Analysis

  • max time kernel
    96s
  • max time network
    152s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    20/12/2024, 13:39

General

  • Target

    SpyNote v7.0‌‌/ico.scr

  • Size

    236KB

  • MD5

    4abcadf52f11d5db53bd15b30e0e7e70

  • SHA1

    25b0ffaae418147757a285bbb133b1d5126680fc

  • SHA256

    e97beacff7ed7401d4a0563c06af3f25047775948b2ed2796ae7a8711d3350d3

  • SHA512

    996e3dfef22a358ee5a1b4c4bdc75507f683c06a22e507e7289dcff0eb0143adaacc70b518fdf8bc32625b624d4887a64c579e8eacee853222aee992543eb6d9

  • SSDEEP

    3072:GVr3lajQFISWejg61Pzjj43o5GYi5h6A/QBaRd9TrxTzY:GVr3YceSW8gybiYiivudP

Malware Config

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block-at-first-seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Uses the powershell.exe command.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SpyNote v7.0‌‌\ico.scr
    "C:\Users\Admin\AppData\Local\Temp\SpyNote v7.0‌‌\ico.scr" /S
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:584
    • C:\Users\Admin\AppData\LocalpVxfUiqNiq.exe
      "C:\Users\Admin\AppData\LocalpVxfUiqNiq.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\Disable-Windows-Defender.exe
        "C:\Windows\Disable-Windows-Defender.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2280
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:8
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3452
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1300
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3880
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3832
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4924
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3936
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2260
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4820
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4708
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3196
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3856
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2176
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4464
      • C:\Windows\svchost.exe
        "C:\Windows\svchost.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2084
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1056
          4⤵
          • Program crash
          PID:2212
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\LocalKIirypGzQy.jpg"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3788
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
    PID:3604
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2084 -ip 2084
      1⤵
      PID:940

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\LocalKIirypGzQy.jpg

        Filesize

        9KB

        MD5

        18406451251bfe44fc112d1263581129

        SHA1

        0b611355a35fda665d93759565e24b6ca8b21c71

        SHA256

        a991259a9f4044aa1206b0353f8c32a49817a63326b56b89f62fe38e785e3525

        SHA512

        32e4b2d141de151649430f88994ff2449bf7864745b6fbec4d5ea4d0de9dd6fb90886af50a142ef588cab6c9cf109bac55b8cf0869f8b7b1df23fdd043d971a6

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        3eb3833f769dd890afc295b977eab4b4

        SHA1

        e857649b037939602c72ad003e5d3698695f436f

        SHA256

        c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

        SHA512

        c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        5e22dd1cda88782a1f52f76e748ef957

        SHA1

        3231826619a06fa541e2bfb21da445bd7013b5ac

        SHA256

        73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec

        SHA512

        75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        0f1bf4207c100442afb6f174495b7e10

        SHA1

        77ab64a201e4c57bbda4f0c3306bee76e9513b44

        SHA256

        c7787523a0e006d3ef2401f20248f6cfa69769804d402b75e04fcec463741f4d

        SHA512

        29bdea5620c07bae69fa2bbd9c198b7309dbd275a1251ee306e2eb28584d0c40f3d112b4c91b281fe722e711ceef0f4cdf0bd72118a54e263f6500bcf9040d94

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        64B

        MD5

        50a8221b93fbd2628ac460dd408a9fc1

        SHA1

        7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

        SHA256

        46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

        SHA512

        27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3pfxztgh.ul3.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\LocalpVxfUiqNiq.exe

        Filesize

        75KB

        MD5

        b231a878877ea13b2dfe442b406e56c2

        SHA1

        e1fdc12fb480d964de10445a168cb43e74a19903

        SHA256

        96b965ca96aa640a3d68b3084297e82691b43831da30bb7c24cb1939db21515a

        SHA512

        0c429be99c4c359742665875edb4c926c81b64d5b7ac35d96de40ffd7260b5d6d7c85d73207795b03e66d415db3c524e6c0dee2d5e07cb342adcdfd6bffc60e7

      • C:\Windows\Disable-Windows-Defender.exe

        Filesize

        10KB

        MD5

        6af766cdaaee7f7ae97d496714d7e0ec

        SHA1

        3f8df9b3029a2ab30eb89e5e1c41a45fd68e96bc

        SHA256

        97df8777f75fe050bf23dbe180e3bfa2ee4c36c1f93f209cb319b640e7f02e14

        SHA512

        ad18783a9290b3999a91cbc05d70419b155dbdbcb576fcdd55996cb5ef11f2045fa4d926813a886ecd6b5f8be82d6c58203c0cca70e34f04c6c2d35de511d476

      • C:\Windows\svchost.exe

        Filesize

        60KB

        MD5

        8a7615bc1f4e0edf735dd4fb9380b099

        SHA1

        c3e7d6fbc8f50000246c84cad624b654d4a96aa8

        SHA256

        27472a405e57519152fdae9db51c457d8b7ba289bc2feefcc5a772dee8664cc7

        SHA512

        dd2da92f96321a28a3e4250f4ec796acb3e89ec97c2b01740d65110bad3d408b73df9db7aecfea1779a8f7ec4770f201df61f963fb0f3028d9be618573d54025

      • memory/8-55-0x0000024978B90000-0x0000024978BB2000-memory.dmp

        Filesize

        136KB

      • memory/584-24-0x00007FFB42350000-0x00007FFB42CF1000-memory.dmp

        Filesize

        9.6MB

      • memory/584-0-0x00007FFB42605000-0x00007FFB42606000-memory.dmp

        Filesize

        4KB

      • memory/584-3-0x00007FFB42350000-0x00007FFB42CF1000-memory.dmp

        Filesize

        9.6MB

      • memory/584-2-0x00007FFB42350000-0x00007FFB42CF1000-memory.dmp

        Filesize

        9.6MB

      • memory/2084-54-0x0000000000BC0000-0x0000000000BD6000-memory.dmp

        Filesize

        88KB

      • memory/2084-65-0x00000000080C0000-0x00000000080D4000-memory.dmp

        Filesize

        80KB

      • memory/2084-66-0x0000000008170000-0x000000000820C000-memory.dmp

        Filesize

        624KB

      • memory/2084-67-0x00000000087C0000-0x0000000008D66000-memory.dmp

        Filesize

        5.6MB

      • memory/2084-68-0x00000000082B0000-0x0000000008342000-memory.dmp

        Filesize

        584KB

      • memory/2280-52-0x0000000000020000-0x0000000000028000-memory.dmp

        Filesize

        32KB