Resubmissions

  • 210125-cq2gjr6x2s, submitted 25/01/2021, 08:35, score 10/10 (this analysis)
  • 190730-twrv8j2yqn, submitted 30/07/2019, 12:34, score 0/10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    25/01/2021, 08:35

General

  • Target

    m)hhm.exe

  • Size

    3.5MB

  • MD5

    6bc5f53d4082f12dd83aca45bae81e64

  • SHA1

    1fb4cd155393db202b0ceed59ff49a10329b2592

  • SHA256

    f868e88eb2524d15cfcd87afdf697074e0f9785792f342044501347dce549a1f

  • SHA512

    05b430fe0a57373098e648fa19e3ef47b5e64ecb6fca414e8b7b66c23d7c6da626f6ac3c15115edde4421344b0ead7a6ea015791f42d853fe14af631cbca831e

Score
10/10

Malware Config

Extracted

Family

zebrocy

C2

http://89.37.226.148/technet-support/library/online-service-description.php?id_name=

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Collects information from the system 1 TTPs 1 IoCs

    Uses WMIC.exe to find detailed system information.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\m)hhm.exe
    "C:\Users\Admin\AppData\Local\Temp\m)hhm.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C VOL
      2⤵
      PID:2032
    • C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      2⤵
      • Gathers system information
      PID:1264
    • C:\Windows\SysWOW64\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:336
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C "wmic logicaldisk get caption,description,drivetype,providername,size"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic logicaldisk get caption,description,drivetype,providername,size
        3⤵
        • Collects information from the system
        • Suspicious use of AdjustPrivilegeToken
        PID:1560
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C C:\Users\Admin\AppData\Roaming\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe
      2⤵
      PID:596
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d C:\Users\Admin\AppData\Roaming\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe /f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1816
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d C:\Users\Admin\AppData\Roaming\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1156
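
The tree above records the sequence observed in this run: a "cmd /C VOL" volume check, then systeminfo, tasklist and "wmic logicaldisk" spawned (directly or through a cmd.exe wrapper) by PID 1652, then persistence via a Run value named Driveupd pointing at w32srv.exe under %APPDATA%\Roaming\Identities\{GUID}\. The Python below is an added example, not tria.ge output and not code from the sample: it runs three detections (recon burst attributed past cmd.exe wrappers, Run key pointing into an %APPDATA%\...\{GUID}\ directory, and a beacon to the reported C2 path carrying Go's default User-Agent) over constructed Sysmon-style event dicts. The field names, the beacon's id_name query value and the User-Agent string "Go-http-client/1.1" are assumptions; the report only states the C2 URL and that the default Go HTTP User-Agent was used.

```python
"""Triage detections for the Zebrocy behaviour in this report.

Added example, not tria.ge output and not code from the sample. Events are
constructed, Sysmon-style dicts modelled on the process tree above; the field
names (ts, type, pid, ppid, image, cmdline, key, value, url, user_agent) are
assumptions, not a real Sysmon schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Copied from the report, doubled backslashes included: cmd passed them through
# literally, and Win32 path normalisation collapses repeated separators, so the
# path still resolves. A detection must therefore tolerate "\\".
RUN_VALUE = r"C:\Users\Admin\AppData\Roaming\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe"

# Constructed sample events (timestamps are assumed, PIDs follow the report).
SAMPLE_EVENTS = [
    {"ts": "2021-01-25T08:35:10", "type": "process", "pid": 1652, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\m)hhm.exe"},
    {"ts": "2021-01-25T08:35:11", "type": "process", "pid": 2032, "ppid": 1652,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /C VOL"},
    {"ts": "2021-01-25T08:35:12", "type": "process", "pid": 1264, "ppid": 1652,
     "image": r"C:\Windows\SysWOW64\systeminfo.exe", "cmdline": "systeminfo"},
    {"ts": "2021-01-25T08:35:13", "type": "process", "pid": 336, "ppid": 1652,
     "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    {"ts": "2021-01-25T08:35:14", "type": "process", "pid": 1164, "ppid": 1652,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /C "wmic logicaldisk get caption,description,drivetype,providername,size"'},
    {"ts": "2021-01-25T08:35:15", "type": "process", "pid": 1560, "ppid": 1164,
     "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic logicaldisk get caption,description,drivetype,providername,size"},
    {"ts": "2021-01-25T08:35:16", "type": "registry", "pid": 1156,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Driveupd", "value": RUN_VALUE},
    # Assumed beacon shape: the report gives the C2 URL prefix and a Go default UA, not the id_name value.
    {"ts": "2021-01-25T08:35:20", "type": "network", "pid": 1652, "dst": "89.37.226.148",
     "url": "http://89.37.226.148/technet-support/library/online-service-description.php?id_name=HOST",
     "user_agent": "Go-http-client/1.1"},
    # Benign noise: an admin running systeminfo on its own must not trip the recon rule.
    {"ts": "2021-01-25T09:00:00", "type": "process", "pid": 4000, "ppid": 3000,
     "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
]

RECON_TOOLS = {"systeminfo.exe", "tasklist.exe", "wmic.exe"}
RUN_KEY_FRAGMENT = "\\software\\microsoft\\windows\\currentversion\\run\\"
# %APPDATA%\<dir>\{GUID}\<name>.exe, tolerating the doubled separators seen in the report.
APPDATA_GUID_EXE = re.compile(
    r"\\+appdata\\+roaming\\+[^\\]+\\+\{[0-9a-f-]{36}\}\\+[^\\]+\.exe$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def origin(pid, procs):
    """Walk up through cmd.exe wrappers so `cmd /C wmic ...` is attributed to the real spawner."""
    while pid in procs:
        parent = procs[pid]["ppid"]
        if parent not in procs or basename(procs[parent]["image"]) != "cmd.exe":
            return parent
        pid = parent
    return pid


def detect_recon_burst(events, window=timedelta(seconds=60), min_tools=3):
    """Return origin PIDs whose descendants ran >= min_tools distinct recon tools within `window`."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    seen = defaultdict(list)
    for e in procs.values():
        tool = basename(e["image"])
        if tool in RECON_TOOLS:
            seen[origin(e["pid"], procs)].append((datetime.fromisoformat(e["ts"]), tool))
    hits = []
    for pid, obs in seen.items():
        obs.sort()
        for i, (t0, _) in enumerate(obs):
            if len({t for ts, t in obs[i:] if ts - t0 <= window}) >= min_tools:
                hits.append(pid)
                break
    return hits


def detect_run_key_persistence(events):
    """Return (value name, target) for Run-key writes whose target is an exe in an %APPDATA% {GUID} dir."""
    return [(e["key"].rsplit("\\", 1)[-1], e["value"]) for e in events
            if e["type"] == "registry" and RUN_KEY_FRAGMENT in e["key"].lower()
            and APPDATA_GUID_EXE.search(e["value"])]


def detect_go_beacon(events, c2_path="/technet-support/library/online-service-description.php"):
    """Return URLs requested with Go's default User-Agent (Go-http-client/<ver>) on the reported C2 path."""
    return [e["url"] for e in events if e["type"] == "network"
            and e.get("user_agent", "").lower().startswith("go-http-client/")
            and c2_path in e["url"]]


if __name__ == "__main__":
    print("recon origins:", detect_recon_burst(SAMPLE_EVENTS))
    print("run keys:", detect_run_key_persistence(SAMPLE_EVENTS))
    print("beacons:", detect_go_beacon(SAMPLE_EVENTS))
```

The recon rule deliberately attributes children of cmd.exe to the process that launched cmd, otherwise each "cmd /C ..." wrapper looks like a separate, harmless one-off; "cmd /C VOL" is left out of RECON_TOOLS because on its own it is far too common to alert on. The Run key check matches on the target path shape rather than the specific GUID or the name Driveupd, since both are trivially changed between builds.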

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1652-2-0x0000000000400000-0x000000000079B000-memory.dmp (3.6MB)
  • memory/1652-3-0x0000000075571000-0x0000000075573000-memory.dmp (8KB)