Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    25/10/2024, 07:10

General

  • Target

  • Size

    330KB

  • MD5

    8c26c5bb599b606cc549ceef0d9d2da3

  • SHA1

    86a373936df7e753f7284efc63bf8970e9a56870

  • SHA256

    acc791703bc6e6ec9dcad7ef28ea5bcd1cf70f0a17412b28078daa66df5989d8

  • SHA512

    f05012ab52e2e88f0342d0a9fc52be210cdb4895035c4854592f350e24ddbcf48a710c25285c73a0462d51fe937540d491f5ce376e226558398cc1eb7bab2873

  • SSDEEP

    6144:ypBFADu1hgO8uoHKm9bDSN23GqcgCC/5t:sM6TgO1oHbHSN2334O

Malware Config

Signatures

  • Renames multiple (6533) files with added filename extension

    Appending an extension to thousands of files in a single run is consistent with ransomware encrypting files across the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\[email protected]" /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Windows\system32\schtasks.exe
        SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\[email protected]" /F
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2208
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3504
      • C:\Windows\system32\schtasks.exe
        SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F
        3⤵
        PID:3240
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4216
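The process tree shows the sample (PID 1888) creating a scheduled task named "Windows Update ALPHV" that runs its own %TEMP% path as NT AUTHORITY\SYSTEM at boot, and then deleting that task within the same run, so a detection has to fire on the creation rather than on the task's continued existence. The Python below is an added example (not code from this report or from Hatching Triage) that parses schtasks command lines for that combination of SYSTEM principal, boot trigger and user-writable action path, and separately flags a process that renames many files by appending an extension, as the 6533-rename signature describes. The "type|pid|ppid|payload" event format is hypothetical, the events are constructed from the process tree above, "sample.exe" stands in for the report's redacted target filename, and ".locked" for the appended extension, which the report does not state.

```python
"""Detection logic for the two behaviours this report records: a scheduled
task created to run the sample as SYSTEM at boot from a user-writable path,
and mass renames that append an extension (ransomware encryption).
The event format ("type|pid|ppid|payload") is hypothetical, not a Triage
export; the events below are constructed from the report's process tree."""
import re
from collections import Counter, defaultdict

# Constructed events. "sample.exe" stands in for the report's redacted target
# filename and ".locked" for the appended extension, which the report omits.
SAMPLE_EVENTS = [
    r"proc|1888|1000|C:\Users\Admin\AppData\Local\Temp\sample.exe",
    r'proc|1300|1888|"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\sample.exe" /F',
    r'proc|2208|1300|SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\sample.exe" /F',
    r'proc|3504|1888|"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F',
    r'proc|3240|3504|SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F',
] + [
    r"rename|1888|1000|C:\Users\Admin\Documents\{0} -> C:\Users\Admin\Documents\{0}.locked".format(name)
    for name in ("budget.xlsx", "notes.txt", "photo.jpg", "report.docx", "db.sqlite", "plan.pdf")
] + [
    # benign rename: new name does not merely extend the old one
    r"rename|4216|1000|C:\Users\Admin\AppData\Local\Temp\cache.tmp -> C:\Users\Admin\AppData\Local\Temp\cache.dat",
]

# Any path under a user's AppData (covers the Local\Temp staging seen here).
USER_APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
STARTUP_TRIGGERS = {"onstart", "onlogon"}


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return {switch(lowercase): value-or-True} for the schtasks invocation in
    cmdline, or None if schtasks is not invoked. Works on both the cmd.exe /c
    wrapper and the bare schtasks.exe child, since the switches follow the
    schtasks token in either case."""
    tokens = tokenize(cmdline)
    idx = next((i for i, t in enumerate(tokens)
                if t.lower().split("\\")[-1] in ("schtasks", "schtasks.exe")), None)
    if idx is None:
        return None
    opts, rest, i = {}, tokens[idx + 1:], 0
    while i < len(rest):
        if rest[i].startswith("/"):
            key = rest[i][1:].lower()
            if i + 1 < len(rest) and not rest[i + 1].startswith("/"):
                opts[key], i = rest[i + 1], i + 2   # switch with a value
            else:
                opts[key], i = True, i + 1          # bare switch such as /F
        else:
            i += 1
    return opts


def assess_schtasks(cmdline):
    """Score a schtasks /Create for the persistence pattern in this report.
    Returns None for non-schtasks lines and for /Delete, /Query etc."""
    opts = parse_schtasks(cmdline)
    if opts is None or "create" not in opts:
        return None
    reasons = []
    if str(opts.get("ru", "")).lower().endswith("system"):   # SYSTEM or NT AUTHORITY\SYSTEM
        reasons.append("runs as SYSTEM")
    if str(opts.get("sc", "")).lower() in STARTUP_TRIGGERS:
        reasons.append("trigger " + str(opts["sc"]).lower())
    action = str(opts.get("tr", ""))
    if USER_APPDATA_RE.match(action):
        reasons.append("action under user AppData")
    return {"task": opts.get("tn"), "action": action, "reasons": reasons,
            "suspicious": len(reasons) >= 2}


def detect_mass_rename(events, threshold=5):
    """Per PID, count renames where the new name is the old name plus a suffix;
    return {pid: {suffix: count}} for PIDs at or above the threshold."""
    appended = defaultdict(Counter)
    for line in events:
        kind, pid, _ppid, payload = line.split("|", 3)
        if kind != "rename":
            continue
        old, new = (p.strip() for p in payload.split("->", 1))
        if len(new) > len(old) and new.lower().startswith(old.lower()):
            appended[int(pid)][new[len(old):]] += 1
    return {pid: dict(c) for pid, c in appended.items() if sum(c.values()) >= threshold}


def run_report(events, rename_threshold=5):
    """Combine both detections into a list of findings with ATT&CK technique IDs."""
    findings, seen = [], set()
    for line in events:
        kind, pid, _ppid, payload = line.split("|", 3)
        if kind != "proc":
            continue
        verdict = assess_schtasks(payload)
        if verdict and verdict["suspicious"]:
            key = (verdict["task"], verdict["action"])
            if key not in seen:   # wrapper cmd.exe and child schtasks.exe carry the same line
                seen.add(key)
                findings.append({"type": "scheduled_task", "pid": int(pid),
                                 "technique": "T1053.005", **verdict})
    for pid, exts in detect_mass_rename(events, rename_threshold).items():
        findings.append({"type": "mass_rename", "pid": pid, "technique": "T1486",
                         "extensions": exts})
    return findings


if __name__ == "__main__":
    for finding in run_report(SAMPLE_EVENTS):
        print(finding)
```

The scheduled-task check deliberately scores the creation, not the task name: "Windows Update ALPHV" is easy to match on but trivially changed, whereas SYSTEM principal plus boot trigger plus an action path under a user profile is a combination that legitimate software almost never needs. The rename check keys on the suffix being appended to an otherwise unchanged name, which separates encryption-style renames from ordinary renames such as the cache.tmp to cache.dat case.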

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\#Recover-Files.txt

      Filesize

      449B

      MD5

      e2a59a33e6c827a3317aa009e702e816

      SHA1

      003fa7c8adb28bcb99468f7e0b738308858b6af4

      SHA256

      ad3342ff420c93b547ac3ecd7cfb352bba70a57b67ff5985f2442507decf9f57

      SHA512

      f4c50931db6d051ac62217dca3e5d5ac080b02fda58bd9cb93a81553f6b8cf8369845e87e64e1d378d1fb5749ceadfde9c2b1eb142b512c7200dda5fe56dab99

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

      Filesize

      13KB

      MD5

      568e6faca87f87025e68ef49fee6c134

      SHA1

      f642ff7d0369df1baa97172468333f70a2a9a585

      SHA256

      149852c3f345ea1f31dbe8e37501dcd4f07bd76c34fc1643f1dc0f6d6b1e9487

      SHA512

      901cecc0de0e58ea7462097d8fbafc7501661fbe4f629b15e93c27e7baf0a69f3adcffc8e6aac6dd4d421f593fc96e833540066995a9a771f8d016ef08f68037

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

      Filesize

      14KB

      MD5

      37355643f47056ca0448ed30082a0397

      SHA1

      18abc2cfe19859ab70e37112eabfb3a7c77fa28e

      SHA256

      36faa1f6f73f09dc06b66bf45136845f79b60ab959f7ba7f31d29fb42962d700

      SHA512

      b68dcfd342d3ff2508cef21288b0a5acb1c75c6a7ce57a1be7a88b4c9d614192fdcd4af539e812784de4df786e4e23006a15eb1d674b7fbe256c7b3a8b43924c