Analysis
-
max time kernel
170s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
29/11/2022, 11:40
Static task
static1
Behavioral task
behavioral1
Sample
aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe
Resource
win7-20220812-en
General
-
Target
aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe
-
Size
367KB
-
MD5
57ee1776dcfc28eb2caf2161abf28222
-
SHA1
f7f5b21bd964af0c7abd2b58cc67ab145958cd73
-
SHA256
aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1
-
SHA512
e5dedc86c8359959a640445402891c44169757979c4b2675c5a4fdbb8eb4691e326ead1dbc733964c515a730f508768e9dfdab69a7e86ea8f09adad7616f952e
-
SSDEEP
6144:fu63+CQEg2GU/D6c27r2iCw/uQwDlUgFp9g+nTQw/pokXsl0U69do0HFY02Kt7Je:G65QD2+c2Zf/VClUgFXg+Tz/pSSUod9S
Malware Config
Extracted
cybergate
2.6
fud
silent-hilll.no-ip.biz:81
silent-hilll.no-ip.biz:2000
silent-hilll.no-ip.biz:2010
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
msn.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
título da mensagem
-
password
123
-
regkey_hkcu
win32
-
regkey_hklm
win32
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\msn.exe" | vbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\msn.exe" | vbc.exe
-
Executes dropped EXE 1 IoCs
pid | Process
3984 | msn.exe
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\msn.exe Restart" | vbc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\msn.exe" | explorer.exe
-
resource | yara_rule
behavioral2/memory/4516-133-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/4516-135-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/4516-136-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/4516-138-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/4516-140-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral2/memory/4516-145-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/2368-148-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/2368-151-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/4516-153-0x00000000240F0000-0x0000000024152000-memory.dmp | upx
behavioral2/memory/4516-158-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral2/memory/3224-161-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral2/memory/4516-162-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/3224-163-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral2/memory/3224-166-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startup75 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\myserver.exe" | aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Windows\\system32\\install\\msn.exe" | vbc.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Windows\\system32\\install\\msn.exe" | vbc.exe
-
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\install\msn.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\install\msn.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\install\msn.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\install\ | vbc.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4248 set thread context of 4516 | 4248 | aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe | 79
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | vbc.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4516 | vbc.exe
4516 | vbc.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3224 | vbc.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3224 | vbc.exe
Token: SeDebugPrivilege | 3224 | vbc.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4516 | vbc.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4248 wrote to memory of 4516 | 4248 | aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe | 79
PID 4248 wrote to memory of 4516 | 4248 | aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe | 79
PID 4248 wrote to memory of 4516 | 4248 | aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe | 79
PID 4248 wrote to memory of 4516 | 4248 | aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe | 79
PID 4248 wrote to memory of 4516 | 4248 | aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe | 79
PID 4248 wrote to memory of 4516 | 4248 | aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe | 79
PID 4248 wrote to memory of 4516 | 4248 | aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe | 79
PID 4248 wrote to memory of 4516 | 4248 | aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe | 79
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
PID 4516 wrote to memory of 600 | 4516 | vbc.exe | 33
Processes
-
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE 1⤵ PID:600
-
C:\Users\Admin\AppData\Local\Temp\aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe "C:\Users\Admin\AppData\Local\Temp\aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe" 2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\explorer.exe explorer.exe 4⤵
- Modifies Installed Components in the registry
PID:2368
-
-
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" 4⤵ PID:1360
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" 4⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3224 -
C:\Windows\SysWOW64\install\msn.exe "C:\Windows\system32\install\msn.exe" 5⤵
- Executes dropped EXE
PID:3984
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 229KB
MD5 3b29364d24fcfd28014c061fc647dc45
SHA1 cb8af848f73d0ddd7905676742d9a16bb3728a3a
SHA256 08531490f8ea8d98b4537a5d3f0254fe924c9e865309b82eba2164fab2c3e205
SHA512 0b1bf205e26c4e7400aa96c9b877e088a7c54d770f834f9892805a1c536efe3f469d2605c6f6621f04928f28c52765fd55e3df7095d0eb2bfccb3045f9bdfc5d
-
Filesize 1.1MB
MD5 d881de17aa8f2e2c08cbb7b265f928f9
SHA1 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256 b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34