Analysis

  • max time kernel
    126s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/09/2024, 09:32

Errors

Reason
Machine shutdown

General

  • Target

    153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe

  • Size

    1.1MB

  • MD5

    fb684a3f9bbd6b74e432a7ce5fba272b

  • SHA1

    401906ba1767b901c4dfbeca1b786aceece5372a

  • SHA256

    153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87

  • SHA512

    2ba198fb88822d02b9586b847df42f82a58894c3a058bfc0de1b603da52470ec95cd8d37a34e8634bc225d0913891fec9bc498c49a314639768f10044b9192a2

  • SSDEEP

    24576:5j8B3KleK6hPJ06jLEVPeTUlDKqVoNkU2uGp7mDYqwQeQFAtVqK0rU:Nw3KLAPJrjQeADK6oNGuqCvkQitEY

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copy of, a web browser credential store.

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: Clear Persistence 1 TTPs 9 IoCs

    Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 15 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 22 IoCs
  • Modifies registry class 7 IoCs
  • NTFS ADS 1 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 58 IoCs
  • Suspicious use of SendNotifyMessage 57 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
    "C:\Users\Admin\AppData\Local\Temp\153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies security service
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3208
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c (echo interface set interface "WLAN" enabled && echo interface set interface "本地网络" enabled && echo interface set interface "本地网络 2" enabled && echo interface set interface "以太网" enabled ) | netsh
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" ( echo interface set interface "WLAN" enabled && echo interface set interface "本地网络" enabled && echo interface set interface "本地网络 2" enabled && echo interface set interface "以太网" enabled )"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2056
      • C:\Windows\SysWOW64\netsh.exe
        netsh
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4732
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c regedit /s C:\Users\Admin\AppData\Local\Temp\baidu.reg
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3220
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s C:\Users\Admin\AppData\Local\Temp\baidu.reg
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Runs .reg file with regedit
        PID:1956
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c rd /s /q "%programfiles%\SysCeo";"%programfiles(x86)%\SysCeo"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3228
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del /s /q /f "%systemroot%\Help\dcold.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5100
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del /s /q /f "%userprofile%\Desktop\驱动总裁.lnk";"%homedrive%\Users\Public\Desktop\驱动总裁.lnk"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2300
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del /s /q /f "%homedrive%\ProgramData\Microsoft\Windows\Start Menu\驱动下载.lnk"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3284
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c rd /s /q "%homedrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\驱动总裁"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3856
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c rd /s /q "%homedrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\驱动总裁2.0"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3252
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\DDF.sys
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4660
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c regedit /s C:\Users\Admin\AppData\Local\Temp\Windows10_YH.REG
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s C:\Users\Admin\AppData\Local\Temp\Windows10_YH.REG
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Runs .reg file with regedit
        PID:412
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Windows\Temp\officeclicktorun.exe_streamserver(20240802134952A2C).log
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5048
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Windows\Temp\ZEUYFSYD-20240802-1349.log
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1064
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Users\Admin\AppData\Local\Temp\twqNQzJK\
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4052
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Users\Admin\AppData\Local\Temp\twqNQzJK\
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2060
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Users\Admin\AppData\Local\Temp\twqNQzJK\
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4988
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /delete /tn "Upgrade 2345Explorer Task" /f
      2⤵
      • Indicator Removal: Clear Persistence
      • System Location Discovery: System Language Discovery
      PID:736
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "Upgrade 2345Explorer Task" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3900
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /delete /tn "Execute 2345Pinyin MiniPage Task" /f
      2⤵
      • Indicator Removal: Clear Persistence
      • System Location Discovery: System Language Discovery
      PID:208
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "Execute 2345Pinyin MiniPage Task" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:756
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /delete /tn "Pinyin_2345Upgrade Task" /f
      2⤵
      • Indicator Removal: Clear Persistence
      • System Location Discovery: System Language Discovery
      PID:2700
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "Pinyin_2345Upgrade Task" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1388
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /delete /tn "KuGou Service Task Scheduler" /f
      2⤵
      • Indicator Removal: Clear Persistence
      • System Location Discovery: System Language Discovery
      PID:3056
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "KuGou Service Task Scheduler" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2356
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /delete /tn "WpsUpdateTask_Administrator" /f
      2⤵
      • Indicator Removal: Clear Persistence
      • System Location Discovery: System Language Discovery
      PID:1636
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "WpsUpdateTask_Administrator" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2292
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /delete /tn "Pic_2345Upgrade Task" /f
      2⤵
      • Indicator Removal: Clear Persistence
      • System Location Discovery: System Language Discovery
      PID:4100
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "Pic_2345Upgrade Task" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1012
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /delete /tn "360ZipUpdater" /f
      2⤵
      • Indicator Removal: Clear Persistence
      • System Location Discovery: System Language Discovery
      PID:2092
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "360ZipUpdater" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4360
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /delete /tn "QQBrowser Updater Task" /f
      2⤵
      • Indicator Removal: Clear Persistence
      • System Location Discovery: System Language Discovery
      PID:3944
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "QQBrowser Updater Task" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5008
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /delete /tn "QQBrowser Updater Task(Core)" /f
      2⤵
      • Indicator Removal: Clear Persistence
      • System Location Discovery: System Language Discovery
      PID:2096
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "QQBrowser Updater Task(Core)" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3728
    • C:\Windows\SysWOW64\ctfmon.exe
      C:\Windows\SysWOW64\ctfmon.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2360
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa396b055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1568

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AutoSoft\Progress.gif

    Filesize

    74KB

    MD5

    39216a24e615a402304bfa1a77c6dffd

    SHA1

    71394af3279365d748d406671a825c8cced2eb60

    SHA256

    acd117ae727666402e8fdfb29aec89abbd8341435bbea0f860d4210d52c50ef1

    SHA512

    b8a71ded49ddfa2eaf1cf5d8d61125092f6ad94f09eaa89091fa81cd966018f31b8b399feaea401caf2e93998d8f8376038637171e34dafcaae07a64f8da1c7f

  • C:\Users\Admin\AppData\Local\Temp\AutoSoft\succes.jpg

    Filesize

    5KB

    MD5

    642733a7bd04b267df22f128f54c6ed3

    SHA1

    2dc5d38b0155092c5883cee66884eb10adc4a5f3

    SHA256

    fa8dc47742ee0190c8c7f2cc35f92793b3f142e5994f58d08610b51e2184c611

    SHA512

    32efccc39b7f822ae30e7dcc47ce6b5391002caa503328a46aecf32dc8fd050acb18414d4aa76198ef40531315f3b56fa10b8e6b7176f26ef4b3e1ba55a64c30

  • C:\Users\Admin\AppData\Local\Temp\Windows10_YH.REG

    Filesize

    1KB

    MD5

    1130b796c24a344261b55cf5ab93bda2

    SHA1

    d4f88039a9c4efb8631ad5e919aa8ff4ee3f00fd

    SHA256

    d80c58afddec1995ae8f2635984aef568b6de1ee98ef74d7371c9687a82d3747

    SHA512

    786ad731d3b332e4baba427e1adc001e6d1dd504659f3577c391ece1a092ee40f073f8885dd28a9d87fc73c77a7810e99c2d6dc5609c48ce64643b60b11153d5

  • C:\Users\Admin\AppData\Local\Temp\aut176B.tmp

    Filesize

    19KB

    MD5

    f40d147c8a0028b0b6eb9ef26dd56a5e

    SHA1

    a51a802b98bccb11e62d8dfd3ba8894342de1abf

    SHA256

    760f22e3a1fa0b52a91a8a2b1a3b1c3c88a6cf3f52ac27f21f5f8abdd01c9ffa

    SHA512

    b28149cdb19cb675499c65b214abb13d4a4d72369707617e360e3cafddfe7dd87aedd4aec7122b9ca4b92d1e448aa19d877053461e8c5355db4fb63c70073ab5

  • C:\Users\Admin\AppData\Local\Temp\baidu.reg

    Filesize

    752B

    MD5

    f4a0f95f1785a0f1b2f83d04abd37e4a

    SHA1

    794ef0460cc1f55cbde0bb74c74b991eee153cbb

    SHA256

    f18ada26b94f662da2e3a9b800a851d86e9450d25cdcc2e8ea84565c803b59fa

    SHA512

    e1f5e3f4b3fd1af418624047b530a4eedfa42011b3788fa7d7d305f3b1484caabcfedfbcb66972eec16e1e4786b6eb2ac0f8382562a70aa12dd3d4dc16250aa7

  • memory/3208-40-0x0000000000F10000-0x0000000001166000-memory.dmp

    Filesize

    2.3MB

  • memory/3208-0-0x0000000000F10000-0x0000000001166000-memory.dmp

    Filesize

    2.3MB

  • memory/3208-42-0x00000000044A0000-0x00000000048A0000-memory.dmp

    Filesize

    4.0MB

  • memory/3208-28-0x00000000044A0000-0x00000000048A0000-memory.dmp

    Filesize

    4.0MB

  • memory/3208-58-0x0000000000F10000-0x0000000001166000-memory.dmp

    Filesize

    2.3MB

  • memory/3208-59-0x0000000000F10000-0x0000000001166000-memory.dmp

    Filesize

    2.3MB

  • memory/3208-61-0x0000000000F10000-0x0000000001166000-memory.dmp

    Filesize

    2.3MB

  • memory/3208-64-0x0000000000F10000-0x0000000001166000-memory.dmp

    Filesize

    2.3MB

  • memory/3208-68-0x0000000000F10000-0x0000000001166000-memory.dmp

    Filesize

    2.3MB

  • memory/3208-88-0x0000000000F10000-0x0000000001166000-memory.dmp

    Filesize

    2.3MB