Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/11/2024, 20:11

General

  • Target

    4363463463464363463463463.exe

  • Size

    10KB

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Signatures

  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, most likely for geofencing (the payload runs only outside, or only inside, a set of countries).

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 2 IoCs
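
The "Drops autorun.inf file" signature above only tells you the sample wrote one. When such a file is recovered from a volume, the next question is what it asks Windows to do, and that is answered by its [autorun] section: open= and shellexecute= name a program to launch on AutoPlay, and shell\<verb>\command= rewrites the Explorer context-menu verbs. The script below is an added example, not part of this tria.ge report and not the autorun.inf this sample dropped; both inputs are constructed, and the parser is a minimal INI reader of our own rather than a Windows API. Caveat for the reader: since the 2011 AutoRun change (KB971029) Windows honours autorun.inf only on optical media, so on current systems the file is mostly a legacy propagation artifact, but it remains a reliable indicator of the dropper's intent.

```python
"""
Added example, not part of the tria.ge report or of the analysed sample:
a small triage parser for autorun.inf. Both inputs below are constructed;
neither is the autorun.inf this sample dropped.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed: what a propagation-style autorun.inf typically looks like.
SAMPLE_MALICIOUS = """\
; constructed sample, not recovered from the analysed file
[AutoRun]
open=hidden\\setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Removable Disk
shell\\open\\command=hidden\\setup.exe
shell\\explore\\command=hidden\\setup.exe
action=Open folder to view files
"""

# Constructed: a benign autorun.inf that only sets a label and an icon.
SAMPLE_BENIGN = """\
[autorun]
label=Backup Drive
icon=backup.ico
"""

EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_inf(text: str) -> dict[str, dict[str, str]]:
    """Minimal INI parser: case-insensitive sections and keys, ';' comments,
    last duplicate key wins. Windows reads autorun.inf case-insensitively."""
    sections: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


@dataclass
class AutorunFindings:
    launch_targets: list[str]   # programs the .inf asks Windows to run
    label: str | None
    icon: str | None
    reasons: list[str]          # why it looks like a propagation vehicle


def triage_autorun(text: str) -> AutorunFindings:
    auto = parse_inf(text).get("autorun", {})
    # open= / shellexecute= run on AutoPlay; shell\<verb>\command= hijacks the
    # Explorer context-menu verbs (and, for 'open', the double-click action).
    targets = sorted({
        v for k, v in auto.items()
        if k in ("open", "shellexecute")
        or (k.startswith("shell\\") and k.endswith("\\command"))
    })
    reasons: list[str] = []
    for t in targets:
        if t.lower().endswith(EXECUTABLE_EXT):
            reasons.append(f"launch target is an executable: {t}")
        is_absolute = (len(t) > 1 and t[1] == ":") or t.startswith("\\\\")
        if not is_absolute:
            reasons.append(f"launch target is relative, i.e. carried on the volume itself: {t}")
    if "shell\\open\\command" in auto or "shell\\explore\\command" in auto:
        reasons.append("Explorer 'Open'/'Explore' verbs are redirected to the payload")
    icon = auto.get("icon")
    if icon and "shell32.dll" in icon.lower():
        reasons.append("icon borrowed from shell32.dll to pass as a plain drive or folder")
    return AutorunFindings(targets, auto.get("label"), icon, reasons)


def is_suspicious(text: str) -> bool:
    """An autorun.inf that launches anything at all is worth a closer look."""
    return bool(triage_autorun(text).launch_targets)


if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        findings = triage_autorun(sample)
        print(name, "->", "suspicious" if is_suspicious(sample) else "clean")
        for reason in findings.reasons:
            print("   ", reason)
```

Run it against any autorun.inf pulled from a removable volume image; a relative, executable launch target combined with a borrowed shell32.dll icon is the classic worm layout, whereas label/icon-only files are what legitimate vendors ship.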

Processes

  • C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
    "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Users\Admin\AppData\Local\Temp\Files\444.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\444.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4692
      • C:\Users\Admin\AppData\Roaming\conhost.exe
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops autorun.inf file
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3644
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\conhost.exe" "conhost.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4356
    • C:\Users\Admin\AppData\Local\Temp\Files\run.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\run.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\27C.tmp\27D.tmp\27E.bat C:\Users\Admin\AppData\Local\Temp\Files\run.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3452
        • C:\Windows\system32\icacls.exe
          icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrator:(OI)(CI)F /t /c
          4⤵
          • Modifies file permissions
          PID:1952
        • C:\Windows\system32\icacls.exe
          icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrators:(OI)(CI)F /t /c
          4⤵
          • Modifies file permissions
          PID:1584
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:2416
        • C:\Windows\system32\attrib.exe
          attrib -h "C:\Users\Administrator\Desktop\Google Chrome.exe"
          4⤵
          • Views/modifies file attributes
          PID:5008
        • C:\Windows\system32\attrib.exe
          attrib -h "C:\Users\Administrator\Desktop\Coc Coc.exe"
          4⤵
          • Views/modifies file attributes
          PID:3508
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:2252
        • C:\Windows\system32\schtasks.exe
          SchTasks /Delete /TN "\Microsoft\Windows\Task Manager\Interactive" /F
          4⤵
          PID:2896
        • C:\Windows\system32\schtasks.exe
          SchTasks /Delete /TN "\Microsoft\Windows\USB\Usb-Notifications" /F
          4⤵
          PID:2168
        • C:\Windows\system32\schtasks.exe
          SchTasks /Delete /TN "\Microsoft\Windows\Feedback\Siuf\DmClient" /F
          4⤵
          PID:3180
        • C:\Windows\system32\schtasks.exe
          SchTasks /Delete /TN "Fix Getting Devices" /F
          4⤵
          PID:4148
        • C:\Windows\system32\schtasks.exe
          SchTasks /Delete /TN "Windows Optimize" /F
          4⤵
          PID:640
        • C:\Windows\system32\schtasks.exe
          SchTasks /Delete /TN "ChangeWallpaper" /F
          4⤵
          PID:4948
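
The tree above is the kind of chain endpoint telemetry should catch without any hash: a binary named conhost.exe running from AppData\Roaming, netsh punching a firewall exception for it, cmd.exe running a .bat out of Temp, icacls denying Administrators on a ProgramData folder, attrib -h on Desktop executables, and a burst of schtasks /Delete calls from one parent. The script below is an added example, not part of this tria.ge report or of the sample: it runs a handful of rules of our own over constructed process-creation events whose PIDs and command lines mirror the tree, plus one benign control event we made up. The event schema (pid, ppid, image, cmdline) is ours, not Sysmon's or tria.ge's.

```python
"""
Added example, not part of the tria.ge report: toy detection rules for the
behaviours visible in the process tree above, run over constructed
process-creation events. Field names are our own schema, not Sysmon's.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs as reported); the last
# event is a made-up benign control: an admin whitelisting a Program Files app.
EVENTS = [
    ProcEvent(4076, 1, r"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"'),
    ProcEvent(4692, 4076, r"C:\Users\Admin\AppData\Local\Temp\Files\444.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Files\444.exe"'),
    ProcEvent(3644, 4692, r"C:\Users\Admin\AppData\Roaming\conhost.exe",
              r'"C:\Users\Admin\AppData\Roaming\conhost.exe"'),
    ProcEvent(4356, 3644, r"C:\Windows\SysWOW64\netsh.exe",
              r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\conhost.exe" "conhost.exe" ENABLE'),
    ProcEvent(4756, 4076, r"C:\Users\Admin\AppData\Local\Temp\Files\run.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Files\run.exe"'),
    ProcEvent(3452, 4756, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\27C.tmp\27D.tmp\27E.bat C:\Users\Admin\AppData\Local\Temp\Files\run.exe"'),
    ProcEvent(1584, 3452, r"C:\Windows\system32\icacls.exe",
              r'icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrators:(OI)(CI)F /t /c'),
    ProcEvent(5008, 3452, r"C:\Windows\system32\attrib.exe",
              r'attrib -h "C:\Users\Administrator\Desktop\Google Chrome.exe"'),
    ProcEvent(2896, 3452, r"C:\Windows\system32\schtasks.exe",
              r'SchTasks /Delete /TN "\Microsoft\Windows\Task Manager\Interactive" /F'),
    ProcEvent(4948, 3452, r"C:\Windows\system32\schtasks.exe",
              r'SchTasks /Delete /TN "ChangeWallpaper" /F'),
    ProcEvent(9001, 9000, r"C:\Windows\System32\netsh.exe",
              r'netsh firewall add allowedprogram "C:\Program Files\App\app.exe" "App" ENABLE'),
]

# Directories an unprivileged user can populate; a firewall exception for a
# program living here is rarely legitimate.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Names that only ever belong under C:\Windows; anywhere else is masquerading.
SYSTEM_BINARIES = {"conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def quoted_paths(cmdline: str) -> list[str]:
    return re.findall(r'"([^"]+)"', cmdline)


def lineage(events: list[ProcEvent], pid: int) -> list[str]:
    """Image names from the given process up to the root we have events for."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def run_rules(events: list[ProcEvent]) -> list[tuple[str, int]]:
    findings: list[tuple[str, int]] = []
    deletes = Counter()  # schtasks /Delete calls per parent process
    for ev in events:
        exe, cl = basename(ev.image), ev.cmdline.lower()
        if exe in SYSTEM_BINARIES and not ev.image.lower().startswith("c:\\windows\\"):
            findings.append(("masquerading_system_binary_outside_windows", ev.pid))
        if exe == "netsh.exe" and ("allowedprogram" in cl or "add rule" in cl):
            if any(USER_WRITABLE.search(p) for p in quoted_paths(ev.cmdline)):
                findings.append(("firewall_exception_for_user_writable_path", ev.pid))
        if exe == "cmd.exe" and re.search(r"\\temp\\.*\.bat", cl):
            findings.append(("cmd_runs_bat_from_temp", ev.pid))
        if exe == "icacls.exe" and "/deny" in cl and "administrator" in cl:
            findings.append(("icacls_deny_administrators", ev.pid))
        if exe == "attrib.exe" and re.search(r"\s-h\b", cl) and "\\desktop\\" in cl and cl.endswith('.exe"'):
            findings.append(("attrib_unhide_exe_on_desktop", ev.pid))
        if exe == "schtasks.exe" and "/delete" in cl:
            deletes[ev.ppid] += 1
    for ppid, n in deletes.items():
        if n >= 2:
            findings.append(("scheduled_task_deletion_burst", ppid))
    return findings


if __name__ == "__main__":
    for rule, pid in run_rules(EVENTS):
        print(f"{rule:45s} pid={pid:<5d} chain={' <- '.join(lineage(EVENTS, pid))}")
```

Every rule keys on the command line rather than the hash, so it survives the trivial rebuilds that change MD5/SHA256 between samples; the lineage helper is what turns a single netsh hit into the story "netsh <- conhost.exe (in Roaming) <- 444.exe <- dropper" that a responder actually needs.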

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\27C.tmp\27D.tmp\27E.bat

    Filesize

    1KB

    MD5

    badacd09f87be0512dc647adc35d85eb

    SHA1

    a8313f919df88c40ad5750e18ac7006ac8bc9da6

    SHA256

    77ed2cbe0b5588bcdc370b9c2f2d99b3191e54cd87e8a132e3d01aebb11fa5db

    SHA512

    fb3c8f1130459304d9bc59d373203c65c7c5318cb3e2986d5ccb31f8f49118242a89ae8eaa6295bb3ef986c147f57826b298328aa62bc482db55f5fb7ed66986

  • C:\Users\Admin\AppData\Local\Temp\Files\444.exe

    Filesize

    37KB

    MD5

    fb0bdd758f8a9f405e6af2358da06ae1

    SHA1

    6c283ab5e49e6fe3a93a996f850a5639fc49e3f5

    SHA256

    9da4778fce03b654f62009b3d88958213f139b2f35fe1bed438100fae35bdfbf

    SHA512

    71d3bd1c621a93bc54f1104285da5bf8e59bc26c3055cf708f61070c1a80ee705c33efd4a05acf3d3a90a9d9fca0357c66894dcb5045ab38b27834ff56c06253

  • C:\Users\Admin\AppData\Local\Temp\Files\run.exe

    Filesize

    88KB

    MD5

    4c2bc1df6a253aeedb93fca6703c944c

    SHA1

    f9b33cc3ead7af759cdd205f489ec29fde4c954d

    SHA256

    daaa52e4529cd43d8293010ad6125dff9ccba7cacdeea7f6d0dc02572e682b5f

    SHA512

    145217ec581c2597dc066684f68f119f0a2579f7e9000d6cc1760c411e6a73ed7b957479ea53b56899fefb99ddca98bca91d1b8fc43cedefa49ed95a7c173944

  • memory/4076-3-0x0000000074680000-0x0000000074E30000-memory.dmp

    Filesize

    7.7MB

  • memory/4076-4-0x000000007468E000-0x000000007468F000-memory.dmp

    Filesize

    4KB

  • memory/4076-5-0x0000000074680000-0x0000000074E30000-memory.dmp

    Filesize

    7.7MB

  • memory/4076-0-0x000000007468E000-0x000000007468F000-memory.dmp

    Filesize

    4KB

  • memory/4076-2-0x0000000005560000-0x00000000055FC000-memory.dmp

    Filesize

    624KB

  • memory/4076-1-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

    Filesize

    32KB

  • memory/4692-14-0x000000006F7E2000-0x000000006F7E3000-memory.dmp

    Filesize

    4KB

  • memory/4692-15-0x000000006F7E0000-0x000000006FD91000-memory.dmp

    Filesize

    5.7MB

  • memory/4692-16-0x000000006F7E0000-0x000000006FD91000-memory.dmp

    Filesize

    5.7MB

  • memory/4692-36-0x000000006F7E0000-0x000000006FD91000-memory.dmp

    Filesize

    5.7MB