Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

keyauth By...s..scr

windows7-x64

10

keyauth By...s..scr

windows10-2004-x64

10

Resubmissions

22/09/2022, 11:18

220922-nektgabcf6 10

22/09/2022, 11:03

220922-m5pdxafacl 10

Analysis

  • max time kernel
    207s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    22/09/2022, 11:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    keyauth Bypass‮nls..scr

  • Size

    2.6MB

  • MD5

    5361a2f1d174599ebc5b6cc31daf86f2

  • SHA1

    ade74d0abac77203629b81513a739f11b39a52ef

  • SHA256

    55af1ee79176f2503dc6cee5464344e6bbcaa4e37b4ae7217922c8e56ec395cf

  • SHA512

    96381c583b975e4c2cd7ec70bd955936c48a9737036234241e37e73baf81c96cb28ab28d2fe3c53ed1e8ce0be641fba653d7e6877770cb8f60fb32f2c7b703b4

  • SSDEEP

    49152:j8ASxr7FEi5LbunhHpj5G3FVhIdag5SNHeGJWrz:jTSt7FEGnCdpj5G3FVq18gGJ

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1392
    • C:\Users\Admin\AppData\Local\Temp\keyauth Bypass‮nls..scr
      "C:\Users\Admin\AppData\Local\Temp\keyauth Bypass‮nls..scr" /S
      2⤵
      • Modifies WinLogon for persistence
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Gngwnbcqyucvbwsgwyojoproject.sln
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:320
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Gngwnbcqyucvbwsgwyojoproject.sln"
          4⤵
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:1132

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Gngwnbcqyucvbwsgwyojoproject.sln
    Filesize

    1KB

    MD5

    aeee58518da7889951bf8aae1696ce79

    SHA1

    a7fe2d1ca76bbdf519a724baf714cb53341617ac

    SHA256

    e85a8310a266e15e043261400ef7caef5f19d5fb60fff0c359db292d172e2ca7

    SHA512

    f54e34e805225b7d56e1a9a48b5f41939c4a525dfdd9d8f718161794f66bcfb66459689738615be8eccd54998ec173c24b565c8252b09ca0e23c62117f18b77b

    Download Submit

  • memory/320-57-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1132-60-0x00000000758B1000-0x00000000758B3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1392-65-0x0000000006940000-0x000000000699C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/1448-58-0x00000000022C7000-0x00000000022E6000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1448-54-0x0000000000BD0000-0x0000000000E70000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/1448-55-0x000000001B120000-0x000000001B384000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1448-62-0x0000000077190000-0x0000000077339000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1448-63-0x0000000077190000-0x0000000077339000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1448-64-0x00000000022C7000-0x00000000022E6000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1448-66-0x00000000022C7000-0x00000000022E6000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1448-67-0x0000000077190000-0x0000000077339000-memory.dmp

    Filesize

    1.7MB

    Download