Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2022, 03:45 UTC

General

  • Target

    67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe

  • Size

    75KB

  • MD5

    65d05269c8ed2a2c71376fbe3ae740f0

  • SHA1

    6d5fab16ffcddee7c55be06c74bde9eab0ff1bc6

  • SHA256

    67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e

  • SHA512

    120a18cf857713e13ff5f553c722e169c8c4b0cc52dff715e21c9513543044f00d3e525374a4bf7ec4b8582d6b1ad7abc7de7f7579745cf7aec3451a39d413fa

  • SSDEEP

    1536:Of8Rk+51yRVnQdUfyHRjuR2BHUBVZOXX2E/FZL7/:iaTy7Qd2yHRmuHULTE/FV7/

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 43 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    PID:480
  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k RPCSS
        PID:664
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
        PID:740
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalService
        PID:832
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k NetworkService
        PID:292
      • C:\Windows\System32\spoolsv.exe
        C:\Windows\System32\spoolsv.exe
        PID:272
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
        PID:1028
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        PID:872
          • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
            wmiadap.exe /F /T /R
            PID:1764
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
        PID:796
          • C:\Windows\system32\Dwm.exe
            "C:\Windows\system32\Dwm.exe"
            PID:1396
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        PID:588
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        PID:1260
      • C:\Windows\system32\sppsvc.exe
        C:\Windows\system32\sppsvc.exe
        PID:680
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
        PID:1804
      • C:\Windows\SysWOW64\nyrtuc.exe
        C:\Windows\SysWOW64\nyrtuc.exe
        PID:972
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    PID:420
  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    PID:380
  • C:\Windows\system32\wininit.exe
    wininit.exe
    PID:368
      • C:\Windows\system32\lsm.exe
        C:\Windows\system32\lsm.exe
        PID:488
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    PID:1424
      • C:\Users\Admin\AppData\Local\Temp\67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe
        "C:\Users\Admin\AppData\Local\Temp\67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e.exe"
        PID:900
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious behavior: RenamesItself
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory

Network

  • 103.247.88.146:1288
    nyrtuc.exe
    152 B
    3
  • 103.247.88.146:1288
    nyrtuc.exe
    152 B
    3
  • 103.247.88.146:1288
    nyrtuc.exe
    152 B
    3
  • 103.247.88.146:1288
    nyrtuc.exe
    152 B
    3
  • 103.247.88.146:1288
    nyrtuc.exe
    152 B
    3
  • 103.247.88.146:1288
    nyrtuc.exe
    52 B
    1

MITRE ATT&CK Enterprise v6


Downloads

  • C:\WINDOWS\SysWOW64\NYRTUC.EXE

    Filesize

    75KB

    MD5

    65d05269c8ed2a2c71376fbe3ae740f0

    SHA1

    6d5fab16ffcddee7c55be06c74bde9eab0ff1bc6

    SHA256

    67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e

    SHA512

    120a18cf857713e13ff5f553c722e169c8c4b0cc52dff715e21c9513543044f00d3e525374a4bf7ec4b8582d6b1ad7abc7de7f7579745cf7aec3451a39d413fa

  • C:\Windows\SysWOW64\nyrtuc.exe

    Filesize

    75KB

    MD5

    65d05269c8ed2a2c71376fbe3ae740f0

    SHA1

    6d5fab16ffcddee7c55be06c74bde9eab0ff1bc6

    SHA256

    67062d71e2b97502280296529ed52439993d4a51bc5edc434f83b1515393cc3e

    SHA512

    120a18cf857713e13ff5f553c722e169c8c4b0cc52dff715e21c9513543044f00d3e525374a4bf7ec4b8582d6b1ad7abc7de7f7579745cf7aec3451a39d413fa

  • \Windows\SysWOW64\gei33.dll

    Filesize

    84KB

    MD5

    4ec8aa41321a32ff157d1a4c6808d301

    SHA1

    f266be7a588232faf55d7367de3bbec0b44e7416

    SHA256

    eb4b825d6e6335952fcf9eb93a0e3808cc4955345d688909a781cca7f9a8f918

    SHA512

    e66ff26be4a0a2f521830a0914280772b3ba617b185ba8ead6c60d48e7f75d20da0c2014f5ed0f3d97c60f9d8e2eec5dab867f275fd48cf7dd2faa89df79c5b9

  • memory/900-55-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/900-56-0x000000007EF90000-0x000000007EF9C000-memory.dmp

    Filesize

    48KB

  • memory/972-57-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/972-60-0x0000000076071000-0x0000000076073000-memory.dmp

    Filesize

    8KB

  • memory/972-61-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB
