Analysis
- max time kernel: 177s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/12/2022, 00:29 UTC
Static task: static1

Behavioral task: behavioral1
- Sample: ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe
- Resource: win10v2004-20221111-en
General
- Target: ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe
- Size: 120KB
- MD5: 9e2d5116462c18c2a8b0dcb7bd88e9ca
- SHA1: 74ca2e701aae44413e3706a37ff44ebbe6c0e19d
- SHA256: ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50
- SHA512: 43da95509dfebfc6908e0fdd27c22c1e4e806b814103cb1c53386e0e4da222c4b918a7050c5eb2941a9110042de0d0f2de95a6086b64b22aebef4ce796344ee3
- SSDEEP: 1536:WlnMg9bWAdy4nHfUHD28+we3cotuFDcF4DfQKRx50KVT4iKEFXvxKqHs:WlNsAdy4n/UKw4co9FMfQeN/Xey
Malware Config
Signatures
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Executes dropped EXE (1 IoCs)
  pid 2244, process inetinfo.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inet32 = "C:\\ProgramData\\Application Data\\inetinfo.exe", by process ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe
- Discovers systems in the same network (1 TTPs, 2 IoCs)
  pid 3620, process net.exe; pid 2984, process net.exe
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  pid 3652, process tasklist.exe
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid 2868, process NETSTAT.EXE; pid 4852, process ipconfig.exe
- Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
  pid 4136, process systeminfo.exe
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2868, process NETSTAT.EXE; Token: SeDebugPrivilege, pid 3652, process tasklist.exe
- Suspicious use of WriteProcessMemory (51 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe (PID 3012)
  command line: "C:\Users\Admin\AppData\Local\Temp\ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\ProgramData\Application Data\inetinfo.exe (PID 2244)
    command line: "C:\ProgramData\Application Data\inetinfo.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1768)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\info.bat
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\systeminfo.exe (PID 4136): systeminfo
        signatures: Gathers system information
      - C:\Windows\SysWOW64\net.exe (PID 1488): net user
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 1864): C:\Windows\system32\net1 user
      - C:\Windows\SysWOW64\net.exe (PID 4500): net localgroup administrators
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 4224): C:\Windows\system32\net1 localgroup administrators
      - C:\Windows\SysWOW64\net.exe (PID 4816): net start
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 4600): C:\Windows\system32\net1 start
      - C:\Windows\SysWOW64\net.exe (PID 3620): net view
        signatures: Discovers systems in the same network
      - C:\Windows\SysWOW64\net.exe (PID 2984): net view /domain
        signatures: Discovers systems in the same network
      - C:\Windows\SysWOW64\net.exe (PID 4280): net user /domain
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 4248): C:\Windows\system32\net1 user /domain
      - C:\Windows\SysWOW64\NETSTAT.EXE (PID 2868): netstat -ano
        signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\tasklist.exe (PID 3652): tasklist
        signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\ipconfig.exe (PID 4852): ipconfig /all
        signatures: Gathers network information
      - C:\Windows\SysWOW64\ARP.EXE (PID 4952): arp -a
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 120KB
  MD5: 9e2d5116462c18c2a8b0dcb7bd88e9ca
  SHA1: 74ca2e701aae44413e3706a37ff44ebbe6c0e19d
  SHA256: ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50
  SHA512: 43da95509dfebfc6908e0fdd27c22c1e4e806b814103cb1c53386e0e4da222c4b918a7050c5eb2941a9110042de0d0f2de95a6086b64b22aebef4ce796344ee3
- Filesize: 581B
  MD5: 52b5878fbe8ecfafe96177c8001328b7
  SHA1: 3bc5f0fe87c76ed056e940dfcfaa176397527d94
  SHA256: 2ce2bccf6b09a3b49aafe4306b378fe0f4dea8f1104c1a0dfc060af5945f37db
  SHA512: d6284b5b081887a2773cd4d459c225d9952b4f28551ea98f2463ef70009443bc75138fb6e5a871a14ab7935102e57b3cbc8310cafc1d97f530ed9a8ac6c4dd5c