Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/09/2024, 13:36

General

  • Target

    3551037b428548213f880ee755ca2390N.exe

  • Size

    422KB

  • MD5

    3551037b428548213f880ee755ca2390

  • SHA1

    559ac9a2afd252e1e42c29d329272ab44cd889e8

  • SHA256

    8a1bfbc22006c9c49579fb9e101c4a5fb75c071b13b05a743aa28e4541976461

  • SHA512

    e310e2d2f969902ae7dd4746dab6c72ae7b86684334c903d70660a45fdfcefb178ceec491f17cb9d7aaf9813b35e71d5c425ef2e3277eb26c31af920c783feee

  • SSDEEP

    3072:AYLf3GqW1ywnfwdiEu6+7UPToMVsPARgW/TCD5uSYzZPXQKlU2k7HoZ7WK7TxqNo:AirW1n4d//PTJOYRgsTxFxU27WGYhRnC

Score
6/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3551037b428548213f880ee755ca2390N.exe
    "C:\Users\Admin\AppData\Local\Temp\3551037b428548213f880ee755ca2390N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Users\Admin\AppData\Local\Temp\bitsum\processlasso\pl4sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\bitsum\processlasso\pl4sfx.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
        "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:60
        • C:\Users\Admin\AppData\Local\Temp\processlasso.exe
          /postupdate
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:2852
  • C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
    C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe

    Filesize

    627KB

    MD5

    76a0b3c6a81a8b8c454c9a9d26e60b01

    SHA1

    363985917da4235e1af5c305f8413cdf23d96821

    SHA256

    7656417fecc53631a163061c9ec14bcdf286d1a5a5364eef34963c3a836722d6

    SHA512

    6bc4a9f616c847ed92cbbd882c47b8953efea5d97ac023f2525784eaf6e940686f2ddd1bea2a55134ace10e7de72fa58c02912ca6c6e5005d5a2997b6bf5f34e

  • C:\Users\Admin\AppData\Local\Temp\ProcessLasso.exe

    Filesize

    1.6MB

    MD5

    0790562361cf733a7ec381a83b815681

    SHA1

    7a9364049718b6a26141d717b4c918cc22084d77

    SHA256

    f44308768b7145b11a9ce52426528c88e221b47fe8d4145f066e734e1c60eaee

    SHA512

    a6bc71fc5de83228ebb6184e9469165de0bac201d488ac41011acdcdc0c1a6bcedac62b0e10880639027459a1a15422156ae43a05d808901975467b3f5cb2bbf

  • C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe.Replacement

    Filesize

    422KB

    MD5

    d720f448ea02b3c7e2b7291b40f31ac3

    SHA1

    2035ce95916c1d95867d0a6bc035cee068f84d30

    SHA256

    f8d3768681d2de474fc78da649ce02662d1760b8cb139b8158e1438cafd42baa

    SHA512

    5a021ce5d0b0790efcb560b7089404b744080b1f9f8e5fd05aaf9d557b25b6c9e649ef69a9a83261d0a3f1a368b2898341929477ffa774c8dde6cd97e42efcc1

  • C:\Users\Admin\AppData\Local\Temp\bitsum\processlasso\pl4sfx.exe

    Filesize

    2.6MB

    MD5

    898a1344f19966a14a8c087ffc7226db

    SHA1

    88882e1f04d793f4d2e1855b6c70174f08fbb8fb

    SHA256

    ef28f9534b9f44f6010337b7323c9afbf647248bda524216103b797972e5ca49

    SHA512

    812716ee4e5f379a809ece3b48eb797f448ff52aa250c4bfc5c4111c8c63d19c9dd92eab2d299a7848206d959a577cf3cf1b0120429535c4040a4473732d463f

  • C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe

    Filesize

    141KB

    MD5

    9fea26f0f8751f6c32f9b4e47b5b957e

    SHA1

    f75de183a1580d8662da086c72eeaa4aab7c21be

    SHA256

    562937de703f04771ccd4e7bb0c3ffc38c22d2e2bb44d8a7dfd0a7663a6c6e8b

    SHA512

    e4421b9fb4c0c6b6514715353126eec1e4a61a28e36ba49b77a8842988e40a606ecab1096f7aaf1e5e44c0547732616bf5b0a672974086d0fb673a5033aa4d11

  • C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

    Filesize

    1.9MB

    MD5

    ff7ffcf822b20dd46a6ff87868e8e3ec

    SHA1

    2bf83ae40009f2b365eba6a339b93626dde1d8a0

    SHA256

    0d5e766156f38a7a626e9bd101bb8010cf480b7d0d6c2a2c9391ed1e854493b2

    SHA512

    474a487e937d461ef3391ccf6a9ab678a3b5218e1768b22272b74a9fafe8144dcf6318258a7b9e8883e61f144c30676eee64af3573bef6ac18f122b1ebaea770