Analysis

  • max time kernel
    151s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/12/2022, 22:43

General

  • Target

    76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe

  • Size

    60KB

  • MD5

    a0068ae7ff0080ef15e60e1d213c53b1

  • SHA1

    1685fd8007c01c2efc9f273f092cda13141fb0eb

  • SHA256

    76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e

  • SHA512

    f71440dbfa9780d7edb4691a1a353099f4408b05479d7d91b9406a988fa3d15cebe196662306ea9aaad75d9c6a1a8f7659fb7c04568e455411768aec861d35cb

  • SSDEEP

    768:ukpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn66kvORBX80X/s:3kQJcqwmIfj+ECJG/kvO40vs

Score
9/10

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
    "C:\Users\Admin\AppData\Local\Temp\76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\ProgramData\Application Data\wmimgmt.exe
      "C:\ProgramData\Application Data\wmimgmt.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\SysWOW64\findstr.exe
          findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
          4⤵
          PID:3976
        • C:\Windows\SysWOW64\chcp.com
          chcp
          4⤵
          PID:1020
        • C:\Windows\SysWOW64\net.exe
          net user
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4856
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user
            5⤵
            PID:4120
        • C:\Windows\SysWOW64\net.exe
          net localgroup administrators
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3908
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup administrators
            5⤵
            PID:4708
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2228
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • Gathers system information
          PID:3704

          Downloads

          • C:\ProgramData\Application Data\wmimgmt.exe

            Filesize

            60KB

            MD5

            a0068ae7ff0080ef15e60e1d213c53b1

            SHA1

            1685fd8007c01c2efc9f273f092cda13141fb0eb

            SHA256

            76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e

            SHA512

            f71440dbfa9780d7edb4691a1a353099f4408b05479d7d91b9406a988fa3d15cebe196662306ea9aaad75d9c6a1a8f7659fb7c04568e455411768aec861d35cb

          • C:\ProgramData\wmimgmt.exe

            Filesize

            60KB

            MD5

            a0068ae7ff0080ef15e60e1d213c53b1

            SHA1

            1685fd8007c01c2efc9f273f092cda13141fb0eb

            SHA256

            76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e

            SHA512

            f71440dbfa9780d7edb4691a1a353099f4408b05479d7d91b9406a988fa3d15cebe196662306ea9aaad75d9c6a1a8f7659fb7c04568e455411768aec861d35cb

          • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

            Filesize

            49B

            MD5

            2fa848e6957ded59d3105baff2173502

            SHA1

            69ac17fab606ccaf02eab35dcee4ef0d8030f572

            SHA256

            50ddb97831bd430b8433f5b5e823f1be7bf84a3fdbc10571cf609d3456007bd5

            SHA512

            6c58cc68d1bdf0334f438719ede384267fffd26df94996d7762dc12d3dc952282afc07d244eada6f3459a1ac75b61588125b05d4a2790884dd97b6a72db2450e

          • C:\Users\Admin\AppData\Local\Temp\ghi.bat

            Filesize

            4KB

            MD5

            b91bc08162fbc3445c5424b77183b807

            SHA1

            52b2a60db40cdcc655648a65210ed26219c033e1

            SHA256

            7cec366268426139777f0776ba3cbce6a50f4112a96fa88190bee2ebe665275a

            SHA512

            2f19fe96209dcb4e189a8fecddcac40ebed8ce0c6999a469268b57e74e9e830a7b03c1d024c616797ae9029a4566fa96006f29e1fa042bca1534d1d815ae8b35

          • memory/1528-133-0x0000000000400000-0x0000000000411000-memory.dmp

            Filesize

            68KB

          • memory/1528-132-0x0000000000400000-0x0000000000411000-memory.dmp

            Filesize

            68KB

          • memory/1528-137-0x0000000000400000-0x0000000000411000-memory.dmp

            Filesize

            68KB

          • memory/3556-138-0x0000000000400000-0x0000000000411000-memory.dmp

            Filesize

            68KB