceec491f17cb9d7aaf9813b35e71d5c425ef2e3277eb26c31af920c783feee
- SSDEEP: 3072:AYLf3GqW1ywnfwdiEu6+7UPToMVsPARgW/TCD5uSYzZPXQKlU2k7HoZ7WK7TxqNo:AirW1n4d//PTJOYRgsTxFxU27WGYhRnC
Malware Config
Signatures
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation (process: 3551037b428548213f880ee755ca2390N.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation (process: pl4sfx.exe)
- Executes dropped EXE (4 IoCs)
  - PID 2352: pl4sfx.exe
  - PID 60: PostUpdate.exe
  - PID 1688: bitsumsessionagent.exe
  - PID 2852: processlasso.exe
- Loads dropped DLL (4 IoCs)
  - PID 60: PostUpdate.exe
  - PID 60: PostUpdate.exe
  - PID 2852: processlasso.exe
  - PID 2852: processlasso.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 3551037b428548213f880ee755ca2390N.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: pl4sfx.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: PostUpdate.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: bitsumsessionagent.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: processlasso.exe)
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: PostUpdate.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: PostUpdate.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: processlasso.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: processlasso.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  - PID 1688: bitsumsessionagent.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  All ten tokens adjusted by PID 2852 (processlasso.exe):
  - SeAssignPrimaryTokenPrivilege
  - SeDebugPrivilege
  - SeChangeNotifyPrivilege
  - SeIncBasePriorityPrivilege
  - SeIncreaseQuotaPrivilege
  - SeCreateGlobalPrivilege
  - SeProfSingleProcessPrivilege
  - SeBackupPrivilege
  - SeRestorePrivilege
  - SeShutdownPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 4420 (3551037b428548213f880ee755ca2390N.exe) wrote to memory of PID 2352, procid_target 88 (3 IoCs)
  - PID 2352 (pl4sfx.exe) wrote to memory of PID 60, procid_target 92 (3 IoCs)
  - PID 60 (PostUpdate.exe) wrote to memory of PID 2852, procid_target 95 (3 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\3551037b428548213f880ee755ca2390N.exe (PID 4420, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3551037b428548213f880ee755ca2390N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bitsum\processlasso\pl4sfx.exe (PID 2352, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bitsum\processlasso\pl4sfx.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe (PID 60, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\processlasso.exe (PID 2852, depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\processlasso.exe /postupdate
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe (PID 1688, depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15