Analysis

  • max time kernel
    129s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/09/2024, 14:05

General

  • Target

    AspSWeb.exe

  • Size

    688KB

  • MD5

    3b12a13eedbe6e6816f3cb62baf8751a

  • SHA1

    d02c4b830efa1cbce5ec39f71a2290a4d9ccb7e9

  • SHA256

    e6a580c6ed95ffb1a29f4a862370db60ea2295d75e3100b987196361f403d187

  • SHA512

    071220c5c2d6d05fb79ae96a48069a18a698d983adef7f588ce7672dc16a380f1e180ba167d1c66bef76f5dc770bab3f66244d87f41d944252f69be919350cec

  • SSDEEP

    12288:7/JFZqYMOaQ0q9nV/zsnK23KHVI6nodVdyMLiqyVcxwtVxgpMiuzOT6:7BFZqhOBnVyK23C6OoYMLiVcKtVx4Mij

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
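The MBR-write signature above (raised by the dropped TMPNB28.tmp, see the process tree below) is the one behaviour in this report that survives a reinstall of the OS, so it is the one a responder should verify directly on any host that ran this sample. The Python below is an added example, not part of the Triage report or its signature logic: it parses a 512-byte MBR into its boot code, partition entries and 0x55AA signature, and diffs a current sector against a baseline copy so a boot-code overwrite is distinguished from a benign partition-table change. The two sample sectors are constructed here; `read_mbr` and its raw device path are an assumption about how a baseline would be captured (it needs an elevated prompt and is not called by the sample).

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 446          # bytes 0..445: boot code; 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into a boot-code hash, the populated partition entries and a signature check."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_END + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partitions": partitions,
        "valid_signature": sector[510:512] == SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list[str]:
    """Return findings where `current` departs from `baseline`; an empty list means the MBR is unchanged."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["valid_signature"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append(f"boot code changed: {b['boot_code_sha256'][:16]}... -> {c['boot_code_sha256'][:16]}...")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from a raw disk (assumed capture method: elevated prompt on Windows, /dev/sdX on Linux).
    Not called by the constructed sample below."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: the given boot code, one bootable NTFS partition (type 0x07), valid signature."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + SIGNATURE


# Baseline from a clean host versus the same host after a bootkit-style overwrite (both constructed).
BASELINE_MBR = make_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")   # xor ax,ax / mov ss,ax / mov sp,0x7c00
TAMPERED_MBR = make_sample_mbr(b"\xeb\xfe" + b"constructed-bootkit-stub")

if __name__ == "__main__":
    print(compare_mbr(BASELINE_MBR, BASELINE_MBR))   # prints []
    print(compare_mbr(BASELINE_MBR, TAMPERED_MBR))   # prints the single boot-code finding
```

Hashing the boot code separately from the partition table is deliberate: tools such as disk managers legitimately rewrite the table, so a whole-sector hash would alert on every volume change, while a changed boot-code hash with an unchanged table is exactly the pattern a bootkit leaves. Store the baseline hash off-host; a bootkit that has already run controls what the OS reads back from sector 0, so the comparison is only trustworthy against a copy taken from clean boot media or before infection.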

Processes

  • C:\Users\Admin\AppData\Local\Temp\AspSWeb.exe
    "C:\Users\Admin\AppData\Local\Temp\AspSWeb.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c netstat /na
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\SysWOW64\NETSTAT.EXE
        netstat /na
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        • Suspicious use of AdjustPrivilegeToken
        PID:4884
    • C:\Windows\SysWOW64\TMPNB28.tmp
      C:\Windows\system32\TMPNB28.tmp -run C:\Users\Admin\AppData\Local\Temp\nb28.tmp
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2628
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4124,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
    1⤵
      PID:4240
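Two relationships in the tree above are what a detection engineer would turn into rules: a network discovery tool (netstat) whose ancestry leads back to an executable staged in a user's Temp folder, and an "executable" with a .tmp extension launched out of SysWOW64 with a -run argument pointing back into Temp. The Python below is an added example, not Triage's own detection logic: the records are constructed from the process tree on this page (Sysmon Event ID 1 field names are assumed), and the two rules walk the parent chain and inspect image paths rather than matching the sample's hashes, so they fire on the behaviour rather than on this one binary.

```python
import re
from typing import Iterator

# Constructed process-creation records modelled on the report's process tree above.
# Field names follow Sysmon Event ID 1 (an assumption); PIDs and paths are those in the tree.
SAMPLE_EVENTS = [
    {"ProcessId": 1980, "ParentProcessId": 0,     # parent not in the report, so the chain stops here
     "Image": r"C:\Users\Admin\AppData\Local\Temp\AspSWeb.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\AspSWeb.exe"'},
    {"ProcessId": 2388, "ParentProcessId": 1980,
     "Image": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "cmd /c netstat /na"},
    {"ProcessId": 4884, "ParentProcessId": 2388,
     "Image": r"C:\Windows\SysWOW64\NETSTAT.EXE", "CommandLine": "netstat /na"},
    {"ProcessId": 2628, "ParentProcessId": 1980,
     "Image": r"C:\Windows\SysWOW64\TMPNB28.tmp",
     "CommandLine": r"C:\Windows\system32\TMPNB28.tmp -run C:\Users\Admin\AppData\Local\Temp\nb28.tmp"},
    {"ProcessId": 4240, "ParentProcessId": 0,     # benign browser helper; must not fire
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe --type=utility"},
]

USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
NET_DISCOVERY_TOOLS = {"netstat.exe", "ipconfig.exe", "arp.exe", "route.exe", "nbtstat.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: dict) -> Iterator[dict]:
    """Yield parent, grandparent, ... of pid; stops at PIDs absent from the log and on cycles (PID reuse)."""
    seen = {pid}
    ev = by_pid.get(pid)
    while ev is not None:
        ppid = ev["ParentProcessId"]
        if ppid in seen:
            break
        seen.add(ppid)
        ev = by_pid.get(ppid)
        if ev is not None:
            yield ev


def detect(events: list) -> list:
    """Run both rules over a batch of process-creation events and return one finding per hit."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        image = e["Image"]
        # Rule 1: network discovery tool with a Temp-staged executable anywhere in its parent chain.
        # Walking the chain catches both "cmd /c netstat" and a direct CreateProcess of netstat.
        if basename(image) in NET_DISCOVERY_TOOLS:
            staged = [a for a in ancestors(e["ProcessId"], by_pid) if USER_TEMP.search(a["Image"])]
            if staged:
                findings.append({"rule": "net_discovery_from_temp_binary", "pid": e["ProcessId"],
                                 "ancestor": staged[0]["Image"]})
        # Rule 2: image under System32/SysWOW64 whose extension is not .exe (a dropped payload
        # hiding among system files, as TMPNB28.tmp does here).
        if SYSTEM_DIR.search(image) and not image.lower().endswith(".exe"):
            findings.append({"rule": "non_exe_image_in_system_dir", "pid": e["ProcessId"], "image": image})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Rule 2 is the noisier of the two on real estates (installers and some drivers' helpers occasionally run renamed binaries from System32), so in production it belongs with an allowlist keyed on signer rather than on path. Rule 1 relies on `by_pid` being unique for the batch; over a day of telemetry PIDs are reused, so key the ancestry map on Sysmon's ProcessGuid instead of ProcessId.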

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nb28.tmp

      Filesize

      2KB

      MD5

      b9fabc9c8a8024d47651300032402d96

      SHA1

      f974e93bc3352b1e042ebdc6327cdc41e92d7ced

      SHA256

      e310a45cf5bda24644736a30880f1c2af8c3714831f14c25365ae12c30432a78

      SHA512

      6273d041544cf6c044d8b0fb19805fb8e407523de1b69af8ee77d80a7271cacab8abd752dd99351e7593388c87c0c94591f788c946343dfbd19436b431a9f7c4

    • C:\Windows\SysWOW64\TMPNB28.tmp

      Filesize

      633KB

      MD5

      3545fd00d2ba6c1c192b05bd75aa1f4f

      SHA1

      30fa4c33d66a073113d9d971baae38120d320601

      SHA256

      d6272081522372d09a11ca7c0825b8c6a743ba02b450cea1402c03a05f3e2159

      SHA512

      ab79f44e7c428ea0434bced04256174a7d87131ddef2488a71ca67e242bce9676cb88830779aa0a0c3d5b12e097bd32bb99a87c12a248329d9c8a52d777a1c85

    • memory/2628-6-0x0000000000400000-0x0000000000597000-memory.dmp

      Filesize

      1.6MB

    • memory/2628-11-0x0000000000400000-0x0000000000597000-memory.dmp

      Filesize

      1.6MB