Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    20/10/2022, 06:49

General

  • Target

    71adda8fa5a923661084ec74ec3aac38bef4d7efdc264d8ed2a5bead8283a753.exe

  • Size

    32KB

  • MD5

    814fe4f5499e9e2190c9afc803193b5e

  • SHA1

    0a965f75f670d5a697785b28fc3d7e33e029ef0b

  • SHA256

    71adda8fa5a923661084ec74ec3aac38bef4d7efdc264d8ed2a5bead8283a753

  • SHA512

    d3da9e56e2a9c97f7351ad41e75c5bf072a087fe5ef59c0cf24f7dfa038e62d6f0ad236295a6568489d8e64bdfc39ae04b06099549e955d94785b1444a5683ef

  • SSDEEP

    768:nRIluOtkU2CW2sfHx1GsPCcA6fxVgj3tjNrldHBkcsxNb3+:RBOtVAp9AAxVgjdj/tsXb3+

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
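
The "Sets file execution options in registry" hit refers to writes under the Image File Execution Options (IFEO) key, ATT&CK T1546.012: a Debugger value on a subkey named after an executable makes Windows launch the named debugger (with the original program as its argument) whenever that executable starts, which is how malware swaps itself in for security tools or redirects them to nothing. This report does not list which image names the sample registered. The following is an added example, not part of the Triage report or the sample: an offline checker for a `reg export` of the IFEO key that lists every Debugger value (native and Wow6432Node) and flags those whose executable sits in a user-writable directory. The `.reg` text, the image names `hypothetical_av.exe` and `hijack.exe`, and the path heuristic are constructed for illustration.

```python
r"""Offline check for Image File Execution Options (IFEO) Debugger hijacks.

Input is the text of
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
(reg.exe writes UTF-16LE with a BOM; open the file with encoding="utf-16").
"""
import re
from typing import List

IFEO_KEY_RE = re.compile(
    r"^\[(?P<key>HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows NT"
    r"\\CurrentVersion\\Image File Execution Options\\(?P<image>[^\\\]]+))\]$",
    re.IGNORECASE,
)
# "Name"="data" lines; .reg escapes backslash and double quote with a backslash.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)+)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Heuristic, not a rule: a debugger under a user-writable path is the malware
# pattern; legitimate users of IFEO (procdump -i, WinDbg) live under
# Program Files or Windows.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample export; this page does not list which image names the
# sample registered, so the entries below are hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hypothetical_av.exe]
"Debugger"="C:\\Users\\Admin\\AppData\\Local\\Temp\\hijack.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Sysinternals\\procdump.exe\" -accepteula -ma"
'''


def _unescape(s: str) -> str:
    # .reg string escaping: backslash-backslash -> backslash, backslash-quote -> quote
    return re.sub(r"\\(.)", r"\1", s)


def parse_ifeo(reg_text: str) -> List[dict]:
    """One record per IFEO subkey (native or Wow6432Node) carrying a Debugger value."""
    hits: List[dict] = []
    current = None                      # (key path, image name) of the open section
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):        # section header: only IFEO\<image> keys count
            m = IFEO_KEY_RE.match(line)
            current = (m.group("key"), m.group("image")) if m else None
            continue
        v = VALUE_RE.match(line)
        if current and v and _unescape(v.group("name")).lower() == "debugger":
            hits.append({"key": current[0], "image": current[1],
                         "debugger": _unescape(v.group("data"))})
    return hits


def is_suspicious(debugger: str) -> bool:
    """Executable portion of the Debugger value outside Program Files/Windows,
    or anywhere a standard user can write."""
    d = debugger.lower()
    exe = d[1:].split('"', 1)[0] if d.startswith('"') else d.split(" ", 1)[0]
    if any(marker in exe for marker in USER_WRITABLE):
        return True
    return not (exe.startswith("c:\\program files") or exe.startswith("c:\\windows\\"))


def report(reg_text: str) -> List[dict]:
    """parse_ifeo() plus the suspicious flag on each record."""
    return [dict(h, suspicious=is_suspicious(h["debugger"])) for h in parse_ifeo(reg_text)]


if __name__ == "__main__":
    for h in report(SAMPLE_REG):
        print(f"{'SUSPICIOUS' if h['suspicious'] else 'ok':10} {h['image']:20} -> {h['debugger']}")
```

On a live host the same logic can be run against `winreg` instead of an export; the point of the heuristic is that a clean machine has no Debugger values at all under IFEO, so every hit deserves a look and the path test only orders them.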

Processes

  • C:\Users\Admin\AppData\Local\Temp\71adda8fa5a923661084ec74ec3aac38bef4d7efdc264d8ed2a5bead8283a753.exe
    "C:\Users\Admin\AppData\Local\Temp\71adda8fa5a923661084ec74ec3aac38bef4d7efdc264d8ed2a5bead8283a753.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:424
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      2⤵
        PID:3236
      • C:\Users\Admin\AppData\Local\Temp\sd8..exe
        C:\Users\Admin\AppData\Local\Temp\\\sd8..exe
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:980
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe
          3⤵
            PID:5084
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c rd /S /Q \\.\%temp%\as01.exe
            3⤵
              PID:1204
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe
              3⤵
              • Modifies registry class
              PID:4560
            • C:\Users\Admin\AppData\Local\Temp\as01.exe
              C:\Users\Admin\AppData\Local\Temp\\as01.exe 10.127.0.1
              3⤵
              • Executes dropped EXE
              PID:2400
            • C:\Users\Admin\AppData\Local\Temp\as01.exe
              C:\Users\Admin\AppData\Local\Temp\\as01.exe 10.127.0.2
              3⤵
              • Executes dropped EXE
              PID:4024
            • C:\Users\Admin\AppData\Local\Temp\as01.exe
              C:\Users\Admin\AppData\Local\Temp\\as01.exe 10.127.0.3
              3⤵
              • Executes dropped EXE
              PID:1048
            • C:\Users\Admin\AppData\Local\Temp\as01.exe
              C:\Users\Admin\AppData\Local\Temp\\as01.exe 10.127.0.4
              3⤵
              • Executes dropped EXE
              PID:2548
            • C:\Users\Admin\AppData\Local\Temp\as01.exe
              C:\Users\Admin\AppData\Local\Temp\\as01.exe 10.127.0.5
              3⤵
              • Executes dropped EXE
              PID:2580
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
    1⤵
    • Drops file in System32 directory
    PID:1920
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
    1⤵
    PID:3748
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
    1⤵
    • Drops file in System32 directory
    PID:3464
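
The tree above is the useful part of the report: the sample spawns sd8..exe, which writes as01.exe and launches it once per address from 10.127.0.1 to 10.127.0.5 (a consecutive sweep of the sandbox's /24), and deletes it afterwards through a `\\.\` device-namespace path; the 1.6MB DLL in the Downloads list below appears twice with identical hashes, once as a1s1d1.dll and once as urlm10n.dll, a lookalike of the system urlmon.dll. The following is an added example and not part of the Triage report: a parser for this plain-text tree format, in which the `N⤵` markers give nesting depth, so a depth stack recovers each process's parent; from that, the executed dropped files, their PID lineage, and the IPv4 arguments fall out directly. The embedded `TREE` string is an excerpt of the tree on this page (same text, fewer nodes).

```python
"""Parse the plain-text Triage process tree ("N⤵" depth markers) into lineage."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

PROC_RE = re.compile(r"^• (?P<image>[A-Za-z]:\\.+)$")   # bullet naming an image path
DEPTH_RE = re.compile(r"^(?P<depth>\d+)⤵$")              # Triage nesting level
PID_RE = re.compile(r"^PID:(?P<pid>\d+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Excerpt of the tree on this page: the root sample, the sd8..exe dropper with
# its rd command and two of the as01.exe launches, and one svchost.exe root.
TREE = r"""• C:\Users\Admin\AppData\Local\Temp\71adda8fa5a923661084ec74ec3aac38bef4d7efdc264d8ed2a5bead8283a753.exe
  "C:\Users\Admin\AppData\Local\Temp\71adda8fa5a923661084ec74ec3aac38bef4d7efdc264d8ed2a5bead8283a753.exe"
  1⤵
  • Loads dropped DLL
  PID:424
  • C:\Users\Admin\AppData\Local\Temp\sd8..exe
    C:\Users\Admin\AppData\Local\Temp\\\sd8..exe
    2⤵
    • Executes dropped EXE
    • Sets file execution options in registry
    PID:980
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /S /Q \\.\%temp%\as01.exe
      3⤵
      PID:1204
    • C:\Users\Admin\AppData\Local\Temp\as01.exe
      C:\Users\Admin\AppData\Local\Temp\\as01.exe 10.127.0.1
      3⤵
      • Executes dropped EXE
      PID:2400
    • C:\Users\Admin\AppData\Local\Temp\as01.exe
      C:\Users\Admin\AppData\Local\Temp\\as01.exe 10.127.0.2
      3⤵
      • Executes dropped EXE
      PID:4024
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
  1⤵
  • Drops file in System32 directory
  PID:1920
"""


@dataclass
class Proc:
    image: str
    cmdline: str = ""
    pid: int = 0
    tags: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = None


def parse_tree(text: str) -> List[Proc]:
    """Drive-path bullet opens a node; next plain line is its command line; N⤵ sets its parent."""
    procs: List[Proc] = []
    stack: List[Proc] = []          # stack[i] = latest node seen at depth i+1
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROC_RE.match(line):
            cur = Proc(image=m.group("image"))
            procs.append(cur)
        elif cur is None:
            continue
        elif line.startswith("• "):            # a signature hit on this node
            cur.tags.append(line[2:])
        elif m := DEPTH_RE.match(line):
            depth = int(m.group("depth"))
            del stack[depth - 1:]               # drop siblings and deeper nodes
            cur.parent = stack[-1] if stack else None
            stack.append(cur)
        elif m := PID_RE.match(line):
            cur.pid = int(m.group("pid"))
        elif not cur.cmdline:
            cur.cmdline = line
    return procs


def lineage(p: Proc) -> str:
    """PID chain from the root, e.g. '424 > 980 > 2400'."""
    chain = []
    while p is not None:
        chain.append(str(p.pid))
        p = p.parent
    return " > ".join(reversed(chain))


def dropped_exe_launches(procs: List[Proc]) -> List[Proc]:
    return [p for p in procs if "Executes dropped EXE" in p.tags]


def scan_targets(procs: List[Proc]) -> List[str]:
    """IPv4 literals on command lines, first-seen order (the as01.exe sweep)."""
    return list(dict.fromkeys(ip for p in procs for ip in IPV4_RE.findall(p.cmdline)))


if __name__ == "__main__":
    procs = parse_tree(TREE)
    for p in dropped_exe_launches(procs):
        print(f"{lineage(p):>16}  {p.cmdline}")
    print("scan targets:", scan_targets(procs))
```

Feeding it the full tree gives five targets and five as01.exe launches all parented to PID 980; the same lineage strings are what to match against EDR process-creation telemetry (parent image sd8..exe in %temp%, child as01.exe with a bare IP argument).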

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\a1s1d1.dll
    Filesize
    1.6MB
    MD5
    e0e12856ca90be7f5ab8dfc0f0313078
    SHA1
    cc5accf48b8e6c2fd39d1f800229cdbb54305518
    SHA256
    81ec3e3c98e5f0af0dca21b9f08f2be445b46df2ca2354eaf3523bddcb125619
    SHA512
    162c56367dca2291117f2391951970273969518b0db2bbc5d51c458173a8028c88d9dfd93aef01ed05b369f953e2953cc6be252daeb17556dbc33e5383900fa6
  • C:\Users\Admin\AppData\Local\Temp\as01.exe (listed six times, identical hashes)
    Filesize
    3KB
    MD5
    0ba4f5222dc67c5564897193eec15302
    SHA1
    7e75035c5b7dfbb2f13b8e4f68d91865b2667bd9
    SHA256
    5c68761b4d02815e710475c47633185655ba4077d24672bc1096fcbb649cd8cc
    SHA512
    872e38aae059b434b7bc9f3e646ca795fbec00d677bc44d026a12fa3b473dcc4f77f4a14c734de1826fa83db10e791145c350552cc25aa21dd8fd751d74fecda
  • C:\Users\Admin\AppData\Local\Temp\sd8..exe (listed twice, identical hashes)
    Filesize
    18KB
    MD5
    4fd3fdabef4b8947d96e4685367cc9fe
    SHA1
    025fc37212e7935a7820278a3dfd57a1b7c000f2
    SHA256
    6d7d1dc6416725217d24d5448b93ae597d48eb474793c1d5cfec893d8a609fd2
    SHA512
    4796a3f8a8d84890fe545373b883d9e8cb9f120a5a09b134192a1a7c3b2e5633291ad41f00598ff3869d48fd9beb397eb76e26a0815f0dc81a81345f48f03863
  • C:\Users\Admin\AppData\Local\Temp\urlm10n.dll (same hashes as a1s1d1.dll)
    Filesize
    1.6MB
    MD5
    e0e12856ca90be7f5ab8dfc0f0313078
    SHA1
    cc5accf48b8e6c2fd39d1f800229cdbb54305518
    SHA256
    81ec3e3c98e5f0af0dca21b9f08f2be445b46df2ca2354eaf3523bddcb125619
    SHA512
    162c56367dca2291117f2391951970273969518b0db2bbc5d51c458173a8028c88d9dfd93aef01ed05b369f953e2953cc6be252daeb17556dbc33e5383900fa6
  • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
    Filesize
    290B
    MD5
    9e15c87b5ec5132a745c077b7fc5c447
    SHA1
    f577e164c932c99c02c148d6f9dbab32dba101af
    SHA256
    e7eb4f8d7d708566409b4a25c9846b07ccb367c8c3301ffa979b14c67c613916
    SHA512
    d0956a694e88f3b9a933bc9f992fd0393a8deee6567eead7a491cbeefbfe8a8864d9bddfe7b1f9a2815099efa646d88b81c335f383bc91ef2b905f84d38e1955
  • memory/1920-145-0x000001B72C9A0000-0x000001B72C9B0000-memory.dmp
    Filesize
    64KB
  • memory/1920-144-0x000001B72C940000-0x000001B72C950000-memory.dmp
    Filesize
    64KB