Analysis

  • max time kernel
    120s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 10:48

General

  • Target

    cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe

  • Size

    3.1MB

  • MD5

    c3e7b349ab01f3c8d361aef18d7d99b0

  • SHA1

    75d774e51fd6bd19bb5abb9c96ba54fbb88964c4

  • SHA256

    cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512

  • SHA512

    74d3c6b34d1edcd46ad98340c67313d03f9e351479df598fc7628ff9607e09af6c801d7387fd5f513c0dc12721a834991fcd6aeb7f0751764cc6dc9e2fd61a21

  • SSDEEP

    12288:DCgvmzFHi0mo5aH0qMzd58g7FWPJQPDHvd:DCgvOHi0mGaH0qSdzFI4V

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 25 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control privilege elevation for standard users.

  • Looks up external IP address via web service 8 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 36 IoCs
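
As an added triage check, not part of the tria.ge report or its signature logic: the PowerShell below reads the registry locations that the persistence and defense-evasion signatures above commonly correspond to (Winlogon Shell and Userinit, the policy and standard Run keys, DisableRegistryTools, the UAC values under Policies\System, and the SafeBoot AlternateShell) on a live Windows 10 host and flags values that differ from a stock install. The baseline values are assumed defaults of a clean Windows 10 x64 installation, and the mapping of each key to a signature name is the editor's reading of the signature titles, not tria.ge's published detection rules.

```powershell
# Added example: registry audit for the persistence / defense-evasion signatures in this report.
# Not tria.ge code. Baseline values below are assumed defaults of a stock Windows 10 x64 install.
# Read-only; run as the user whose HKCU hive you want checked (HKLM reads need no elevation).

function Test-RegValue {
    param(
        [string]$Path,       # registry key, PSDrive syntax
        [string]$Name,       # value name
        $Expected,           # benign value(s); $null means any value present is flagged
        [string]$Signature   # report signature this check maps to
    )
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return }        # key or value absent: nothing to report
    $value = [string]$prop.$Name
    [pscustomobject]@{
        Signature = $Signature; Path = $Path; Name = $Name; Value = $value
        Flag      = ($null -eq $Expected) -or ($Expected -notcontains $value)
    }
}

function Get-RunEntries {
    param([string]$Path, [string]$Signature, [bool]$FlagAll)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $cmd = [string]$p.Value
        # Autostarts launched from user-writable directories are the usual malware pattern;
        # policy Run keys are empty on a stock install, so every entry there is flagged.
        [pscustomobject]@{
            Signature = $Signature; Path = $Path; Name = $p.Name; Value = $cmd
            Flag      = $FlagAll -or ($cmd -match '\\(AppData|Temp|ProgramData)\\')
        }
    }
}

function Get-PersistenceFindings {
    $wl   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wlcu = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $sys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $cu   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Modifies WinLogon for persistence: Shell and Userinit are the classic targets;
    # a per-user Shell override under HKCU is absent on a clean machine.
    Test-RegValue $wl   'Shell'    'explorer.exe'                       'Modifies WinLogon for persistence'
    Test-RegValue $wl   'Userinit' 'C:\Windows\system32\userinit.exe,'  'Modifies WinLogon for persistence'
    Test-RegValue $wlcu 'Shell'    $null                                'Modifies WinLogon for persistence'

    # UAC bypass / Checks whether UAC is enabled / elevation behaviour for standard users.
    Test-RegValue $sys 'EnableLUA'                  '1'        'UAC bypass'
    Test-RegValue $sys 'ConsentPromptBehaviorAdmin' @('5','2') 'UAC bypass'
    Test-RegValue $sys 'PromptOnSecureDesktop'      '1'        'UAC bypass'
    Test-RegValue $sys 'ConsentPromptBehaviorUser'  @('3','1') 'Hijack Execution Flow: Executable Installer File Permissions Weakness'

    # Disables RegEdit via registry modification (per-user policy, occasionally machine-wide).
    Test-RegValue $cu  'DisableRegistryTools' '0' 'Disables RegEdit via registry modification'
    Test-RegValue $sys 'DisableRegistryTools' '0' 'Disables RegEdit via registry modification'

    # Impair Defenses: Safe Mode Boot. A changed AlternateShell runs in "Safe Mode with Command
    # Prompt"; new subkeys under SafeBoot\Minimal and \Network need a diff against a baseline.
    Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot' 'AlternateShell' 'cmd.exe' 'Impair Defenses: Safe Mode Boot'

    # Adds policy Run key / Adds Run key to start application.
    foreach ($hive in 'HKLM', 'HKCU') {
        Get-RunEntries "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" 'Adds policy Run key to start application' $true
        Get-RunEntries "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"                  'Adds Run key to start application'        $false
    }
}

Get-PersistenceFindings | Where-Object Flag | Format-Table Signature, Path, Name, Value -AutoSize -Wrap
```

The script only covers the HKCU hive of the account it runs under; for other profiles load the user's NTUSER.DAT with `reg load` and point the HKCU paths at that hive. Drop the `Where-Object Flag` filter to see every value read, including the ones that matched the assumed baseline.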

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
    "C:\Users\Admin\AppData\Local\Temp\cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4764
    • C:\Users\Admin\AppData\Local\Temp\ciqtxkl.exe
      "C:\Users\Admin\AppData\Local\Temp\ciqtxkl.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:3696
    • C:\Users\Admin\AppData\Local\Temp\ciqtxkl.exe
      "C:\Users\Admin\AppData\Local\Temp\ciqtxkl.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • System policy modification
      PID:4756
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\jknlksosrtgdkshrivtuxvuc.cbd

      Filesize

      280B

      MD5

      450787c53cf46966257d226c42ea3f55

      SHA1

      2b2ab03b9764da6764acc2c38341d863577404d9

      SHA256

      c77ae7f7af1e6b2ace77ff03dea76e66d2dcab14e609694e55d7af5e93b348f4

      SHA512

      7d71f0a17712e2cf625913d5b5d497a9b3b1532e4df04a998ef170dd4968331a31f8423a9eabfb6e157235c60c69c0adcb6bed95f2bd42499237a50d456ff2ac

    • C:\Program Files (x86)\jknlksosrtgdkshrivtuxvuc.cbd

      Filesize

      280B

      MD5

      52f9d72ab2440758db081d5d7eb82c17

      SHA1

      5a557dcb09fe587b6ec4bd8b36e656d6ae0094a3

      SHA256

      c0ddac4b64f9da3378c452544ad57f4c6b17484d8b850d6c3bf6cab0eccde629

      SHA512

      6a71ac914b69215c889182fd155fea1793bef2a2c9781600ae570e9d6c8fd372c017bba84fe76a44f2becb1a80b36fc92210bbdb2faa56e4acb98f91991d9017

    • C:\Program Files (x86)\jknlksosrtgdkshrivtuxvuc.cbd

      Filesize

      280B

      MD5

      3cb8f25f4da9da372423f9128067b922

      SHA1

      fdf30780dfa61233b87981b373ba0c73735d8a49

      SHA256

      0baf4652b2fb353a711321dbaa9e8144ca1de25c895dd0d5bbbfbb4fe64351f2

      SHA512

      6e5490a8e4b6c9d1040953484b800a3d5a9b2da1ead6e696f97e694cb9c0b5899ca1417740c576b205f1772d0655feb83cfa59cbe402d976883b91f46994bcfe

    • C:\Program Files (x86)\jknlksosrtgdkshrivtuxvuc.cbd

      Filesize

      280B

      MD5

      bd3ab7e8a4e3a02cb7f2e12263e68d02

      SHA1

      a3499c2d56aeecc2d739ce2cbe11cdaa9bc7d081

      SHA256

      99232601ef361804cbd5654dfbebe9ec4000176d1f6514b98bd9e182d00752e4

      SHA512

      dfc5673333bfe75f27d6111f32b4eb0ce9a050c91e1450c1339abe591d736ef136101bb2fb6fecc10c25ef059f0d95871b1e5d71914f1926a3a0294ace0b58f4

    • C:\Program Files (x86)\jknlksosrtgdkshrivtuxvuc.cbd

      Filesize

      280B

      MD5

      3312132d871b6cf3169b2adc23078379

      SHA1

      f2fb8766e6ff83f1fa28bc0b663ba7bd18c39548

      SHA256

      b6ef2e0f3cd5a18da2e20385e8e074ec0354355470cf31761241bb966e634b3c

      SHA512

      37ec505a28ed2efa160fcfb1bf6b96707ce015dfa12d7b7980ef8109ba4d002da619fe7d73237e5bc166de41511cd779900d1acfe11474db234a846e8021fe1f

    • C:\Program Files (x86)\jknlksosrtgdkshrivtuxvuc.cbd

      Filesize

      280B

      MD5

      783e2ce3a3496e2c31b7662bf5aadec4

      SHA1

      573acd7bd29e7d2b4937fcbcabbafb236c656b36

      SHA256

      52209f64b606e851e08c0169b7c91a46975165d4f7af789b60da0fffc45f58b5

      SHA512

      558424d71d6137a264bcfff42986bc74b2ba104091c4a554877a5e325a610ad4926a2de7c8669020c41b15d819b8e91ee8c0c1450a710c7a4d12672fbd26efea

    • C:\Users\Admin\AppData\Local\Temp\ciqtxkl.exe

      Filesize

      4.3MB

      MD5

      432ee835a825ef19ed8b9a869acc5340

      SHA1

      22549c4211842524e5ba61ab38e657ba78d1d048

      SHA256

      6f41a55aea6439053091597f04f3c4ff4b2cf20df7a079f6ecfbd73d7a7c1400

      SHA512

      5db076051034fe0a9d70b11b74294759e17b43292e9e58e265666aa5e95effbd735d84cb6069a5f7dc2890ef61c1c3b6d3ab0024f35016245ad88905e41eceeb

    • C:\Users\Admin\AppData\Local\jknlksosrtgdkshrivtuxvuc.cbd

      Filesize

      280B

      MD5

      ef5bece1c90a5ee8e708239275f42964

      SHA1

      454ef671ab0692ad411189ecf5e46d6d9778e74b

      SHA256

      5109fe67be4ada499932c7a9ae3373510b555f3baba0ea13ab68b2306ff0aa04

      SHA512

      a6c36c1eb008c9b61f8404887303e261fe0ee4807e016c4a4df1797f8ae3dbae15b41398a57a20837b306ee53d4bfe6f5f8f7f66defe377ac9e2315305f9b69f

    • C:\Users\Admin\AppData\Local\sesblelakxvdvoojljsesblelakxvdvoojl.ses

      Filesize

      4KB

      MD5

      fac71649c3ac0652e63c6d932c0a1ef4

      SHA1

      4ce033670bfc61b052519be2345cbe6dafa330f9

      SHA256

      cbe781b22d27ee0a28b5fe25b394dd46cbc9ec2debd7908dbca0920983aa0bcd

      SHA512

      f51f38591850ab735a6a99d1fbbf67988ae342b9883c6a9324bb605a058a7ad2b3e52808cb4a6babcabe9a8eaa230d3f828e05d7869c7e3335825908eaedda64