Analysis

  • max time kernel
    148s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/10/2022, 02:16 UTC

General

  • Target

    c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe

  • Size

    332KB

  • MD5

    5482037ed4aa90a79efafd52f1a43fff

  • SHA1

    f41242a8494a0f678b826096fafa1c4c431b69b8

  • SHA256

    c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9

  • SHA512

    77a3cbe7b18594dc59adaf9f2dbd439440d2deaf0cf553334690168f3213174cea0042710581224ec7414300366242e45e67f52bc167dd77c1bb3571da4191e1

  • SSDEEP

    3072:Gaxvos7J0wbx24Pu++slAhKAFRn1gs4vJi+DhVrfQLDMVKuVbewXRP5/tz:GahlKL+Ah3FV1bcJzDHfeDnuVbewl5/1

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 8 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe
    "C:\Users\Admin\AppData\Local\Temp\c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:1164
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:1972
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:1700
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lsass.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lsass.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lsass.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lsass.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Modifies firewall policy service
        • Modifies registry key
        PID:1032

Network

  • US
    DNS
    2945409702.no-ip.info
    c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe
    Remote address:
    8.8.8.8:53
    Request
    2945409702.no-ip.info
    IN A
    Response
    No results found
  • 8.8.8.8:53
    2945409702.no-ip.info
    dns
    c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe
    67 B
    127 B
    1
    1

    DNS Request

    2945409702.no-ip.info

MITRE ATT&CK Enterprise v6

Downloads

  • memory/768-57-0x0000000076871000-0x0000000076873000-memory.dmp

    Filesize

    8KB