Analysis

  • max time kernel
    177s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/12/2022, 00:29 UTC

General

  • Target

    ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe

  • Size

    120KB

  • MD5

    9e2d5116462c18c2a8b0dcb7bd88e9ca

  • SHA1

    74ca2e701aae44413e3706a37ff44ebbe6c0e19d

  • SHA256

    ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50

  • SHA512

    43da95509dfebfc6908e0fdd27c22c1e4e806b814103cb1c53386e0e4da222c4b918a7050c5eb2941a9110042de0d0f2de95a6086b64b22aebef4ce796344ee3

  • SSDEEP

    1536:WlnMg9bWAdy4nHfUHD28+we3cotuFDcF4DfQKRx50KVT4iKEFXvxKqHs:WlNsAdy4n/UKw4co9FMfQeN/Xey

Score
9/10

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Discovers systems in the same network 1 TTPs 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe
    "C:\Users\Admin\AppData\Local\Temp\ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\ProgramData\Application Data\inetinfo.exe
      "C:\ProgramData\Application Data\inetinfo.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\info.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • Gathers system information
          PID:4136
        • C:\Windows\SysWOW64\net.exe
          net user
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1488
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user
            5⤵
              PID:1864
          • C:\Windows\SysWOW64\net.exe
            net localgroup administrators
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4500
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 localgroup administrators
              5⤵
                PID:4224
            • C:\Windows\SysWOW64\net.exe
              net start
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4816
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start
                5⤵
                  PID:4600
              • C:\Windows\SysWOW64\net.exe
                net view
                4⤵
                • Discovers systems in the same network
                PID:3620
              • C:\Windows\SysWOW64\net.exe
                net view /domain
                4⤵
                • Discovers systems in the same network
                PID:2984
              • C:\Windows\SysWOW64\net.exe
                net user /domain
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4280
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 user /domain
                  5⤵
                    PID:4248
                • C:\Windows\SysWOW64\NETSTAT.EXE
                  netstat -ano
                  4⤵
                  • Gathers network information
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2868
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist
                  4⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3652
                • C:\Windows\SysWOW64\ipconfig.exe
                  ipconfig /all
                  4⤵
                  • Gathers network information
                  PID:4852
                • C:\Windows\SysWOW64\ARP.EXE
                  arp -a
                  4⤵
                    PID:4952

Network

  • No results found
  • 8.248.7.254:80
    322 B
    7
  • 8.248.7.254:80
    322 B
    7
  • 40.126.31.71:443
    260 B
    5
  • 40.126.31.71:443
    260 B
    5
  • 20.190.159.4:443
    260 B
    5
  • 40.126.31.71:443
    260 B
    5
  • 20.190.159.73:443
    260 B
    5
  • No results found

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\Application Data\inetinfo.exe

    Filesize

    120KB

    MD5

    9e2d5116462c18c2a8b0dcb7bd88e9ca

    SHA1

    74ca2e701aae44413e3706a37ff44ebbe6c0e19d

    SHA256

    ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50

    SHA512

    43da95509dfebfc6908e0fdd27c22c1e4e806b814103cb1c53386e0e4da222c4b918a7050c5eb2941a9110042de0d0f2de95a6086b64b22aebef4ce796344ee3

  • C:\ProgramData\inetinfo.exe

    Filesize

    120KB

    MD5

    9e2d5116462c18c2a8b0dcb7bd88e9ca

    SHA1

    74ca2e701aae44413e3706a37ff44ebbe6c0e19d

    SHA256

    ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50

    SHA512

    43da95509dfebfc6908e0fdd27c22c1e4e806b814103cb1c53386e0e4da222c4b918a7050c5eb2941a9110042de0d0f2de95a6086b64b22aebef4ce796344ee3

  • C:\Users\Admin\AppData\Local\Temp\info.bat

    Filesize

    581B

    MD5

    52b5878fbe8ecfafe96177c8001328b7

    SHA1

    3bc5f0fe87c76ed056e940dfcfaa176397527d94

    SHA256

    2ce2bccf6b09a3b49aafe4306b378fe0f4dea8f1104c1a0dfc060af5945f37db

    SHA512

    d6284b5b081887a2773cd4d459c225d9952b4f28551ea98f2463ef70009443bc75138fb6e5a871a14ab7935102e57b3cbc8310cafc1d97f530ed9a8ac6c4dd5c

  • memory/2244-136-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2244-154-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/3012-132-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB