Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

999网址导航.htm

windows7-x64

3

999网址导航.htm

windows10-2004-x64

3

SkyDriveSetup.exe

windows7-x64

7

SkyDriveSetup.exe

windows10-2004-x64

7

�...��.htm

windows7-x64

3

�...��.htm

windows10-2004-x64

3

Analysis

  • max time kernel
    93s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/10/2024, 23:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SkyDriveSetup.exe

  • Size

    4.9MB

  • MD5

    6961f3aec7f861c65091b8fb35086561

  • SHA1

    e3b0fb8d929898ad342002afa28cc265194efe90

  • SHA256

    cc9d7f28a00c0782658cfa90cfa69baebbb056d1838011f30782d2e96e2979fb

  • SHA512

    e0fb908d916647e0297e272ec1428f6b70e4538bfdc2e8a99f45308e3d73165661a0bc3ef1425e6e8ad3da3e321bea9f5a4e10dc4434aeb4d0addf34027464bb

  • SSDEEP

    98304:2qfhtV37w74C0CJmzevREdhOXQTFB74unJSqqgw3LFkkEGr3ra:JfXVrw7RRE2gTgunJSYw3LiWra

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 18 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SkyDriveSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\SkyDriveSetup.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3364
    • C:\Users\Admin\AppData\Local\Temp\SkyDriveSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\SkyDriveSetup.exe" C:\Users\Admin\AppData\Local\Temp\SkyDriveSetup.exe /permachine /silent /childprocess /cusid:S-1-5-21-1045960512-3948844814-3059691613-1000
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4140
      • C:\Windows\SysWOW64\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4140" "1504" "1424" "1508" "0" "0" "0" "0" "0" "0" "0" "0"
        3⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2164
      • C:\Windows\SysWOW64\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4140" "1456" "1512" "1448" "0" "0" "0" "0" "0" "0" "0" "0"
        3⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:1888
    • C:\Users\Admin\AppData\Local\Temp\SkyDriveSetup.exe
      C:\Users\Admin\AppData\Local\Temp\SkyDriveSetup.exe /peruser /childprocess
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\SysWOW64\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2260" "1732" "1552" "1736" "0" "0" "0" "0" "0" "0" "0" "0"
        3⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:4812
      • C:\Windows\SysWOW64\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2260" "1864" "1968" "1744" "0" "0" "0" "0" "0" "0" "0" "0"
        3⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:4820
      • C:\Windows\SysWOW64\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2260" "1432" "1376" "1456" "0" "0" "0" "0" "0" "0" "0" "0"
        3⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:1824
    • C:\Windows\SysWOW64\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3364" "2060" "1628" "2064" "0" "0" "0" "0" "0" "0" "0" "0"
      2⤵
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:3324

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERBAE5.tmp.xml
    Filesize

    4KB

    MD5

    376f34e683c01fcb18e6a1c53a4aa729

    SHA1

    5699751c8ab84f87cad18f8a1b16d365bada8185

    SHA256

    a87fcf3981c0cb1b45c117a25165b57a952c07b2b4028a2d419a0201850ba419

    SHA512

    ffb0de7534b1df4a5bfdb47dd6932d1c75219a72001ff7a316394a91e359e4ef849d431fe7c606660b4e6bb476c87adee15357d9812f1b412069a3d63e78f56a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\SkyDrive\setup\logs\2024-10-09_060323_d24-a44.log
    Filesize

    5KB

    MD5

    0cc60d8bd44228d857e867eea1b6a676

    SHA1

    ab912161ebe9fa34218f8921de92ac1be2a6609e

    SHA256

    2a9f0974472cfb7de77ef24ba0825494b312970f452e96708d4edbd5c9b3e53d

    SHA512

    23612e5e48d12abc8603e1100748e60860a2c46776e72954b7d678f39679f509a57fbd0a21438f6387681b2b5a6442b2b09117809db2a972e0914eb3d8ae0c64

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\SkyDrive\setup\logs\2024-10-09_060323_d24-a44.log
    Filesize

    6KB

    MD5

    8d6f3dc7d6af3c0dcb22181806d1f37a

    SHA1

    6334135fb7982c51a53bc914f9e8adfc27a92492

    SHA256

    34337191e9276101d5fd019fd290aa9ab4292d79197dc3f94d2eff96fbca2cfe

    SHA512

    5b01481f5590bec71ee6d27722a1917709a51d6e4cb2bdce346dd33d396e533e6b5f15fb75e9e5a3f7bb765976a8ab1d49b9d87ad33407a8ee22b86764b21db4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\SkyDrive\setup\logs\2024-10-09_060324_102c-12e0.log
    Filesize

    7KB

    MD5

    06ef0d5a772e1cd0b5d91da5bb8d967b

    SHA1

    e0cc16ae175b73084f187e6016d3a163aa5dd979

    SHA256

    669b24c192e649e8253e7558b45c12ac70809f48f776fd8c75c9b318217a5c27

    SHA512

    5c14fff1dcbc24e56e656286f1962d16f6361b1803f1eb6a8830a92daa9b8f41a44cd41eed240821c9b1fbb7dbe43c49a738026303d0bd649393b7f4a4fa7376

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\SkyDrive\setup\logs\2024-10-09_060324_102c-12e0.log
    Filesize

    7KB

    MD5

    447a8da98ead495f2a90f812c8346731

    SHA1

    1f3c73d1eac52066061be914793170d406f8b6be

    SHA256

    3a8337851abeb97c2b484bd90f68ac2c284b080acc09400b1cbac59fa87c1108

    SHA512

    32094f600529a25839454a68875f2c60e2f66d27087b57b78adb755a6686c365eaae31212347e021902bf7ea3ed53d1a2f75973e575fa6ee3d144400e1f231e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\SkyDrive\setup\logs\2024-10-09_060324_8d4-1128.log
    Filesize

    5KB

    MD5

    ef468d2e7e649c505b5beea8955c4333

    SHA1

    d2e28bc453180fd76d8d0a3ceb90523fb65eb887

    SHA256

    d8ce9ff6e3717f2c2538cf6213a03eed1744cb667b8e76dd122cf31c0e2bc990

    SHA512

    e80c14132b591fde65512c01653367740400cf13ff916a4c6d7a960f8abb09fa48ebf435107c04a850d9adb27147ce8c0708addad2112017d516f0a9b4894b8e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\SkyDrive\setup\logs\2024-10-09_060324_8d4-1128.log
    Filesize

    6KB

    MD5

    b5026a1437f8304194ed6bf6123e758f

    SHA1

    16c35bc0402b1b3d28e2e76f683fbb6fb3645524

    SHA256

    4f6490a4ee7e4889ea58a3590b9947b843f0a351b9f001a7dc5e99323c817cc6

    SHA512

    2bb1f132caf6ed44c1bf9204ded9b8ab310124d0dfd491d5c8ff15794b4bec6e6a3f9cc4eaa9c23f04082b4e4db276d05eb6f7b0b0ff22f955750b9234dc9107

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\SkyDrive\setup\logs\2024-10-09_060324_8d4-1128.log
    Filesize

    7KB

    MD5

    716b9195294ea259133ce5fb1685c87a

    SHA1

    f2a38d12c739d1235e72fa4378d37e0f145fa989

    SHA256

    c4afabdfd5135e379c9e8cc14c2b6ac463b271795928ccc72506d66d820cee64

    SHA512

    f81743500d8c0a2d628fb8cbef24174576fcdb23c6a65fddca26f68bb3f2bacb43cf5ba7a2020e4ac61535ed3e29173c0dcdaecf77b8bf834d75eb264a7c588b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB70B.tmp
    Filesize

    4.0MB

    MD5

    77adb580cb498135d0a82cb549188b63

    SHA1

    3f34333dee14db56ef9e26b068aa910098942f4d

    SHA256

    bbef38f8e366fbe02d5e32a221dcec0aed2507a7b69c7bd862aa11c1cc754e49

    SHA512

    8c71d984e7efd06aeac65e35e7ee9ac5f6373b8be56447fe88e328ae84a301d74f7d2231efc9ca22801dfed29747ae69ffdc86f8d02aee019a9b0718cbc408d1

    Download Submit

  • memory/2260-12-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

    Filesize

    4KB

    Download