Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

17/01/2025, 18:43

250117-xdcadazngk 10

Analysis

  • max time kernel
    80s
  • max time network
    101s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    17/01/2025, 18:43

General

  • Target

    Setup.exe

  • Size

    664.7MB

  • MD5

    94453b781953e0e6490b2e006a26c4e1

  • SHA1

    956ffc7e463d4f89d34f4fb2fffcebb236c9c923

  • SHA256

    c6eaf88c01aafc69a1f61fa9eefd16e308a5f9cf3046e6c48a061025a1dae773

  • SHA512

    c82a905a4c846d5f6d490eb909d4204a0988f4155fa23e982e31b40a898e94a4d3859d4de2753c6535c56b300727d8b90d05b4e466361d636b1e4d52347d9e04

  • SSDEEP

    98304:xMD2B5Pnm2GSxIzkPJQfRG8M1QEOyFmMQbm:xMaBBfGdG4yJQb

Score
3/10

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 46 IoCs
  • Suspicious use of SendNotifyMessage 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:4924
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    1⤵
    • Modifies registry class
    PID:4276
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\78ceb5a6-f16c-4651-ad1d-c6011e8ef7b6.down_data

    Filesize

    555KB

    MD5

    5683c0028832cae4ef93ca39c8ac5029

    SHA1

    248755e4e1db552e0b6f8651b04ca6d1b31a86fb

    SHA256

    855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

    SHA512

    aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

  • memory/1904-22-0x000001B0C2150000-0x000001B0C2151000-memory.dmp

    Filesize

    4KB

  • memory/1904-20-0x000001B0C2150000-0x000001B0C2151000-memory.dmp

    Filesize

    4KB

  • memory/1904-21-0x000001B0C2150000-0x000001B0C2151000-memory.dmp

    Filesize

    4KB

  • memory/1904-26-0x000001B0C2150000-0x000001B0C2151000-memory.dmp

    Filesize

    4KB

  • memory/1904-32-0x000001B0C2150000-0x000001B0C2151000-memory.dmp

    Filesize

    4KB

  • memory/1904-31-0x000001B0C2150000-0x000001B0C2151000-memory.dmp

    Filesize

    4KB

  • memory/1904-30-0x000001B0C2150000-0x000001B0C2151000-memory.dmp

    Filesize

    4KB

  • memory/1904-29-0x000001B0C2150000-0x000001B0C2151000-memory.dmp

    Filesize

    4KB

  • memory/1904-28-0x000001B0C2150000-0x000001B0C2151000-memory.dmp

    Filesize

    4KB

  • memory/1904-27-0x000001B0C2150000-0x000001B0C2151000-memory.dmp

    Filesize

    4KB

  • memory/4924-3-0x0000000000400000-0x00000000007D3000-memory.dmp

    Filesize

    3.8MB

  • memory/4924-1-0x00000000023D0000-0x0000000002424000-memory.dmp

    Filesize

    336KB

  • memory/4924-0-0x00000000023D0000-0x0000000002424000-memory.dmp

    Filesize

    336KB