Analysis
max time kernel: 92s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 19/09/2022, 07:42
Static task: static1
Behavioral task: behavioral1
  Sample: 77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
  Resource: win10v2004-20220812-en
General
Target: 77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
Size: 116KB
MD5: 9f00d80eb835f7f484268d57e6a6ef03
SHA1: 6497fceeb3aca83dc5ef8cc2ef0b1e3ae99bb7c8
SHA256: 77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe
SHA512: e2f9c946c06ad45f315723d7540b8372d1a3d3b6ace3c21f9ecd771918e74130e18148c8615e30aab7d5e6d46218a2eba5a3e286e7de0bd02338e0450ff5947d
SSDEEP: 768:KBdqsf0UiNVqTIF+GCgqqIVQIJ8T7R4jpz:Q0jUmQdQIJW7REd
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2032 | r05012.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2032 | r05012.exe
- Drops file in System32 directory (9 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\rpcss.dll | r05012.exe
  File opened for modification | C:\Windows\SysWOW64\rpcss.dll | r05012.exe
  File created | C:\Windows\SysWOW64\sh05012.dll | r05012.exe
  File created | C:\Windows\SysWOW64\r05012.exe | 77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
  File opened for modification | C:\Windows\SysWOW64\r05012.exe | 77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
  File created | C:\Windows\SysWOW64\sh05012.ini | r05012.exe
  File created | C:\Windows\SysWOW64\csrss.dll | r05012.exe
  File opened for modification | C:\Windows\SysWOW64\csrss.dll | r05012.exe
  File opened for modification | C:\Windows\SysWOW64\sh05012.dll | r05012.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2032 | r05012.exe
  2032 | r05012.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2032 | r05012.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2420 wrote to memory of 2032 | 2420 | 77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe | 78
  PID 2420 wrote to memory of 2032 | 2420 | 77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe | 78
  PID 2420 wrote to memory of 2032 | 2420 | 77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe | 78
  PID 2032 wrote to memory of 3060 | 2032 | r05012.exe | 43
Processes
1. C:\Windows\Explorer.EXE (PID:3060)
   Command line: C:\Windows\Explorer.EXE
   2. C:\Users\Admin\AppData\Local\Temp\77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe (PID:2420)
      Command line: "C:\Users\Admin\AppData\Local\Temp\77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe"
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\r05012.exe (PID:2032)
         Command line: C:\Windows\system32\r05012.exe C:\Users\Admin\AppData\Local\Temp\~e56d016.~~~ test C:\Users\Admin\AppData\Local\Temp\77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 45KB
  MD5: 7af0a427adbeb10d8fd085ac286e0133
  SHA1: 210ba973ea23dc266b44554cd2e5c62874173857
  SHA256: 2954ed080ca4b5dd141f164982004aa0fd18cc82f0ad59b695f50139b29b3b05
  SHA512: b9c54a41207e9c40d2ac31d333fced14ca4fa44353b89b320aa08d6ed22d7b0cafcbb59fc2879ddb1f87fae77df3e02fec6d90d7d626c7e52eb7ecee30ace222
- Filesize: 60KB
  MD5: 889b99c52a60dd49227c5e485a016679
  SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641