Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    153s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 21:28

General

  • Target

    8ba30df49f94005822b3d1264121c1ec3ae879fd27f798e58b3608b701d265dd.exe

  • Size

    93KB

  • MD5

    c6f5d6270d704db347dc7ced3dd11f50

  • SHA1

    3754660ef16306ce4489e4940ab98e654468588a

  • SHA256

    8ba30df49f94005822b3d1264121c1ec3ae879fd27f798e58b3608b701d265dd

  • SHA512

    eb329315b41f9a844cd86765244a369721ab7908320d5d90a4e76b00bfd8c310e566a9bb225cb69522f145861635a61cb23bbc263515137acc6db1b8363d2601

  • SSDEEP

    1536:CXyvtA0MYL3OpBlHDxpmzVurN4vjWif+Q5ei6HNdsngRIhs2GDm:Cqt+XFpO0OvZfNTgGhhGa

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ba30df49f94005822b3d1264121c1ec3ae879fd27f798e58b3608b701d265dd.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba30df49f94005822b3d1264121c1ec3ae879fd27f798e58b3608b701d265dd.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3892
    • C:\Windows\SysWOW64\Rundll32.exe
      C:\Windows\System32\Rundll32.exe "C:\Windows\Fonts\tbvws.fon",MyKILLEntry
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:428
    • C:\Program Files (x86)\Common Files\SysAnti.exe
      "C:\Program Files (x86)\Common Files\SysAnti.exe" -One
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Windows\SysWOW64\Rundll32.exe
        C:\Windows\System32\Rundll32.exe "C:\Windows\Fonts\tdukl.fon",MyKILLEntry
        3⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:4924
      • C:\Windows\SysWOW64\Svchost.exe
        C:\Windows\System32\Svchost.exe
        3⤵
          PID:4824
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 12
            4⤵
            • Program crash
            PID:4768
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\8ba30df49f94005822b3d1264121c1ec3ae879fd27f798e58b3608b701d265dd.exe" > nul
        2⤵
          PID:4748
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4824 -ip 4824
        1⤵
          PID:4692

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Common Files\SysAnti.exe

          Filesize

          93KB

          MD5

          c6f5d6270d704db347dc7ced3dd11f50

          SHA1

          3754660ef16306ce4489e4940ab98e654468588a

          SHA256

          8ba30df49f94005822b3d1264121c1ec3ae879fd27f798e58b3608b701d265dd

          SHA512

          eb329315b41f9a844cd86765244a369721ab7908320d5d90a4e76b00bfd8c310e566a9bb225cb69522f145861635a61cb23bbc263515137acc6db1b8363d2601

        • C:\Program Files (x86)\Common Files\SysAnti.exe

          Filesize

          93KB

          MD5

          c6f5d6270d704db347dc7ced3dd11f50

          SHA1

          3754660ef16306ce4489e4940ab98e654468588a

          SHA256

          8ba30df49f94005822b3d1264121c1ec3ae879fd27f798e58b3608b701d265dd

          SHA512

          eb329315b41f9a844cd86765244a369721ab7908320d5d90a4e76b00bfd8c310e566a9bb225cb69522f145861635a61cb23bbc263515137acc6db1b8363d2601

        • C:\Windows\Fonts\tbvws.fon

          Filesize

          31KB

          MD5

          e3b07bfb8f477249293bb7f74f81c62e

          SHA1

          cba4bf1be14055ac14b5979e08206fdaaa395294

          SHA256

          a52cce9148b56de137624466dad8067297e2aa995c9e2c272ff248682f6cfa33

          SHA512

          6dd2e1f618729ddc7c65e25d367c43ac9350477c199b56fa68540063b6dad316e0eb9ce67cbd2ece83102d34444095e38280d908065148941e7a788a284876a6

        • C:\Windows\Fonts\tbvws.fon

          Filesize

          31KB

          MD5

          e3b07bfb8f477249293bb7f74f81c62e

          SHA1

          cba4bf1be14055ac14b5979e08206fdaaa395294

          SHA256

          a52cce9148b56de137624466dad8067297e2aa995c9e2c272ff248682f6cfa33

          SHA512

          6dd2e1f618729ddc7c65e25d367c43ac9350477c199b56fa68540063b6dad316e0eb9ce67cbd2ece83102d34444095e38280d908065148941e7a788a284876a6

        • C:\Windows\Fonts\tbvws.fon

          Filesize

          31KB

          MD5

          e3b07bfb8f477249293bb7f74f81c62e

          SHA1

          cba4bf1be14055ac14b5979e08206fdaaa395294

          SHA256

          a52cce9148b56de137624466dad8067297e2aa995c9e2c272ff248682f6cfa33

          SHA512

          6dd2e1f618729ddc7c65e25d367c43ac9350477c199b56fa68540063b6dad316e0eb9ce67cbd2ece83102d34444095e38280d908065148941e7a788a284876a6

        • C:\Windows\Fonts\tdukl.fon

          Filesize

          31KB

          MD5

          e3b07bfb8f477249293bb7f74f81c62e

          SHA1

          cba4bf1be14055ac14b5979e08206fdaaa395294

          SHA256

          a52cce9148b56de137624466dad8067297e2aa995c9e2c272ff248682f6cfa33

          SHA512

          6dd2e1f618729ddc7c65e25d367c43ac9350477c199b56fa68540063b6dad316e0eb9ce67cbd2ece83102d34444095e38280d908065148941e7a788a284876a6

        • C:\Windows\Fonts\tdukl.fon

          Filesize

          31KB

          MD5

          e3b07bfb8f477249293bb7f74f81c62e

          SHA1

          cba4bf1be14055ac14b5979e08206fdaaa395294

          SHA256

          a52cce9148b56de137624466dad8067297e2aa995c9e2c272ff248682f6cfa33

          SHA512

          6dd2e1f618729ddc7c65e25d367c43ac9350477c199b56fa68540063b6dad316e0eb9ce67cbd2ece83102d34444095e38280d908065148941e7a788a284876a6

        • memory/428-136-0x0000000000680000-0x000000000068D000-memory.dmp

          Filesize

          52KB

        • memory/4824-144-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB