Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
34s -
max time network
36s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
03/10/2024, 01:02
General
-
Target
GAOMONTabletInstall_16.1.0.111.exe
-
Size
49.5MB
-
MD5
0d480144a0c8ebb96304e2c95dad03bc
-
SHA1
cc55fb3b096266cf067a37b122757093f9aed5cd
-
SHA256
f69f9449e05536500c3b61499a24681193e567a7f5b8fd04359f185d0dbe1f37
-
SHA512
a6b10f118e5de032c5cedba7c92defed33c59fb25902af9065044b7007e6c1849441c7e5fe45b8b72362642aa903481a63d2444b9ff434a4ed4663596ef44c1b
-
SSDEEP
1572864:Rn8V5vEOT3wn2PibPd5QabnN1wb8qefY89nSv:CPEMjevHzjlSv
Malware Config
Signatures
-
Drops file in Drivers directory 9 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 30 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 22 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 21 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 6 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\GAOMONTabletInstall_16.1.0.111.exe"C:\Users\Admin\AppData\Local\Temp\GAOMONTabletInstall_16.1.0.111.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WintabTerminator.exe"C:\Users\Admin\AppData\Local\Temp\WintabTerminator.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\GAOMONTablet\driver\sha1\HID\amd64\devcon.exe"C:\Users\Admin\AppData\Roaming\GAOMONTablet\driver\sha1\HID\amd64\devcon.exe" INSTALL vmulti.inf gaomon\tablethid2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\GAOMONTablet\GAOMONTablet.exe"C:\Users\Admin\AppData\Roaming\GAOMONTablet\GAOMONTablet.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\GAOMONTablet\TabletServer.exe"C:\Users\Admin\AppData\Roaming\GAOMONTablet\TabletServer.exe" Json={ \@AdUrl\@ : \@https://www.gaomon.net/plus/driver_banner.php\@, \@BrandName\@ : \@GAOMON\@, \@CfgWndMark\@ : \@GAOMONWndMark\@, \@DataPath\@ : \@C:\\Users\\Admin\\AppData\\Roaming\\GAOMON\\data\@, \@ServerUrl\@ : \@https://www.gaomon.net\@, \@WndProp\@ : \@GAOMONServer\@, \@WndPropValue\@ : 19810815 } JsonEnd3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\GAOMONTablet\TabletDriver.exeJson={ \@BrandName\@ : \@GAOMON\@, \@CfgWnd\@ : 589852, \@CustomerCode\@ : [ \@GM001\@, \@OEM02\@ ], \@DataPath\@ : \@C:\\Users\\Admin\\AppData\\Roaming\\GAOMON\\data\@, \@LangName\@ : \@English\@, \@UIAppPath\@ : \@C:\\Users\\Admin\\AppData\\Roaming\\GAOMONTablet\\GAOMONTablet.exe\@, \@WndMarkValue\@ : 1981 } JsonEnd3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{31274fa8-2430-4ab7-4e3f-35541d0b0a5c}\vmulti.inf" "9" "6a6f1639b" "00000000000005B4" "WinSta0\Default" "00000000000004BC" "208" "c:\users\admin\appdata\roaming\gaomontablet\driver\sha1\hid\amd64"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem2.inf" "vmulti.inf:Vendor.NTAMD64.6.1:vmulti.Inst.Win7:7.1.7610.16485:gaomon\tablethid" "6a6f1639b" "00000000000005B4" "00000000000005A8" "00000000000005E0"1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "HID\tablethid&Col01\1&2d595ca7&0&0000" "" "" "61702cfa7" "0000000000000000" "00000000000005F8" "0000000000000618"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "HID\tablethid&Col02\1&2d595ca7&0&0001" "" "" "6d952b023" "0000000000000000" "000000000000061C" "00000000000005D0"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "HID\tablethid&Col03\1&2d595ca7&0&0002" "" "" "69ba290a3" "0000000000000000" "0000000000000638" "0000000000000634"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "HID\tablethid&Col04\1&2d595ca7&0&0003" "" "" "65df2711f" "0000000000000000" "0000000000000650" "000000000000065C"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\newdev.dll,pDiDeviceInstallNotification \\.\pipe\PNP_Device_Install_Pipe_1.{3c5d0d91-913f-40e3-a760-7662a6c0254a} "(null)"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
449KB
MD5ff5771a0cbc52d670cd12429180ef92d
SHA18ef0c2d8256c63bd4bfdc21e83ebd1ce5ca54c53
SHA256d9f70829539ba953b309787677b16a8064548f090d9667e1beb085446c6cf20f
SHA51237fa8950a444c8b27ca1213330b856ae731517b77bb6afa184ad2edaf234e946432d91b6ebab5df904dac58122b97d77111987157be21b0e1c883d8efc9dcb5a
-
Filesize
3.9MB
MD59ffb265983d1d98c492e5373b591beec
SHA196455eeefa01c822c1696bfddfb98530b09e77dd
SHA25679ea99118d1983a2efbbedab3dcdd28838942e88338d3c2143fffc3808ebf9a7
SHA51206942d44b1aacf3a2993b415ab1b72f2bf7f129cde3109e9295ca0d5b7b7cdd537697aae3afbdf45b4bba5f3908a9dc6641a25b6d677fa680a3c0a0138422d4c
-
Filesize
1.5MB
MD5f87a6686f977d0a68ffac3534a817681
SHA10ff0471aacd27b5a5f4bef975310ce7b8b222241
SHA2566fc17740be8436a93b8521b2ad4626e558e1d7ab6a55b481201ecf147efd4d84
SHA512309828f774d2b682eef875d779c7023531955f7e8876190a4fe52e31ea466c60589e8146b36dfb977142addc355b1d64d910ed514be062858a19722190154f3a
-
Filesize
90KB
MD59c166fb427f4e8f05ab6830777c84f30
SHA14ca087b386715058c6c826b20e74ec675ea282c6
SHA2560bf8db1459e5196890a742da143f10597f370bed798d12dcf6b53a8846bd101b
SHA512045bfa32a0bc3c53cbf9aea6d7a4b39f7056d352aec909c96faff93d5ff43f22e2dd3ff686ca500b324e32d1c04b90b806a01fdd883edf4b96bc5257d27b1688
-
Filesize
324B
MD55aa2e80942b5b9e0222744af2578e458
SHA1062bcff61a0921ef5f9dc7f92e6291252384132d
SHA256d2edc79669e9bed6b7a4d015219fbdd35a4ad0d5fb44e8d532a481c1348ad30d
SHA512eee17548a72fbf85b555208b54c8fc11a71e8fe07d450d4ba794bfd2acfc9ccd691f18e97b5e25e5853cc4e4cc89795b19ba324a18f15465c1d609b082a0d246
-
Filesize
8.7MB
MD50e20a467bfcc0a2ee927f4247b3cf447
SHA1c17cc6a88e928104bc17183108cbd83c1744a057
SHA256628b6ddc60c9b703086f51a7297790006a41bc3a419d08ba6873f38a7b32e243
SHA5129112d89fc52d81932a9dde613d3926289673bcb66fec7f3eed2419383736c87ed3777d8369e0939509763cdd30628aae8a65620b4d67b92d1dc7bff9218bcc73
-
Filesize
4KB
MD56687d8ad7249deb46dff506095fa550d
SHA117c1c28d86167114be6a3b18fe52a415cf57c67c
SHA2562ab84de4df5c62e808c90bf6a9441787c87619dd1a41951cabbd6b933a7e070e
SHA5123fff2317fe959f76dd6b45e2e52f46f8750185d1f6be63f06ca36b1b4b6d7c65758c84d1aeaa74aa5018d2a5ab89f2cfaaf6b7d27b2045d4b71cf66f34c9cfbc
-
Filesize
4.8MB
MD529eb82a065a7bfc50f5d18f630c016e3
SHA16059f09dae687fe6c419aa6878fe39b98e782cf8
SHA2566f1dea288f355a235ffe3bcd246dab51540896480a68a83cd2aafe9f640f04f8
SHA5126eb47be6cdaa6763ab9a1ea7e7f556ca670f492943fbc71c237b6e981d1a86f6d70d59d1f0d21590be66a696b4ca646bde3a31c8593178f10fd6dd87e3a0dfa7
-
Filesize
167KB
MD59d7f5669d6088374150a462c3a372a8b
SHA1679965a22a07160c1375003f6e821935caf5420a
SHA25689ce63938ac74ab1907a33db87eeb77b15afc84690655328380fb9e23abbcdc5
SHA51207bf8a08b37857c9b91ff79a7933de6eea43cdedb1d50469de056d14ed7ae878b864f5938a4f5a26af543552808b33229a0e48b87676feaf9a39561093cbd3db
-
Filesize
10KB
MD5ef10bf14b3ddf4b7bbfcd94a6c81fb92
SHA16485d53b089908076667894b43c89cf989313971
SHA256dc870b77b0af934ef4c68eef9aae34bd57d0a9f18c97244eafbcb1ed154f19fd
SHA51235af653ee9d8abaded2ad819be59273142d301b856506d62bcbab885f844a7bb3cb90de48e7720c4dee68dcf90e2bea45fb122870faafa31978c90098458e2aa
-
Filesize
1.4MB
MD5091b8fd39d2ebe5a0effe035fde70ae7
SHA1e2d78a77dcd0e98080737f90920c8ed56399a58c
SHA256586fcecd989a99954c1ed8b8970e7be91aab39afdc0d9af04bf6ad9e8a9880f4
SHA512e227bb67d05971b2fe17d868446ca7bd403f69053b413b47f22ba4db6929617f00b68940e78eef628843aef2436a4d823d6026878b7c2c568767ec21e8743827
-
Filesize
1.4MB
MD5ca00578ac7b0be576f3802b04061100d
SHA1abcad6ced72669c19974acd4b60ad3bc1c2a8df3
SHA256fed1fe8a7274fe6231a6cd0bf0112ad626ec7eced35a9469c4c4bf499215686c
SHA512b96a13bdde2c432a0e1a7d4d705f40afa3e5c9df8dce3111d69b8e01542a6dc53763a25bd34aaff6deff96bfdef4492da1ed50dea1ca5f1b4d2715356d01b395
-
Filesize
16KB
MD52086903f3ade4233450aa5f5bfb897c5
SHA13bb8090b76c56ef47a30342097da5346bab6dab4
SHA2566a5bd2b11d465dadc8fa9cc4f5984789f803cf2d0adb70677e283c69edfbe327
SHA512d482ec52db81b1a34f8ba7cc1c7664b1412e52875ca75fd1b46ca4952910f99471d1771c3612b46b4ee1ec6e9dcd317596d22c46a213b88412639631ff61fc1d
-
Filesize
19KB
MD5347e25bbf78b2e9cc4f4205941591009
SHA1b2630d41fc3c02c6d8472ed3cedbb7af704892a7
SHA25634a92b9b03d43f0245ac3c91f35abb9bebfa6ec494adc26643dfdb72a01c7c64
SHA512b250511eee830752900f014ef9500f17de3a82949d3a12f028307e9c9db98d55fff418b4ff4beee8e9d65835ee99c1762af17f40f0cabd44f33a8769314e9181
-
Filesize
9KB
MD551a02e393870b7d06d0439b99af611ee
SHA1badf559071fa394f4b0d07aa0d15fc583f3b64e0
SHA25617cbf003bc69904c131a3de3c011985e01905a997de0fba56f635af356256eea
SHA512cc7eb18029860aa9b3b278edc935b313e100377b8deb1120bfef5e873fc44af46bc9409362ed7bbd5f847de992ff181b3497d2d61fd5c2fedc6ee77bc9ec039b
-
Filesize
4.1MB
MD563329e3af07706d5cd4be138e676d035
SHA13ed6248f15c06d36f154fcae69f855ed570468d7
SHA256663417749929c5355f80cd3afaebf043be409b53333ab56d250ec7797b214dd4
SHA512a8b477dde5494d47b5a2f2b3c8d900ed6ce65fa6e03750b0b527aa9713e4b07abf55ad1503b539a4f7fcce315d018e4ef9b8d79fb5ca33e920f36b9c42dd8fe5
-
Filesize
802KB
MD52b8eb7477f677e4fd775e284801895e2
SHA1da610e9054d2d84aa64e2788e2625d2430fc3b58
SHA256308a584b07a6f258f1efae1a52e3d66d7dd61602b69fa76414698c22762265a4
SHA512d908080dcefd40111c8468c0ce425556172c09b7e56759cf87521fda482378da7fde0dfc821297098ebaefec3c5fa10b2aaecade6cea4f1f166b0fb5298a421e
-
Filesize
3.9MB
MD52a142f60eb3477686ba4b91d13ae7915
SHA143f08886094619529f20189ae9e6447330b84ed8
SHA25683b3358a0b97c86e6f445b76979b29997fd46e59484deae94016054c90501fd2
SHA512d4ee2cf724b9d5e3ff9ffd074852e0e73d7772ede01b826f42e6feee79a9d555071051e19176781518272644f23555e20b0997e7c55c4a9f875e19dd2377e77e
-
Filesize
2.8MB
MD51e9749fcae6c06e934ee25ef3d591c76
SHA1972527b65790aac678942521338ed16d733e79bb
SHA2560b70615905a9e06220cf3c2ec7d332c525ad35ad2fe5de5c9df748cb201889fd
SHA51215bbc31badae3da2e99ace29f5777ac7168c114eab6e6ab82e0cbf4d01f32a0102374106959711a76d3333a49de5d1c5da18ca5ceeca0a885b90bc4f273f964b
-
Filesize
84KB
MD5133ff13ab810d0c34f521ef8f4d9f64a
SHA1d7155e9290b857e50b02e8549fe0215082ac9d2d
SHA2567db889803f5f678e1c9c7155c3e35f0c812cc88e3e436b67ad516b84548fb303
SHA512f2fec06e9a9da2c4523ca84ec0d455e74b632f3f22c10cadf0f6c57de534974bed2d03606b05341d13c8340f69e834bb1ed89a39770119228762b5c220c38459
-
Filesize
12KB
MD57270ae3f5f477f93475d32f18ff79224
SHA16a15525f53e17b467ab2ee60205750abf708df2e
SHA256ccdf71471fb23a438238b29b42a3f1bd5526bc787bfa45a6919e4ac65109d516
SHA5124acb021678229f17ee11df96ead4b9dd034ed26649150ea2d279953e5b665b728bbe2eb8d18716c3f9a19d1ac59b4d688788128a699a0324bfa52c11749d8e4d
-
Filesize
104KB
MD5a2a7eb81a7fac15406eb35e150f3be44
SHA198dae7304358d4162cb553184e0900b5df1f7772
SHA2564dbdbe1c41178a2cf19287c193623a82f42e9c2423247ec06cd92b867302da95
SHA5129d76af983934ba29412482ab443230ef9eb50c20e568d8503a1d588bb647c8b35372d99d3764c67191a1195c96573fb093969bccebe3c0f9937af95e8fa2ac55
-
Filesize
140KB
MD5703c516f8848acd479954c83e9508114
SHA17912ca17ef5fbe8e4b27f69cf9d7e4732bee4736
SHA25698a7c6d0a7127e4ce2f8764e052cadba3f4dcb4e02ca1e5b35b26f457c986588
SHA512718219fc402e3c3d02cdb97c34baf372a89e6ddf00a0676fd18c259d5a6328ad7499eabd97e2f3983fb298df2eb131199c3eec47f5902566cf696ede13fc72df