Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    155s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2022, 02:20

General

  • Target

    cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe

  • Size

    148KB

  • MD5

    475f7bfbdd649d939feb3982688e214f

  • SHA1

    0a317fd6571db6e7770cf4084cdb3050f036e625

  • SHA256

    cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419

  • SHA512

    b2d9cca9c916bd556a3b1241aa09ae1ec3ca5000d7307d9d6946fb8243f76737e07f86011edb0e9bb0229445771fb2313b64b7a543c4d7950aa8ec0c665a1331

  • SSDEEP

    1536:YvtawKCWgxdXv82Oj+P2YegT/CjgmeJs2wAj:Yv+Iv8tjkLegT/8gmeTj

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 3 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
    "C:\Users\Admin\AppData\Local\Temp\cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c cacls C:\Windows /e /p everyone:f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows /e /p everyone:f
        3⤵
          PID:3140
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
          3⤵
            PID:3120
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c sc config ekrn start= disabled
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3928
          • C:\Windows\SysWOW64\sc.exe
            sc config ekrn start= disabled
            3⤵
            • Launches sc.exe
            PID:3108
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c taskkill /im ekrn.exe /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1824
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im ekrn.exe /f
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:900
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c taskkill /im egui.exe /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3036
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im egui.exe /f
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4272
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c taskkill /im ScanFrm.exe /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3080
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im ScanFrm.exe /f
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:736
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe func.dll, droqp
          2⤵
            PID:3880
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /all
            2⤵
            • Gathers network information
            PID:4916
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k netsvcs -p
          1⤵
          • Drops file in System32 directory
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:608

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\func.dll

          Filesize

          37KB

          MD5

          f384de596b479af7460d2c683928bdb5

          SHA1

          bd51d3f1fa4d7b7bf6d3b26d5170e2356e9e01f5

          SHA256

          5a8e8691be891df1fa4ed90103f6f46e306c3349d3ad00b436ecd26de964d635

          SHA512

          1eb57475029ec482c33dae53f266dd6ab1b6b9d51628b7760218ce51faaba5f4a381769e1e5306a5aeadfa67d3b89e73f9b822bfbe1dd66441a8e6ff816c2809

        • C:\Windows\phpq.dll

          Filesize

          44KB

          MD5

          8a3559366a132dbcee7b52caf877f338

          SHA1

          b29b585789723848b5cd49b7a6f2dbef600ed7b3

          SHA256

          922d81604bf3edbac51ceeeb79f85384d81113418bc6fcf0fa025c0ce3f41fe0

          SHA512

          aa53fd48ef9a3281dc56a1eb59ccf82fbb9cb1291d89233541352066659c05fb9b158d1e542937c97def38597c0fe683c75320c747dd9a6f36c9e3fb1359fcdd

        • memory/1512-132-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/1512-147-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB