Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    176s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2022, 09:02

General

  • Target

    e42f6dd08dffb9cc32ec8392b614592a5e056bb7a9e81f4dfe5758b12dcbf7aa.exe

  • Size

    130KB

  • MD5

    5bb16aa83e702f599f521c89bbfc6706

  • SHA1

    2a1527ccd4d4a667fcebd1a948bd6a31d4fb4629

  • SHA256

    e42f6dd08dffb9cc32ec8392b614592a5e056bb7a9e81f4dfe5758b12dcbf7aa

  • SHA512

    584dd5bc163b54661a2141b2db3312c1476b7f15babe3478abd7e18e269dc83dce7df19f4c515e91d12c0d42596579eb11f54ac40df98535158d6e5ef479eceb

  • SSDEEP

    3072:3dK5fyVxt6jznO7P/3Qimke50bTc26K49h28uS:3s1OP/3Qimk/fcNvh28f

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Kills process with taskkill 3 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e42f6dd08dffb9cc32ec8392b614592a5e056bb7a9e81f4dfe5758b12dcbf7aa.exe
    "C:\Users\Admin\AppData\Local\Temp\e42f6dd08dffb9cc32ec8392b614592a5e056bb7a9e81f4dfe5758b12dcbf7aa.exe"
    1⤵
    • Drops startup file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /im iResearchiClick.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1232
    • C:\Users\Admin\AppData\Local\Temp\e42f6dd08dffb9cc32ec8392b614592a5e056bb7a9e81f4dfe5758b12dcbf7aa.exe
      C:\Users\Admin\AppData\Local\Temp\e42f6dd08dffb9cc32ec8392b614592a5e056bb7a9e81f4dfe5758b12dcbf7aa.exe
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1220
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /im internat.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5024
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /im internat.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3008
    • C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\1.reg
      2⤵
      • Adds Run key to start application
      • Runs .reg file with regedit
      PID:1568

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\1.reg

    Filesize

    171B

    MD5

    371f0901bdf322834c33882bb4948bdc

    SHA1

    8aa342e78b3ba40569fec467f92e22a3b612c9e9

    SHA256

    4ad2483a1312d5ec44ce7aa920815a7debd41a4c6d5347dbc4999cb580220b75

    SHA512

    135f3d74cd1df0bffde238901e9e9ffa55ae039db66f5beae2977acddf79ef86b217324b741533b6e1860d480917060412bf15b6b1f3038c2229c282855ed96e