Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    107s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2022, 22:18

General

  • Target

    0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe

  • Size

    51KB

  • MD5

    c17e82db572e189e68bb78c6b768ef01

  • SHA1

    f34ba7ad61d32c38a8c8f984b045e7fddf87880b

  • SHA256

    0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa

  • SHA512

    a733cdec21576fae5019f8568a3acfb5f3a98df0c1002103c5bdc601151f77228f93a4e642b38afb8736d968ade1b6f5392006d459cb42ba861af8cef361ac94

  • SSDEEP

    1536:1B77777J77c77c77c71S1XeilJIr96B77777J77c77c77c7QwurRlKuXp0r:1B77777J77c77c77c71KblJIr96B777k

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Kills process with taskkill 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe
    "C:\Users\Admin\AppData\Local\Temp\0306cc4aab8c7c75f193b1e6f2305690669a9c9e8c63fd10180d2d5c0f8b58fa.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:948
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1712
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:572
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1276
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1064
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2032
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:840
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1368
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:628
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1328
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1456
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1048
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1356

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1952-54-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB