Analysis
- max time kernel: 66s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 12/12/2020, 10:26
Static task: static1
Behavioral task: behavioral1
- Sample: 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe
- Resource: win10v20201028
General
- Target: 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe
- Size: 413KB
- MD5: 3023d7526b479ea3df315a5b1779a43d
- SHA1: b5ae71b96a28b9353a4f33c5370ac18750937c17
- SHA256: 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f
- SHA512: 67fe1cf7538e8ef76b6acbba99326af0de58464bf5710ae6fa7b85d73da9a84c58122de6b87c7d9560f0d366de711a95d03be231c1018eacb7489fd32aeb0834
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\ProgramData\\qej\\cxtdfx.exe,explorer.exe" | 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe
- Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
  description | pid | Process | procid_target
  PID 4040 created 1996 | 4040 | WerFault.exe | 77
  PID 2904 created 208 | 2904 | WerFault.exe | 80
- ServiceHost packer (8 IoCs)
  Detects ServiceHost packer used for .NET malware
  resource | yara_rule
  behavioral2/memory/1996-8-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1996-7-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1996-9-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/1996-10-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/208-16-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/208-17-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/208-18-0x0000000000000000-mapping.dmp | servicehost
  behavioral2/memory/208-19-0x0000000000000000-mapping.dmp | servicehost
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dls7xo = "C:\\ProgramData\\tms\\bbmny.exe" | 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  4040 | 1996 | WerFault.exe | 77
  2904 | 208 | WerFault.exe | 80
- Suspicious behavior: EnumeratesProcesses (29 IoCs)
  pid | Process
  4040 | WerFault.exe (14 entries)
  2904 | WerFault.exe (15 entries)
- Suspicious behavior: MapViewOfSection (4 IoCs)
  pid | Process
  492 | 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 4040 | WerFault.exe
  Token: SeBackupPrivilege | 4040 | WerFault.exe
  Token: SeDebugPrivilege | 4040 | WerFault.exe
  Token: SeDebugPrivilege | 2904 | WerFault.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 492 wrote to memory of 1996 | 492 | 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe | 77 (3 entries)
  PID 492 wrote to memory of 208 | 492 | 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe | 80 (3 entries)
  PID 492 wrote to memory of 636 | 492 | 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe | 83 (3 entries)
  PID 636 wrote to memory of 1012 | 636 | cmd.exe | 86 (3 entries)
- Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid | Process
  1012 | attrib.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe"
  PID: 492
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\syswow64\svchost.exe
    command line: C:\Windows\syswow64\svchost.exe
    PID: 1996
    - [depth 3] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 208
      PID: 4040
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\syswow64\svchost.exe
    command line: C:\Windows\syswow64\svchost.exe
    PID: 208
    - [depth 3] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 204
      PID: 2904
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKeNIVpFABUmG.bat" 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe"
    PID: 636
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\attrib.exe
      command line: attrib -r -s -h 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe
      PID: 1012
      - Views/modifies file attributes