Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

12/03/2025, 21:32

250312-1dmynatxey 10

11/03/2025, 16:10

250311-tmgdxaxnx4 10

06/03/2025, 02:30

250306-cze8yav1az 10

Analysis

  • max time kernel
    892s
  • max time network
    896s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/03/2025, 16:10

General

  • Target

    23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe

  • Size

    324KB

  • MD5

    638264dabfa294ec7b31dfb89a85edbc

  • SHA1

    2029e54083f1900349c89cc49a72f914c0db943f

  • SHA256

    23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e

  • SHA512

    2bc06a4789bcdecc338a53410ffdbf4c4f7914884db9a2ab05940296824aaae5c94a33cce61f82c32d83164efbec9c53ffc4a2ba76e27f6c417d78a9a15e3d0f

  • SSDEEP

    6144:HSP8tg4knZXvKh8528ZE/PqOl4LF8SbbAkIlerfDUSwR8t:yPC5jw28ZEl4LF1bUk86bmWt

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe
    "C:\Users\Admin\AppData\Local\Temp\23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:64
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" "AppLaunch.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:3756
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" "AppLaunch.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:5064
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,vbs,bat,hta,lnk,dll,ps1;exit
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3908
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\crox\crox.exe'" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\crox\crox.exe'" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1760
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e.exe" "C:\Users\Admin\AppData\Local\Temp\crox\crox.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:812
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1176
  • C:\Users\Admin\AppData\Local\Temp\crox\crox.exe
    C:\Users\Admin\AppData\Local\Temp\crox\crox.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1216
    • C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe
      "C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:452
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\crox\crox.exe'" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:672
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\crox\crox.exe'" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4500
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\crox\crox.exe" "C:\Users\Admin\AppData\Local\Temp\crox\crox.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2208

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_piswysao.akc.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\crox\crox.exe

    Filesize

    324KB

    MD5

    638264dabfa294ec7b31dfb89a85edbc

    SHA1

    2029e54083f1900349c89cc49a72f914c0db943f

    SHA256

    23d6f9a120790d441377488f28c15f7ffc4df84c3fb5d05ce42f0bae5d75731e

    SHA512

    2bc06a4789bcdecc338a53410ffdbf4c4f7914884db9a2ab05940296824aaae5c94a33cce61f82c32d83164efbec9c53ffc4a2ba76e27f6c417d78a9a15e3d0f

  • C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll

    Filesize

    234KB

    MD5

    6f8b0021a206e48a50986333b87a5245

    SHA1

    b650435b6e1a0cc59e2c232f83a9796770f85f96

    SHA256

    326ca48a87c1e82e1fcaf95acd5b8c09d92f712591ba88928f48e093c485c40a

    SHA512

    b7f066786f20934148d718689fbcdf830a0a04ebf46092c48b6ec06ef5a989518cb23659a7ecbcef5b689a58546f2ac688a861887611cd3ee62b8ade62b4cc27

  • C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe

    Filesize

    240KB

    MD5

    646260e1f316dd6e518d4c7a9ac6b589

    SHA1

    33eb1212fd842078b5b65d8720672582d8acb7ca

    SHA256

    8b0a871839c2e9714684cdb00cd18484780e29ee762f004d300c1fe65bb08628

    SHA512

    fc8e21267cc9141c86d490557de28e1afaebfb8d1519aca377160543b1dd825cd116d7b5bcb2e3b21a15b32f7f45505cf3c47ae6b29e4dd39c137ebaa694acad

  • memory/64-10-0x00000000750F0000-0x00000000758A0000-memory.dmp

    Filesize

    7.7MB

  • memory/64-53-0x00000000750F0000-0x00000000758A0000-memory.dmp

    Filesize

    7.7MB

  • memory/64-54-0x00000000750F0000-0x00000000758A0000-memory.dmp

    Filesize

    7.7MB

  • memory/64-7-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/64-8-0x00000000750F0000-0x00000000758A0000-memory.dmp

    Filesize

    7.7MB

  • memory/64-9-0x0000000005690000-0x000000000572C000-memory.dmp

    Filesize

    624KB

  • memory/452-75-0x00000000710B0000-0x0000000071103000-memory.dmp

    Filesize

    332KB

  • memory/452-71-0x00000000710B0000-0x0000000071103000-memory.dmp

    Filesize

    332KB

  • memory/3492-59-0x0000000000280000-0x00000000002D8000-memory.dmp

    Filesize

    352KB

  • memory/3560-11-0x00000000750FE000-0x00000000750FF000-memory.dmp

    Filesize

    4KB

  • memory/3560-12-0x00000000750F0000-0x00000000758A0000-memory.dmp

    Filesize

    7.7MB

  • memory/3560-5-0x00000000750F0000-0x00000000758A0000-memory.dmp

    Filesize

    7.7MB

  • memory/3560-3-0x0000000005F10000-0x00000000064B4000-memory.dmp

    Filesize

    5.6MB

  • memory/3560-4-0x0000000005960000-0x00000000059F2000-memory.dmp

    Filesize

    584KB

  • memory/3560-2-0x00000000058F0000-0x0000000005956000-memory.dmp

    Filesize

    408KB

  • memory/3560-1-0x0000000000690000-0x00000000006E8000-memory.dmp

    Filesize

    352KB

  • memory/3560-0-0x00000000750FE000-0x00000000750FF000-memory.dmp

    Filesize

    4KB

  • memory/3560-6-0x0000000005D80000-0x0000000005D8A000-memory.dmp

    Filesize

    40KB

  • memory/3908-28-0x00000000061E0000-0x000000000622C000-memory.dmp

    Filesize

    304KB

  • memory/3908-30-0x0000000071170000-0x00000000711BC000-memory.dmp

    Filesize

    304KB

  • memory/3908-29-0x0000000007390000-0x00000000073C2000-memory.dmp

    Filesize

    200KB

  • memory/3908-43-0x00000000074D0000-0x00000000074EA000-memory.dmp

    Filesize

    104KB

  • memory/3908-42-0x0000000007B80000-0x00000000081FA000-memory.dmp

    Filesize

    6.5MB

  • memory/3908-44-0x0000000007550000-0x000000000755A000-memory.dmp

    Filesize

    40KB

  • memory/3908-45-0x0000000007760000-0x00000000077F6000-memory.dmp

    Filesize

    600KB

  • memory/3908-46-0x00000000076E0000-0x00000000076F1000-memory.dmp

    Filesize

    68KB

  • memory/3908-47-0x0000000007720000-0x000000000772E000-memory.dmp

    Filesize

    56KB

  • memory/3908-49-0x0000000007820000-0x000000000783A000-memory.dmp

    Filesize

    104KB

  • memory/3908-50-0x0000000007800000-0x0000000007808000-memory.dmp

    Filesize

    32KB

  • memory/3908-48-0x0000000007730000-0x0000000007744000-memory.dmp

    Filesize

    80KB

  • memory/3908-41-0x00000000073D0000-0x0000000007473000-memory.dmp

    Filesize

    652KB

  • memory/3908-40-0x0000000006780000-0x000000000679E000-memory.dmp

    Filesize

    120KB

  • memory/3908-27-0x0000000006190000-0x00000000061AE000-memory.dmp

    Filesize

    120KB

  • memory/3908-16-0x0000000005490000-0x00000000054F6000-memory.dmp

    Filesize

    408KB

  • memory/3908-26-0x0000000005D20000-0x0000000006074000-memory.dmp

    Filesize

    3.3MB

  • memory/3908-15-0x00000000052F0000-0x0000000005312000-memory.dmp

    Filesize

    136KB

  • memory/3908-14-0x00000000056F0000-0x0000000005D18000-memory.dmp

    Filesize

    6.2MB

  • memory/3908-13-0x0000000002890000-0x00000000028C6000-memory.dmp

    Filesize

    216KB