Analysis
- max time kernel: 162s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/11/2022, 15:30
Static task: static1
Behavioral task: behavioral1
- Sample: 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
- Resource: win10v2004-20221111-en
General
- Target: 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
- Size: 100KB
- MD5: 0a211a2cb79a221b59cd53fa159350d2
- SHA1: 9b34a62a248514dc64c1d91a0edb52fe29028a86
- SHA256: 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8
- SHA512: 805c6c788a6cdac984278494c53e73c586f01902c9e1b5e5a5b89208ba9f710d378a97b861ba0ef19cebe3719cb93207792a9f495d23c91a15898339075859b0
- SSDEEP: 1536:25zsDNdr46AqK/b7xMdIi8stfIEtJxPKWgd8kNycHWf:+67K/b1Qf86xPk8kscHWf
Malware Config
Extracted
- Family: metasploit
- Encoder: encoder/call4_dword_xor
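The extracted config names the x86 call4_dword_xor encoder. Its decoder stub recovers its own address with a `call` that lands on a `pop esi`, then XORs the payload one dword at a time with a 32-bit key that is advanced by adding each decoded dword, stopping at the first dword that decodes to zero. The following Python is an added illustration, not code from the report or from Metasploit: the stub bytes are reproduced from memory of the framework's encoder module and should be treated as an assumption, the NOP padding is my own choice, and the function names are mine. The feedback logic is what the stub visibly implements, so the static `decode` will unwrap a blob that carries this stub regardless of key.

```python
import struct

# Decoder stub as laid out by Metasploit's x86/call4_dword_xor (assumption: byte-exact).
# 0x00  cld
# 0x01  mov  ebx, <key>        ; 4-byte seed key patched in at offset 2
# 0x06  jmp  short +0x0c       ; -> the call at 0x14
# 0x08  pop  esi               ; esi = address of the first encoded dword
# 0x09  push esi               ; saved so the final ret lands on the payload
# 0x0a  xor  [esi], ebx        ; decode one dword in place
# 0x0c  lodsd                  ; eax = decoded dword, esi += 4
# 0x0d  add  ebx, eax          ; additive feedback: key += decoded dword
# 0x0f  test eax, eax
# 0x11  jnz  short -0x09       ; loop until a dword decodes to zero
# 0x13  ret                    ; pops the saved esi -> jumps into the payload
# 0x14  call -0x11             ; pushes 0x19, i.e. the payload address
STUB = (b"\xfc\xbb" + b"XORK"
        + b"\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3"
        + b"\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff")
KEY_OFFSET = 2              # the immediate of "mov ebx, <key>"
PAYLOAD_OFFSET = len(STUB)  # 25: first encoded dword follows the call
MASK = 0xFFFFFFFF


def encode(payload: bytes, key: int) -> bytes:
    """Emit stub + encoded dwords + zero terminator for a given 32-bit seed key."""
    payload += b"\x90" * (-len(payload) % 4)  # pad to a dword boundary (my choice: NOPs)
    out = bytearray(STUB)
    struct.pack_into("<I", out, KEY_OFFSET, key & MASK)
    for off in range(0, len(payload), 4):
        (plain,) = struct.unpack_from("<I", payload, off)
        if plain == 0:
            # The stub's stop condition is "decoded dword == 0", so a zero dword
            # inside the plaintext would truncate the payload at run time.
            raise ValueError(f"zero dword at payload offset {off} would stop the decoder early")
        out += struct.pack("<I", plain ^ key)
        key = (key + plain) & MASK  # key += decoded dword
    out += struct.pack("<I", key)   # 0 ^ key: decodes to the terminator
    return bytes(out)


def looks_like_stub(blob: bytes) -> bool:
    """Key-independent stub match (everything except the 4 key bytes)."""
    return (blob[:KEY_OFFSET] == STUB[:KEY_OFFSET]
            and blob[KEY_OFFSET + 4:PAYLOAD_OFFSET] == STUB[KEY_OFFSET + 4:])


def decode(blob: bytes) -> bytes:
    """Statically unwrap a blob that starts with the stub: read the seed key from
    the mov immediate and replay the xor/add feedback up to the zero terminator."""
    if not looks_like_stub(blob):
        raise ValueError("no call4_dword_xor decoder stub at offset 0")
    (key,) = struct.unpack_from("<I", blob, KEY_OFFSET)
    out = bytearray()
    pos = PAYLOAD_OFFSET
    while True:
        if pos + 4 > len(blob):
            raise ValueError("blob ended before the zero terminator")
        (enc,) = struct.unpack_from("<I", blob, pos)
        plain = enc ^ key
        pos += 4
        if plain == 0:
            return bytes(out)
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK


if __name__ == "__main__":
    blob = encode(b"ABCDEFGH", 0x11223344)  # constructed placeholder payload
    print(blob.hex())
    print(decode(blob))
```

Because the key is updated with the decoded dword rather than the encoded one, the keystream depends on the plaintext; a single-key XOR brute force therefore only recovers the first dword, and the seed must be read from the stub (or brute-forced as 32 bits with the feedback replayed) to recover the rest.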
Signatures
(In the rows below, sample.exe stands for 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe.)

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Adds policy Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: sample.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\tcptsys.exe" (process: sample.exe)

Executes dropped EXE (2 IoCs)
- PID 1780: tcptsys.exe
- PID 3724: tcptsys.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (process: sample.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\tcptsys.exe" (process: sample.exe)

Suspicious use of SetThreadContext (2 IoCs)
- PID 3160 (sample.exe) set thread context of PID 232 (procid_target 82)
- PID 1780 (tcptsys.exe) set thread context of PID 3724 (procid_target 84)

Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\tcptsys.exe (process: sample.exe)
- File opened for modification: C:\Windows\tcptsys.exe (process: sample.exe)
- File created: C:\Windows\logfile32.txt (process: tcptsys.exe)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
- PID 232 (sample.exe): 6 events
- PID 3724 (tcptsys.exe): 2 events

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 232 (sample.exe)
- Token: SeDebugPrivilege, PID 3724 (tcptsys.exe)

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 3160 (sample.exe)
- PID 1780 (tcptsys.exe)

Suspicious use of WriteProcessMemory (19 IoCs)
- PID 3160 (sample.exe) wrote to memory of PID 232 (procid_target 82): 8 events
- PID 232 (sample.exe) wrote to memory of PID 1780 (procid_target 83): 3 events
- PID 1780 (tcptsys.exe) wrote to memory of PID 3724 (procid_target 84): 8 events
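The signature rows record raw API calls; the pattern worth alerting on is the combination. Twice in this run a process spawns a child from its own image, writes into it and then calls SetThreadContext on it (3160 to 232, then 1780 to 3724), which is the shape of process hollowing or a similar self-injection (the report itself does not name the technique). The same process that is injected into then writes the Run keys and drops tcptsys.exe, which is executed and repeats the cycle. The following Python is an added example, not part of the tria.ge report, showing detection logic that turns such records into findings. The event stream is constructed from the PIDs, paths and registry values in the report; the record shape, the `_n` helper and the function names are my own.

```python
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe"
DROPPED = r"C:\Windows\tcptsys.exe"


def _n(op, pid, target, count):
    """count identical cross-process events (the report lists every call separately)."""
    return [{"op": op, "pid": pid, "target": target} for _ in range(count)]


# Constructed event stream: PIDs, paths and registry values are the report's,
# the record format and ordering are assumptions for this example.
EVENTS = [
    {"op": "process", "pid": 3160, "ppid": None, "image": SAMPLE},
    {"op": "process", "pid": 232, "ppid": 3160, "image": SAMPLE},
    *_n("WriteProcessMemory", 3160, 232, 8),
    {"op": "SetThreadContext", "pid": 3160, "target": 232},
    {"op": "reg_set", "pid": 232,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "name": "Microsoft Driver Setup", "data": DROPPED},
    {"op": "reg_set", "pid": 232,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" + "\\",
     "name": "Microsoft Driver Setup", "data": DROPPED},
    {"op": "file_create", "pid": 232, "path": DROPPED},
    {"op": "process", "pid": 1780, "ppid": 232, "image": DROPPED},
    *_n("WriteProcessMemory", 232, 1780, 3),   # parent -> child of a different image: no SetThreadContext
    {"op": "process", "pid": 3724, "ppid": 1780, "image": DROPPED},
    *_n("WriteProcessMemory", 1780, 3724, 8),
    {"op": "SetThreadContext", "pid": 1780, "target": 3724},
    {"op": "file_create", "pid": 3724, "path": r"C:\Windows\logfile32.txt"},
]

# Run, RunOnce and the Policies\Explorer\Run variant, with or without a trailing backslash.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run(Once)?\\?$", re.IGNORECASE)


def process_table(events):
    return {e["pid"]: e for e in events if e["op"] == "process"}


def find_self_injection(events):
    """A parent that both writes into and sets the thread context of a child it
    spawned from its own image. Returns (parent_pid, child_pid, image) tuples."""
    procs = process_table(events)
    touched = {}
    for e in events:
        if e["op"] in ("WriteProcessMemory", "SetThreadContext"):
            touched.setdefault((e["pid"], e["target"]), set()).add(e["op"])
    hits = []
    for (src, dst), ops in touched.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= ops:
            parent, child = procs.get(src), procs.get(dst)
            if (parent and child and child["ppid"] == src
                    and child["image"].lower() == parent["image"].lower()):
                hits.append((src, dst, child["image"]))
    return hits


def find_run_key_persistence(events):
    """Registry writes under any of the Run-key paths: (pid, key, name, data)."""
    return [(e["pid"], e["key"], e["name"], e["data"])
            for e in events if e["op"] == "reg_set" and RUN_KEY_RE.search(e["key"])]


def find_dropped_then_executed(events):
    """Files created during the run that later appear as a process image:
    (image, dropping_pid, executing_pid), sorted."""
    procs = process_table(events)
    dropped = {e["path"].lower(): e["pid"] for e in events if e["op"] == "file_create"}
    return sorted({(p["image"], dropped[p["image"].lower()], p["pid"])
                   for p in procs.values() if p["image"].lower() in dropped})


if __name__ == "__main__":
    for finding in find_self_injection(EVENTS):
        print("self-injection:", finding)
    for finding in find_run_key_persistence(EVENTS):
        print("run-key persistence:", finding)
    for finding in find_dropped_then_executed(EVENTS):
        print("dropped and executed:", finding)
```

The image comparison is what keeps the 232 to 1780 writes out of the self-injection finding: a parent writing into a freshly created child is ordinary CreateProcess behaviour, while writing into a second copy of itself and then redirecting its thread is not. On a real host the same logic applies to Sysmon event IDs 1, 8, 10 and 13, or to EDR telemetry, with the constructed records replaced by parsed events.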
Processes
C:\Users\Admin\AppData\Local\Temp\3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe (level 1, PID 3160)
  command line: "C:\Users\Admin\AppData\Local\Temp\3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe (level 2, PID 232)
    command line: "C:\Users\Admin\AppData\Local\Temp\3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe"
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\tcptsys.exe (level 3, PID 1780)
      command line: "C:\Windows\tcptsys.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\tcptsys.exe (level 4, PID 3724)
        command line: "C:\Windows\tcptsys.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Three artifacts are listed, all with the same size and hashes:
- Filesize: 100KB
- MD5: 0a211a2cb79a221b59cd53fa159350d2
- SHA1: 9b34a62a248514dc64c1d91a0edb52fe29028a86
- SHA256: 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8
- SHA512: 805c6c788a6cdac984278494c53e73c586f01902c9e1b5e5a5b89208ba9f710d378a97b861ba0ef19cebe3719cb93207792a9f495d23c91a15898339075859b0