Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

6

Beholder_ ...re.zip

windows7-x64

1

Beholder_ ...re.zip

windows10-2004-x64

1

Android/ob...ee.zip

windows7-x64

1

Android/ob...ee.zip

windows10-2004-x64

1

assets/Logo/logo1.mp4

windows7-x64

1

assets/Logo/logo1.mp4

windows10-2004-x64

6

assets/Logo/logo2.mp4

windows7-x64

1

assets/Logo/logo2.mp4

windows10-2004-x64

6

assets/Uni...n.json

windows7-x64

3

assets/Uni...n.json

windows10-2004-x64

3

assets/bin...000000

windows7-x64

1

assets/bin...000000

windows10-2004-x64

1

assets/bin...6cd535

windows7-x64

1

assets/bin...6cd535

windows10-2004-x64

1

assets/bin...23b72b

windows7-x64

1

assets/bin...23b72b

windows10-2004-x64

1

assets/bin...247a10

windows7-x64

1

assets/bin...247a10

windows10-2004-x64

1

assets/bin...45cca7

windows7-x64

1

assets/bin...45cca7

windows10-2004-x64

1

assets/bin...65105d

windows7-x64

1

assets/bin...65105d

windows10-2004-x64

1

assets/bin...6d79f6

windows7-x64

1

assets/bin...6d79f6

windows10-2004-x64

1

assets/bin...9897ac

windows7-x64

1

assets/bin...9897ac

windows10-2004-x64

1

assets/bin...7bf85e

windows7-x64

1

assets/bin...7bf85e

windows10-2004-x64

1

assets/bin...29fc78

windows7-x64

1

assets/bin...29fc78

windows10-2004-x64

1

assets/bin...04a31f

windows7-x64

1

assets/bin...04a31f

windows10-2004-x64

1

Analysis

  • max time kernel
    135s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/09/2024, 02:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    assets/Logo/logo2.mp4

  • Size

    1.5MB

  • MD5

    e4313411208de6204df61a5e318255e9

  • SHA1

    a6285e81e2daedd2dff19136a58c9e4dfdf2f128

  • SHA256

    0636cff51545ad4a4a65d763d75b5f243e2fa228ccfbc205b1423df10c453665

  • SHA512

    9a0fc0aa94428ec3540cf7fbfcbeb3f799dfffb6a0dced68b9f876a9b42863074bd3c82c4d7b016bddd0488b36f37650c04215183412e1c7f8a8b0842e143a98

  • SSDEEP

    24576:cfOp3QWeWXns6RpzVwwJ7wNxPL+OX/wH8PQtlIfaSjJ:cmpAins6Rxq+wrPfhEIj

Score
6/10
discovery

Malware Config

Signatures

  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\assets\Logo\logo2.mp4"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:5032
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:1028
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:4332
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4c4 0x2ec
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    512KB

    MD5

    1baea65aba049862a6d7a18c00aa3302

    SHA1

    74ead72ed2952ed9ad645b2703d06673a566d75f

    SHA256

    a76033d434f2b88331aed83039bdfb958d0332d2afb97731d3b644c6b48d47d9

    SHA512

    a030ad3f821f6ed0e3371b55b00b33e14ae298a791b509d67ee0df40cf67020e2a8112f1474dd24d55e2aab0f16bc20450158da9b37cb439f87abfafe9f50d69

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    1024KB

    MD5

    4e337519001b4be6989de464f1c6518f

    SHA1

    e9372e76332be83c7a76a86212714f1818051edc

    SHA256

    4318fba134261d4592b4b4eea1b9e8ab6d001cc957a7f849795a2a089e9e1e34

    SHA512

    64d865d37c672750c8c71fccfb4d5466ad5cddee806868083bed0033144c6b58642d7301a8dc3ddee342670b2c48ed424490d39f6f26cb72f7eeb485c4652989

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
    Filesize

    68KB

    MD5

    d233ddee0a3e1785dbb9a01530bd7988

    SHA1

    ecd739b306e8e445fc62e0ebbfec1b9e15f2a574

    SHA256

    2f6625a8ff45683d0b16432bd6bea8b2baf1b982c3a834d457a28d3a7563ce94

    SHA512

    5c9862c4d280e59d6fdcf7c13624024fa2f34f63262b752a38b9015299429893737d15c850993285952c5c42ab689f91c55bd95aa9953376a6220ded9a2c0ed9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
    Filesize

    498B

    MD5

    90be2701c8112bebc6bd58a7de19846e

    SHA1

    a95be407036982392e2e684fb9ff6602ecad6f1e

    SHA256

    644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

    SHA512

    d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize

    9KB

    MD5

    5433eab10c6b5c6d55b7cbd302426a39

    SHA1

    c5b1604b3350dab290d081eecd5389a895c58de5

    SHA256

    23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

    SHA512

    207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    1KB

    MD5

    fd50d66b22f02f8fdd12295bbc76e1bf

    SHA1

    a21d39521eb572b230785c253d42fca8d02cd02c

    SHA256

    86f9b4a27283927da1aeea9eddc89fbfcc9f32b03ed9e672d77aa9256e65a22b

    SHA512

    b1904cf291f567f9c8e69b8a9df1efc10f2283d638e3c5c7920a63c082d8e18ce1f48cae8a5fbcb3981ef0c1a16e7a5db09fd74a6ff972d511cf50e82f3ef2b0

    Download Submit

  • memory/5032-33-0x00000000078B0000-0x00000000078C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5032-30-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5032-31-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5032-34-0x0000000007880000-0x0000000007890000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5032-37-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5032-36-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5032-35-0x0000000007880000-0x0000000007890000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5032-38-0x0000000007880000-0x0000000007890000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5032-32-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5032-29-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

    Filesize

    64KB

    Download