Analysis
  max time kernel: 94s
  max time network: 146s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24/12/2024, 01:00
Static task
  static1
Behavioral tasks
  behavioral1: Sample ScanPMT.exe, Resource win7-20240903-en
  behavioral2: Sample ScanPMT.exe, Resource win10v2004-20241007-en
  behavioral3: Sample $PLUGINSDIR/ohbpyoj.dll, Resource win7-20240729-en
  behavioral4: Sample $PLUGINSDIR/ohbpyoj.dll, Resource win10v2004-20241007-en
General
  Target: ScanPMT.exe
  Size: 593KB
  MD5: 455769c893c56ea88021417a63a0f9ad
  SHA1: 0f0bcec8e151f30db07620da3573e6202bf6bb08
  SHA256: 77901588d513788e7bba467897bd688367197dfe4bdace3bf762ff1de24db3a3
  SHA512: 6098243876ef9f960d60f0e6b2c6e5ff0e848fd89f532f67b62b69cb487e44947a1ac1feb9d84df6847f13344afa1c892e67bc89e4916896f48a8f06191fd78c
  SSDEEP: 12288:/5QkJecOuNPel0EI+TCV8se7DEs5CSt20MXmMU4pJym:zQcOuhex+A7DEEvt20M2f2Im
Malware Config
Signatures
  Loads dropped DLL (1 IoCs)
    pid   Process
    1732  ScanPMT.exe
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  Program crash (1 IoCs)
    pid   pid_target  Process       procid_target
    1632  1732        WerFault.exe  82
  System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ScanPMT.exe
  Suspicious use of WriteProcessMemory (3 IoCs)
    description                       pid   Process      procid_target
    PID 1732 wrote to memory of 1996  1732  ScanPMT.exe  83
    PID 1732 wrote to memory of 1996  1732  ScanPMT.exe  83
    PID 1732 wrote to memory of 1996  1732  ScanPMT.exe  83
Processes
  C:\Users\Admin\AppData\Local\Temp\ScanPMT.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ScanPMT.exe"
    PID: 1732
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    Children:
      C:\Users\Admin\AppData\Local\Temp\ScanPMT.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ScanPMT.exe"
        PID: 1996
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 912
        PID: 1632
        Signatures: Program crash
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1732 -ip 1732
    PID: 1388
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 339KB
  MD5: f4d79c46904300d09db5984132baf59c
  SHA1: 0d7f273647a202126ce60d81c4fcccd8d3481231
  SHA256: d0caae610e4e945c5bbd52613d7ef2eeb9aa9fd58f731dae92da9a0feb617b0c
  SHA512: 4276b9abd57ab926e326fb1939fb37ceef2219cb1e2bc5f3ea7091b3d2ea9600a2e18ad1eeb79d568a77294803cbab66ac8d4fd5413b200dbdbe8138114485ed