Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

GAOMONTabl...11.exe

windows7-x64

8

GAOMONTabl...11.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    30s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2024, 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GAOMONTabletInstall_16.1.0.111.exe

  • Size

    49.5MB

  • MD5

    0d480144a0c8ebb96304e2c95dad03bc

  • SHA1

    cc55fb3b096266cf067a37b122757093f9aed5cd

  • SHA256

    f69f9449e05536500c3b61499a24681193e567a7f5b8fd04359f185d0dbe1f37

  • SHA512

    a6b10f118e5de032c5cedba7c92defed33c59fb25902af9065044b7007e6c1849441c7e5fe45b8b72362642aa903481a63d2444b9ff434a4ed4663596ef44c1b

  • SSDEEP

    1572864:Rn8V5vEOT3wn2PibPd5QabnN1wb8qefY89nSv:CPEMjevHzjlSv

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Drops file in Drivers directory 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 27 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 6 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 62 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Control Panel 6 IoCs
    evasion
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GAOMONTabletInstall_16.1.0.111.exe
    "C:\Users\Admin\AppData\Local\Temp\GAOMONTabletInstall_16.1.0.111.exe"
    1⤵
    • Adds Run key to start application
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Local\Temp\WintabTerminator.exe
      "C:\Users\Admin\AppData\Local\Temp\WintabTerminator.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1928
    • C:\Users\Admin\AppData\Roaming\GAOMONTablet\driver\sha256\HID\amd64\devcon.exe
      "C:\Users\Admin\AppData\Roaming\GAOMONTablet\driver\sha256\HID\amd64\devcon.exe" INSTALL vmulti.inf gaomon\tablethid
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:3112
    • C:\Users\Admin\AppData\Roaming\GAOMONTablet\GAOMONTablet.exe
      "C:\Users\Admin\AppData\Roaming\GAOMONTablet\GAOMONTablet.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4348
      • C:\Users\Admin\AppData\Roaming\GAOMONTablet\TabletServer.exe
        "C:\Users\Admin\AppData\Roaming\GAOMONTablet\TabletServer.exe" Json={ \@AdUrl\@ : \@https://www.gaomon.net/plus/driver_banner.php\@, \@BrandName\@ : \@GAOMON\@, \@CfgWndMark\@ : \@GAOMONWndMark\@, \@DataPath\@ : \@C:\\Users\\Admin\\AppData\\Roaming\\GAOMON\\data\@, \@ServerUrl\@ : \@https://www.gaomon.net\@, \@WndProp\@ : \@GAOMONServer\@, \@WndPropValue\@ : 19810815 } JsonEnd
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2812
      • C:\Users\Admin\AppData\Roaming\GAOMONTablet\TabletDriver.exe
        Json={ \@BrandName\@ : \@GAOMON\@, \@CfgWnd\@ : 459400, \@CustomerCode\@ : [ \@GM001\@, \@OEM02\@ ], \@DataPath\@ : \@C:\\Users\\Admin\\AppData\\Roaming\\GAOMON\\data\@, \@LangName\@ : \@English\@, \@UIAppPath\@ : \@C:\\Users\\Admin\\AppData\\Roaming\\GAOMONTablet\\GAOMONTablet.exe\@, \@WndMarkValue\@ : 1981 } JsonEnd
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3520
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{b5843082-bdb4-d043-aaef-5c8663fe99ac}\vmulti.inf" "9" "4a6f1639b" "000000000000013C" "WinSta0\Default" "0000000000000148" "208" "c:\users\admin\appdata\roaming\gaomontablet\driver\sha256\hid\amd64"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:3880
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:b2fe4818b67bbc5d:vmulti.Inst.Win7:7.1.7610.16485:gaomon\tablethid," "4a6f1639b" "000000000000013C"
      2⤵
      • Drops file in Drivers directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:1236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WintabTerminator.exe
    Filesize

    4.1MB

    MD5

    63329e3af07706d5cd4be138e676d035

    SHA1

    3ed6248f15c06d36f154fcae69f855ed570468d7

    SHA256

    663417749929c5355f80cd3afaebf043be409b53333ab56d250ec7797b214dd4

    SHA512

    a8b477dde5494d47b5a2f2b3c8d900ed6ce65fa6e03750b0b527aa9713e4b07abf55ad1503b539a4f7fcce315d018e4ef9b8d79fb5ca33e920f36b9c42dd8fe5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GAOMONTablet\DuiLib.dll
    Filesize

    802KB

    MD5

    2b8eb7477f677e4fd775e284801895e2

    SHA1

    da610e9054d2d84aa64e2788e2625d2430fc3b58

    SHA256

    308a584b07a6f258f1efae1a52e3d66d7dd61602b69fa76414698c22762265a4

    SHA512

    d908080dcefd40111c8468c0ce425556172c09b7e56759cf87521fda482378da7fde0dfc821297098ebaefec3c5fa10b2aaecade6cea4f1f166b0fb5298a421e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GAOMONTablet\GAOMONTablet.exe
    Filesize

    3.9MB

    MD5

    2a142f60eb3477686ba4b91d13ae7915

    SHA1

    43f08886094619529f20189ae9e6447330b84ed8

    SHA256

    83b3358a0b97c86e6f445b76979b29997fd46e59484deae94016054c90501fd2

    SHA512

    d4ee2cf724b9d5e3ff9ffd074852e0e73d7772ede01b826f42e6feee79a9d555071051e19176781518272644f23555e20b0997e7c55c4a9f875e19dd2377e77e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GAOMONTablet\TabletDriver.exe
    Filesize

    3.9MB

    MD5

    9ffb265983d1d98c492e5373b591beec

    SHA1

    96455eeefa01c822c1696bfddfb98530b09e77dd

    SHA256

    79ea99118d1983a2efbbedab3dcdd28838942e88338d3c2143fffc3808ebf9a7

    SHA512

    06942d44b1aacf3a2993b415ab1b72f2bf7f129cde3109e9295ca0d5b7b7cdd537697aae3afbdf45b4bba5f3908a9dc6641a25b6d677fa680a3c0a0138422d4c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GAOMONTablet\TabletServer.exe
    Filesize

    1.5MB

    MD5

    f87a6686f977d0a68ffac3534a817681

    SHA1

    0ff0471aacd27b5a5f4bef975310ce7b8b222241

    SHA256

    6fc17740be8436a93b8521b2ad4626e558e1d7ab6a55b481201ecf147efd4d84

    SHA512

    309828f774d2b682eef875d779c7023531955f7e8876190a4fe52e31ea466c60589e8146b36dfb977142addc355b1d64d910ed514be062858a19722190154f3a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GAOMONTablet\UpDownManager.dll
    Filesize

    84KB

    MD5

    133ff13ab810d0c34f521ef8f4d9f64a

    SHA1

    d7155e9290b857e50b02e8549fe0215082ac9d2d

    SHA256

    7db889803f5f678e1c9c7155c3e35f0c812cc88e3e436b67ad516b84548fb303

    SHA512

    f2fec06e9a9da2c4523ca84ec0d455e74b632f3f22c10cadf0f6c57de534974bed2d03606b05341d13c8340f69e834bb1ed89a39770119228762b5c220c38459

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GAOMONTablet\WintabMapMode.ini
    Filesize

    324B

    MD5

    5aa2e80942b5b9e0222744af2578e458

    SHA1

    062bcff61a0921ef5f9dc7f92e6291252384132d

    SHA256

    d2edc79669e9bed6b7a4d015219fbdd35a4ad0d5fb44e8d532a481c1348ad30d

    SHA512

    eee17548a72fbf85b555208b54c8fc11a71e8fe07d450d4ba794bfd2acfc9ccd691f18e97b5e25e5853cc4e4cc89795b19ba324a18f15465c1d609b082a0d246

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GAOMONTablet\data.rs
    Filesize

    8.7MB

    MD5

    0e20a467bfcc0a2ee927f4247b3cf447

    SHA1

    c17cc6a88e928104bc17183108cbd83c1744a057

    SHA256

    628b6ddc60c9b703086f51a7297790006a41bc3a419d08ba6873f38a7b32e243

    SHA512

    9112d89fc52d81932a9dde613d3926289673bcb66fec7f3eed2419383736c87ed3777d8369e0939509763cdd30628aae8a65620b4d67b92d1dc7bff9218bcc73

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GAOMONTablet\driver\sha256\HID\amd64\devcon.exe
    Filesize

    97KB

    MD5

    9c8dbdc0f3c9186b7b266ba7bbf28432

    SHA1

    0ea2cadf74cefe5d4a2edefe0d7bd1177afa61ab

    SHA256

    59c86b825dd2c76614dfd0c6dec27da8c7c782918efddbc5380b6a27bb314270

    SHA512

    df4c128eb1c3711b17f7ba2ba33afa3c547c3c4f5f6f2e050fbd0a58fcd99e89820530b891cf215576cdaf68a3419fbf33f1505a9b44d88569a45d478b580316

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GAOMONTablet\driver\sha256\HID\amd64\vmulti.inf
    Filesize

    4KB

    MD5

    6687d8ad7249deb46dff506095fa550d

    SHA1

    17c1c28d86167114be6a3b18fe52a415cf57c67c

    SHA256

    2ab84de4df5c62e808c90bf6a9441787c87619dd1a41951cabbd6b933a7e070e

    SHA512

    3fff2317fe959f76dd6b45e2e52f46f8750185d1f6be63f06ca36b1b4b6d7c65758c84d1aeaa74aa5018d2a5ab89f2cfaaf6b7d27b2045d4b71cf66f34c9cfbc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GAOMONTablet\mfc140u.dll
    Filesize

    4.8MB

    MD5

    29eb82a065a7bfc50f5d18f630c016e3

    SHA1

    6059f09dae687fe6c419aa6878fe39b98e782cf8

    SHA256

    6f1dea288f355a235ffe3bcd246dab51540896480a68a83cd2aafe9f640f04f8

    SHA512

    6eb47be6cdaa6763ab9a1ea7e7f556ca670f492943fbc71c237b6e981d1a86f6d70d59d1f0d21590be66a696b4ca646bde3a31c8593178f10fd6dd87e3a0dfa7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GAOMONTablet\msvcp140.dll
    Filesize

    449KB

    MD5

    ff5771a0cbc52d670cd12429180ef92d

    SHA1

    8ef0c2d8256c63bd4bfdc21e83ebd1ce5ca54c53

    SHA256

    d9f70829539ba953b309787677b16a8064548f090d9667e1beb085446c6cf20f

    SHA512

    37fa8950a444c8b27ca1213330b856ae731517b77bb6afa184ad2edaf234e946432d91b6ebab5df904dac58122b97d77111987157be21b0e1c883d8efc9dcb5a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GAOMONTablet\vcruntime140.dll
    Filesize

    90KB

    MD5

    9c166fb427f4e8f05ab6830777c84f30

    SHA1

    4ca087b386715058c6c826b20e74ec675ea282c6

    SHA256

    0bf8db1459e5196890a742da143f10597f370bed798d12dcf6b53a8846bd101b

    SHA512

    045bfa32a0bc3c53cbf9aea6d7a4b39f7056d352aec909c96faff93d5ff43f22e2dd3ff686ca500b324e32d1c04b90b806a01fdd883edf4b96bc5257d27b1688

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GAOMONTablet\x86\wintab32.dll
    Filesize

    140KB

    MD5

    703c516f8848acd479954c83e9508114

    SHA1

    7912ca17ef5fbe8e4b27f69cf9d7e4732bee4736

    SHA256

    98a7c6d0a7127e4ce2f8764e052cadba3f4dcb4e02ca1e5b35b26f457c986588

    SHA512

    718219fc402e3c3d02cdb97c34baf372a89e6ddf00a0676fd18c259d5a6328ad7499eabd97e2f3983fb298df2eb131199c3eec47f5902566cf696ede13fc72df

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GAOMON\data\EKeySetting.dt
    Filesize

    167KB

    MD5

    9d7f5669d6088374150a462c3a372a8b

    SHA1

    679965a22a07160c1375003f6e821935caf5420a

    SHA256

    89ce63938ac74ab1907a33db87eeb77b15afc84690655328380fb9e23abbcdc5

    SHA512

    07bf8a08b37857c9b91ff79a7933de6eea43cdedb1d50469de056d14ed7ae878b864f5938a4f5a26af543552808b33229a0e48b87676feaf9a39561093cbd3db

    Download Submit

  • \??\c:\users\admin\appdata\roaming\GAOMON~1\driver\sha256\hid\amd64\WDFCOI~1.DLL
    Filesize

    1.4MB

    MD5

    c156622715b3dbd16f1208179778ae56

    SHA1

    f4097f53553459894fc2520551aba988e5d8c073

    SHA256

    de4b377a87f2468963127dbacc68ab8898baf544365c7f46c8db6d54a191f5ce

    SHA512

    9910ea0ec05b6658b7dbe1d40684d4205d40b5c3938fe59a511e094ba638628c905482dedbb3c943c3ddf9531c8b214d3bb3c7ea09db45a8734d404dbdf6d9f4

    Download Submit

  • \??\c:\users\admin\appdata\roaming\GAOMON~1\driver\sha256\hid\amd64\hidkmdf.sys
    Filesize

    24KB

    MD5

    3bd381bb43d050a3eda2fb56241c7cb5

    SHA1

    12899026ba298e4ed2b4facbd7425a669e500487

    SHA256

    d061993ca2aaf2db4d710f9fa4e71baa1f5b05e24af00523356504342cd366e6

    SHA512

    87dbe632d0f33b28a36ab479c9e9ed77ffb61938c379f49181a00e0e898b8314b251b0984ae8323971f5862e0e41009a37e40fdad16f235f85828c54853fc94e

    Download Submit

  • \??\c:\users\admin\appdata\roaming\GAOMON~1\driver\sha256\hid\amd64\vmulti.sys
    Filesize

    27KB

    MD5

    ef2fe34217064cfcff25a8a0dccd5381

    SHA1

    7a41927e2fb0360493fa5e444760b2be24176ce1

    SHA256

    f803c731843549bb9c135c4ff08233c574770198271e33a1790382c949eebe86

    SHA512

    bb345b99b2a1f95d4fb58741c7cf4ac7b91bc56f14e38a3131336d586f616c9cd5da54e4312c0ce0fc6bf966e9673ea2ed885bbba8c204473887cd71c9c2c3bb

    Download Submit

  • \??\c:\users\admin\appdata\roaming\gaomontablet\driver\sha256\hid\amd64\GAOMONHID.cat
    Filesize

    10KB

    MD5

    491443088b56c96f4da34acd7b13c7df

    SHA1

    abe55a1629dc26c1a0f79868925cc6d7b1be0483

    SHA256

    21a0fa5eaff366872ddcf8468584c886e30ae9263a431147450fc5c56b32415b

    SHA512

    6208cf7b435e52dc057a71191d677fc15650fc9680e4b6ea5da25bf58dd3631d0e0e2c57bd560f8ecf8aeefe19e829bf002c2c0d93ab2495411b37e785bd47d1

    Download Submit