Analysis
max time kernel: 6s
max time network: 2s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 29/10/2022, 01:15
Static task: static1
Behavioral task: behavioral1
  Sample: a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
  Resource: win10v2004-20220812-en
General
Target: a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
Size: 875KB
MD5: 0baf9124d7e983a20ee54e07b5e749d0
SHA1: 6f7b68a0899bffe7c4fc0da6a1f46027341a4c41
SHA256: a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd
SHA512: 4010ae23efaef45bf9527cb2eaf4ab71293da13dcac4d7f417b4098ce338ca063af0e82f3f2225e87bb150ca9009f8c9bfed3c21585c567ade669e153df6ae57
SSDEEP: 12288:FLozg61ikvvA3+Emo7ker5I/DbtSILfXOB3k3V/UnEIOKLS4QLDg:ug6osvA3L7ky5I34ca3UNyTOKLS4Q
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid  | Process
  3592 | win32.exe

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource                                    | yara_rule
  behavioral2/files/0x000400000001e64b-134.dat | agile_net

Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc | Process
  Key created     | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        | pid  | Process | procid_target
  PID 1340 wrote to memory of 3592   | 1340 | a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe | 25
  PID 1340 wrote to memory of 3592   | 1340 | a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe | 25
  PID 1340 wrote to memory of 3592   | 1340 | a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe | 25
Processes

1. C:\Users\Admin\AppData\Local\Temp\a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a1a84928d017b4e1cb529f0f52c67ec9ef524e65792cc8a2108f1844e6c067bd.exe"
   PID: 1340
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win32.exe (child of PID 1340)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win32.exe
      PID: 3592
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
  Filesize: 24KB
  MD5: f798975aec12da698c0f3f65c596da3b
  SHA1: 18fe04e44cfc06342c7f5012ca66cc01e9b07935
  SHA256: b0d454572515ba89bfe098006901a72c0fadfb2e49833e7bfc77aea337ee3bbd
  SHA512: e081aa57857b634641c4c31a07f53ddb93dbd96d5ffd44039e8be40280d82269ce31ffae9ab131fe3afa46273e0d378245461440e4543858f52aaae9023f62d0

File 2
  Filesize: 37KB
  MD5: 753407d444e5c25ac963d7a6886dd676
  SHA1: 3631410e174fc9660c757a74204783ad33a63111
  SHA256: 8a85c61d47efe9b22784c377d92f57bfda0c4ed8c515fbb7633e26463b7a9422
  SHA512: 38299af93d8f910519719ae95c183b666a1ba9b67a29ebbd50f434d47d78676560fc36f62736211a2058618741b0129433b51c5ab243ed60df52abfc54fc1ec7