Analysis
- max time kernel: 155s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/09/2022, 02:20
Static task: static1
Behavioral task: behavioral1
- Sample: cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
- Resource: win10v2004-20220812-en
General
- Target: cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
- Size: 148KB
- MD5: 475f7bfbdd649d939feb3982688e214f
- SHA1: 0a317fd6571db6e7770cf4084cdb3050f036e625
- SHA256: cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419
- SHA512: b2d9cca9c916bd556a3b1241aa09ae1ec3ca5000d7307d9d6946fb8243f76737e07f86011edb0e9bb0229445771fb2313b64b7a543c4d7950aa8ec0c665a1331
- SSDEEP: 1536:YvtawKCWgxdXv82Oj+P2YegT/CjgmeJs2wAj:Yv+Iv8tjkLegT/8gmeTj
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\drivers\pcidump.sys | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
- Drops autorun.inf file (1 TTPs, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File created | C:\autorun.inf | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
  File opened for modification | C:\autorun.inf | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\func.dll | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9BD8CA53-E83F-4F3D-B47E-64F3EC08DC72}.catalogItem | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{30125199-E203-493D-AB7C-4733C6B2EB81}.catalogItem | svchost.exe
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\phpq.dll | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
- Launches sc.exe (1 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  3108 | sc.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
- Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
  pid | Process
  4916 | ipconfig.exe
- Kills process with taskkill (3 IoCs)
  pid | Process
  736 | taskkill.exe
  900 | taskkill.exe
  4272 | taskkill.exe
- Suspicious behavior: LoadsDriver (1 IoCs)
  pid | Process
  648 | Process not Found
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 736 | taskkill.exe
  Token: SeDebugPrivilege | 4272 | taskkill.exe
  Token: SeDebugPrivilege | 900 | taskkill.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
  description | pid | Process | procid_target
  PID 1512 wrote to memory of 1880 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 75
  PID 1512 wrote to memory of 1880 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 75
  PID 1512 wrote to memory of 1880 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 75
  PID 1512 wrote to memory of 2036 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 76
  PID 1512 wrote to memory of 2036 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 76
  PID 1512 wrote to memory of 2036 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 76
  PID 1512 wrote to memory of 3928 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 77
  PID 1512 wrote to memory of 3928 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 77
  PID 1512 wrote to memory of 3928 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 77
  PID 1512 wrote to memory of 1824 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 78
  PID 1512 wrote to memory of 1824 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 78
  PID 1512 wrote to memory of 1824 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 78
  PID 1512 wrote to memory of 3036 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 80
  PID 1512 wrote to memory of 3036 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 80
  PID 1512 wrote to memory of 3036 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 80
  PID 1512 wrote to memory of 3080 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 81
  PID 1512 wrote to memory of 3080 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 81
  PID 1512 wrote to memory of 3080 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 81
  PID 3036 wrote to memory of 4272 | 3036 | cmd.exe | 89
  PID 3036 wrote to memory of 4272 | 3036 | cmd.exe | 89
  PID 3036 wrote to memory of 4272 | 3036 | cmd.exe | 89
  PID 1824 wrote to memory of 900 | 1824 | cmd.exe | 88
  PID 1824 wrote to memory of 900 | 1824 | cmd.exe | 88
  PID 1824 wrote to memory of 900 | 1824 | cmd.exe | 88
  PID 3080 wrote to memory of 736 | 3080 | cmd.exe | 87
  PID 3080 wrote to memory of 736 | 3080 | cmd.exe | 87
  PID 3080 wrote to memory of 736 | 3080 | cmd.exe | 87
  PID 3928 wrote to memory of 3108 | 3928 | cmd.exe | 90
  PID 3928 wrote to memory of 3108 | 3928 | cmd.exe | 90
  PID 3928 wrote to memory of 3108 | 3928 | cmd.exe | 90
  PID 1880 wrote to memory of 3140 | 1880 | cmd.exe | 91
  PID 1880 wrote to memory of 3140 | 1880 | cmd.exe | 91
  PID 1880 wrote to memory of 3140 | 1880 | cmd.exe | 91
  PID 2036 wrote to memory of 3120 | 2036 | cmd.exe | 92
  PID 2036 wrote to memory of 3120 | 2036 | cmd.exe | 92
  PID 2036 wrote to memory of 3120 | 2036 | cmd.exe | 92
  PID 1512 wrote to memory of 3880 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 94
  PID 1512 wrote to memory of 3880 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 94
  PID 1512 wrote to memory of 3880 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 94
  PID 1512 wrote to memory of 4916 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 95
  PID 1512 wrote to memory of 4916 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 95
  PID 1512 wrote to memory of 4916 | 1512 | cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\cf3b3867bcaa43291397b34a5d5aef730ecf529c2e53d898a98bcc39a572a419.exe"
  PID: 1512
  Signatures: Drops file in Drivers directory; Loads dropped DLL; Drops autorun.inf file; Drops file in System32 directory; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command: cmd /c cacls C:\Windows /e /p everyone:f
    PID: 1880
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cacls.exe
      Command: cacls C:\Windows /e /p everyone:f
      PID: 3140
  - C:\Windows\SysWOW64\cmd.exe
    Command: cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    PID: 2036
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cacls.exe
      Command: cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
      PID: 3120
  - C:\Windows\SysWOW64\cmd.exe
    Command: cmd /c sc config ekrn start= disabled
    PID: 3928
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe
      Command: sc config ekrn start= disabled
      PID: 3108
      Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\cmd.exe
    Command: cmd /c taskkill /im ekrn.exe /f
    PID: 1824
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command: taskkill /im ekrn.exe /f
      PID: 900
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command: cmd /c taskkill /im egui.exe /f
    PID: 3036
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command: taskkill /im egui.exe /f
      PID: 4272
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command: cmd /c taskkill /im ScanFrm.exe /f
    PID: 3080
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command: taskkill /im ScanFrm.exe /f
      PID: 736
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe func.dll, droqp
    PID: 3880
  - C:\Windows\SysWOW64\ipconfig.exe
    Command: ipconfig /all
    PID: 4916
    Signatures: Gathers network information
- C:\Windows\System32\svchost.exe
  Command: C:\Windows\System32\svchost.exe -k netsvcs -p
  PID: 608
  Signatures: Drops file in System32 directory; Checks processor information in registry; Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 37KB
  MD5: f384de596b479af7460d2c683928bdb5
  SHA1: bd51d3f1fa4d7b7bf6d3b26d5170e2356e9e01f5
  SHA256: 5a8e8691be891df1fa4ed90103f6f46e306c3349d3ad00b436ecd26de964d635
  SHA512: 1eb57475029ec482c33dae53f266dd6ab1b6b9d51628b7760218ce51faaba5f4a381769e1e5306a5aeadfa67d3b89e73f9b822bfbe1dd66441a8e6ff816c2809
- Filesize: 44KB
  MD5: 8a3559366a132dbcee7b52caf877f338
  SHA1: b29b585789723848b5cd49b7a6f2dbef600ed7b3
  SHA256: 922d81604bf3edbac51ceeeb79f85384d81113418bc6fcf0fa025c0ce3f41fe0
  SHA512: aa53fd48ef9a3281dc56a1eb59ccf82fbb9cb1291d89233541352066659c05fb9b158d1e542937c97def38597c0fe683c75320c747dd9a6f36c9e3fb1359fcdd