Analysis
- max time kernel: 125s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/12/2022, 10:47
Static task: static1
Behavioral task: behavioral1
- Sample: f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe
- Resource: win10v2004-20220901-en
General
- Target: f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe
- Size: 378KB
- MD5: 84024db2745e8bb754ce8ff3a99b53d8
- SHA1: 71ef6e78338dfd3a0b9bf4b15fd7f77ee0241009
- SHA256: f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19
- SHA512: da001c26b21748ed4fd5c319336526137451cac5927a6348ef616b5409413696a9a2fac3aeb3b34f180043312fb27d42971e16fa0b70c3c0d0a9a1d0907481c9
- SSDEEP: 6144:ceNU1uIJW3hVEckfSOBlWWRmGwL4QQgKKX8x7/2xWqWma2XDzHPt281:PyJmhVrpOjWtGNgDUiWqWNKDrt2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid  | Process
  3528 | Sysremser.exe
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                                                   | Process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21E9C5D3-EBFF-11CD-B6FD-00AA00B4E22A}          | f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21E9C5D3-EBFF-11CD-B6FD-00AA00B4E22A}\StubPath = "C:\\Program Files\\Sysremser.exe" | f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                         | pid  | Process       | procid_target
  PID 3528 set thread context of 2080 | 3528 | Sysremser.exe | 82
- Drops file in Program Files directory (2 IoCs)
  description                  | ioc                            | Process
  File opened for modification | C:\Program Files\Sysremser.exe | f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe
  File created                 | C:\Program Files\Sysremser.exe | f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe
- Modifies registry class (1 IoC)
  description | ioc                                                                              | Process
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | explorer.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 4980 | f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe
  Token: SeDebugPrivilege | 3528 | Sysremser.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                      | pid  | Process                                                              | procid_target
  PID 4980 wrote to memory of 3528 | 4980 | f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe | 81
  PID 4980 wrote to memory of 3528 | 4980 | f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe | 81
  PID 4980 wrote to memory of 3528 | 4980 | f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe | 81
  PID 3528 wrote to memory of 2080 | 3528 | Sysremser.exe                                                        | 82
  PID 3528 wrote to memory of 2080 | 3528 | Sysremser.exe                                                        | 82
  PID 3528 wrote to memory of 2080 | 3528 | Sysremser.exe                                                        | 82
  PID 4980 wrote to memory of 3360 | 4980 | f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe | 83
  PID 4980 wrote to memory of 3360 | 4980 | f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe | 83
  PID 4980 wrote to memory of 3360 | 4980 | f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe | 83
Processes
- C:\Users\Admin\AppData\Local\Temp\f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe (level 1, PID 4980)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe"
  - Modifies Installed Components in the registry
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Sysremser.exe (level 2, PID 3528)
    Command line: "C:\Program Files\Sysremser.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\explorer.exe (level 3, PID 2080)
      Command line: C:\Windows\explorer.exe
      - Modifies registry class
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 3360)
    Command line: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 378KB
  MD5: 84024db2745e8bb754ce8ff3a99b53d8
  SHA1: 71ef6e78338dfd3a0b9bf4b15fd7f77ee0241009
  SHA256: f9ffae051ea3b3adbc1ea3dc7904590cb0d60e17225dfa544ad5cdf1b8e64b19
  SHA512: da001c26b21748ed4fd5c319336526137451cac5927a6348ef616b5409413696a9a2fac3aeb3b34f180043312fb27d42971e16fa0b70c3c0d0a9a1d0907481c9