Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2024, 01:56

General

  • Target

    ad74981909d69f775885e19a1040435e3b8afe73b4a1e5d35861d502bfed8da4.exe

  • Size

    1.9MB

  • MD5

    0feb901e23751d111fc025ab2be3c2f5

  • SHA1

    38f8d59ab5dfb96e4070bd9ec269d2904c6a3a76

  • SHA256

    ad74981909d69f775885e19a1040435e3b8afe73b4a1e5d35861d502bfed8da4

  • SHA512

    34fc5fdf243d0fff3287110bc8d109db83ccb88e7189e87ee8d27784826cf5267b22b45fec035f25677e75b41d7993a6e5b2884cff0e0abf8073150c20e081ec

  • SSDEEP

    24576:2TbBv5rUyXVPr3aJEs7H+rhar+lA7ukc7t6vysCpz4FcJFrkQwuQjkmJQep9si:IBJPcziJG7WBnpz4FcJFAQ7Qjkmpt

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad74981909d69f775885e19a1040435e3b8afe73b4a1e5d35861d502bfed8da4.exe
    "C:\Users\Admin\AppData\Local\Temp\ad74981909d69f775885e19a1040435e3b8afe73b4a1e5d35861d502bfed8da4.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4392
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Comreview\Qw0tHfZvOOTSlGqzwIZkbCqou.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Comreview\xzc6xIPiK2QcF9omfs2cgzMNBzTbcN2A.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:948
        • C:\Comreview\comagentIntoHost.exe
          "C:\Comreview/comagentIntoHost.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2324
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2680
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\MsEdgeCrashpad\reports\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Comreview\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:964
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\upfc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2132
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Comreview\comagentIntoHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4704
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qz4TJeY3zs.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2128
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:4572
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1216
              • C:\Comreview\comagentIntoHost.exe
                "C:\Comreview\comagentIntoHost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:2544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4252
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:724
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2840
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2860
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Comreview\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Comreview\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2288
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Comreview\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2168
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1688
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4980
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3840
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "comagentIntoHostc" /sc MINUTE /mo 10 /tr "'C:\Comreview\comagentIntoHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "comagentIntoHost" /sc ONLOGON /tr "'C:\Comreview\comagentIntoHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "comagentIntoHostc" /sc MINUTE /mo 8 /tr "'C:\Comreview\comagentIntoHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3464

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Comreview\Qw0tHfZvOOTSlGqzwIZkbCqou.vbe

      Filesize

      219B

      MD5

      ac093ca116acc51ba40b2b3081f2e2d1

      SHA1

      475fe450bb2488cea9ac65ad2473590f80f2a74a

      SHA256

      75f4cac8fd0f9f5f0e9123f2b487677829869f8ea3fb85b7fbf7c200ecbfa09b

      SHA512

      fd6c6d57a32a6a3f548478f2e75ebc29d90f3a14c6334ad9a7220b575f3bb2463453291d85bd27cce2327ea497908073d223286eec2dccc17e462de85c34218b

    • C:\Comreview\comagentIntoHost.exe

      Filesize

      1.6MB

      MD5

      0546ed90d4fbdd0ff7b740416c43fa6c

      SHA1

      458e078a8a89719ba4878940ee02cc910db6aaed

      SHA256

      abf5bf66710499fd2dcd8a2988fb3d1732884f94b258b1194bf408d27ba64478

      SHA512

      868f4a81f0a3a0440b17bcf88014232b0346bb154d3104eb71313b93d411b60f6539e0f64df2c05d2e499551f6afc7109fea9c0aaec15414a35a29c6f99cf829

    • C:\Comreview\xzc6xIPiK2QcF9omfs2cgzMNBzTbcN2A.bat

      Filesize

      75B

      MD5

      0fa861c32e296c754cde4279c23f50f3

      SHA1

      24e6bbb293e6c5a0c76380822c16f8dc842aea14

      SHA256

      203b4c404243dae8afa1770d93ba78de73ed932b6843607e2981eecc77cb1839

      SHA512

      a9a3893262648bbbead1137fa05d884dabd8adca6406db5c12d24e741cac8eecfa2e356f5ea7194b7281a39bd5c17e4204aa57d97dd62df89d0d8750745b1569

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\comagentIntoHost.exe.log

      Filesize

      1KB

      MD5

      4ef3ab577fdbd5c7dd815e496ecd5601

      SHA1

      8dd86865a8e5f1c4c77a21cc2b26cc31e8330ad8

      SHA256

      72a639b0e0027ca8e0bb9d3cbd12b56797c431a9171acaea9217aff387961964

      SHA512

      ffe35302cf9922fb22d681c989162a46220b949b5dcaf076eadb1ced347ff0b7a77421ce6ee06514faf9c5364e2094f5a2ec239a537c28c88d32e21262501c9d

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      d28a889fd956d5cb3accfbaf1143eb6f

      SHA1

      157ba54b365341f8ff06707d996b3635da8446f7

      SHA256

      21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

      SHA512

      0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      62623d22bd9e037191765d5083ce16a3

      SHA1

      4a07da6872672f715a4780513d95ed8ddeefd259

      SHA256

      95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

      SHA512

      9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      6d3e9c29fe44e90aae6ed30ccf799ca8

      SHA1

      c7974ef72264bbdf13a2793ccf1aed11bc565dce

      SHA256

      2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

      SHA512

      60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      2e907f77659a6601fcc408274894da2e

      SHA1

      9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

      SHA256

      385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

      SHA512

      34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o1p0dpg2.vth.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\qz4TJeY3zs.bat

      Filesize

      161B

      MD5

      00538399591b3945aab7e7fb298027af

      SHA1

      3e345eb72d6600ea195513d8d3faaa0a535edbf2

      SHA256

      44708f6b5226a15caaba231db2b42f550ddbfc77730732ebcd8ec97cecb87806

      SHA512

      f8181566d3b120fa43c6f3fb6cdfca85f8d3ef138a4e414ecf94c7bc61bc1f62649ff5c13f03fcc98ead964467e3e0a2c8cf5bbdd82411e8213ec67419987e07

    • memory/2324-13-0x0000000000100000-0x00000000002AA000-memory.dmp

      Filesize

      1.7MB

    • memory/2324-80-0x0000000002430000-0x000000000249B000-memory.dmp

      Filesize

      428KB

    • memory/2324-17-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

      Filesize

      48KB

    • memory/2324-15-0x0000000000B90000-0x0000000000B9E000-memory.dmp

      Filesize

      56KB

    • memory/2324-12-0x00007FFBED503000-0x00007FFBED505000-memory.dmp

      Filesize

      8KB

    • memory/2544-108-0x00000000029C0000-0x0000000002A2B000-memory.dmp

      Filesize

      428KB

    • memory/2680-42-0x0000024D75A60000-0x0000024D75A82000-memory.dmp

      Filesize

      136KB