Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

cdda4da404...48.exe

windows7-x64

8

cdda4da404...48.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    161s
  • max time network
    205s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 05:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cdda4da404352e01a464704c195aa6ef42a876b6e38cc66f63d3d94285c0cc48.exe

  • Size

    77KB

  • MD5

    45cf86002f7bb2454f28d3bf36ca3533

  • SHA1

    0cc550b72a376f8da98014edbe4a2ab054eb410d

  • SHA256

    cdda4da404352e01a464704c195aa6ef42a876b6e38cc66f63d3d94285c0cc48

  • SHA512

    6b3674896d3e7b30c49e532a98a7ad06513b5058d7673ec3475001668aebd4778237fdc3031cc7b7770b641c06276a00c5d3ae88c9800894ae463ad38297ebd2

  • SSDEEP

    1536:+zdFUBIPV8Jq126Pc1N56d65UCJGjhb3rI2FKrasqXR0LSt3GkE:+RBuJLN56A5/cjFQaBXR+0WH

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 20 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cdda4da404352e01a464704c195aa6ef42a876b6e38cc66f63d3d94285c0cc48.exe
    "C:\Users\Admin\AppData\Local\Temp\cdda4da404352e01a464704c195aa6ef42a876b6e38cc66f63d3d94285c0cc48.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32 C:\Windows\system32\jnr.dll Execute
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Windows\SysWOW64\sc.exe
        sc stop 360rp
        3⤵
        • Launches sc.exe
        PID:1168
      • C:\Windows\SysWOW64\sc.exe
        sc delete 360rp
        3⤵
        • Launches sc.exe
        PID:268
      • C:\Windows\SysWOW64\sc.exe
        sc stop RsRavMon
        3⤵
        • Launches sc.exe
        PID:676
      • C:\Windows\SysWOW64\sc.exe
        sc delete RsRavMon
        3⤵
        • Launches sc.exe
        PID:592
      • C:\Windows\SysWOW64\sc.exe
        sc stop McNASvc
        3⤵
        • Launches sc.exe
        PID:1764
      • C:\Windows\SysWOW64\sc.exe
        sc delete McNASvc
        3⤵
        • Launches sc.exe
        PID:1824
      • C:\Windows\SysWOW64\sc.exe
        sc stop MpfService
        3⤵
        • Launches sc.exe
        PID:284
      • C:\Windows\SysWOW64\sc.exe
        sc delete MpfService
        3⤵
        • Launches sc.exe
        PID:1500
      • C:\Windows\SysWOW64\sc.exe
        sc stop McProxy
        3⤵
        • Launches sc.exe
        PID:1508
      • C:\Windows\SysWOW64\sc.exe
        sc delete McProxy
        3⤵
        • Launches sc.exe
        PID:1680
      • C:\Windows\SysWOW64\sc.exe
        sc stop McShield
        3⤵
        • Launches sc.exe
        PID:1652
      • C:\Windows\SysWOW64\sc.exe
        sc delete McShield
        3⤵
        • Launches sc.exe
        PID:1692
      • C:\Windows\SysWOW64\sc.exe
        sc stop McODS
        3⤵
        • Launches sc.exe
        PID:1632
      • C:\Windows\SysWOW64\sc.exe
        sc delete McODS
        3⤵
        • Launches sc.exe
        PID:1524
      • C:\Windows\SysWOW64\sc.exe
        sc stop mcmscsvc
        3⤵
        • Launches sc.exe
        PID:1936
      • C:\Windows\SysWOW64\sc.exe
        sc delete mcmscsvc
        3⤵
        • Launches sc.exe
        PID:1732
      • C:\Windows\SysWOW64\sc.exe
        sc stop McSysmon
        3⤵
        • Launches sc.exe
        PID:1352
      • C:\Windows\SysWOW64\sc.exe
        sc delete McSysmon
        3⤵
        • Launches sc.exe
        PID:1868
      • C:\Windows\SysWOW64\sc.exe
        sc stop ekrn
        3⤵
        • Launches sc.exe
        PID:1192
      • C:\Windows\SysWOW64\sc.exe
        sc delete ekrn
        3⤵
        • Launches sc.exe
        PID:1748
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32 C:\Windows\system32\new.dll Execute
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      PID:1532

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Driver.sys
    Filesize

    11KB

    MD5

    ad6d3b758b0af522d1df51c83ebc9c2b

    SHA1

    64b50b3ead339767f9a58922bf092de14c87f8eb

    SHA256

    5e055382c54af491b127340cb3346858b6acc1d3b58be4c93c74b638fe44e092

    SHA512

    3d9d1c56606687b59c12fbe65cd69f785a8103691f4bd5fec15139fb9e6ef250987c24c46d43556cf88e8c3e3f3522d1039ce6ae7c99203cbe69baa1fc84c9ed

    Download Submit

  • C:\Windows\SysWOW64\jnr.dll
    Filesize

    12KB

    MD5

    7f934338e10581d1b18a196474ac51e1

    SHA1

    4b28911a6ae3ef4e1502a184dd7044633ac7da4a

    SHA256

    a9596721b74f4498b84feccbe92eb76194d48429f8fc4cef438a123a66a249bf

    SHA512

    ab8fc0492ffdd13f30f83d6814e2cb43c56e812d9b978a4f47a6a8af9e02f57d4f43a72819e7181d9a709c86cfc63cb957de06f9d9f1eba730ee3842a872fe0d

    Download Submit

  • C:\Windows\SysWOW64\new.dll
    Filesize

    8KB

    MD5

    8c96dd6d4bbb740396025dbad40d5412

    SHA1

    2cf230b0a57707a5d05ed61f5a0b1efaacd6ef94

    SHA256

    e805e5a4ca410a50388dafae97fa7a67dff55bd7435e29480252c8542dd01051

    SHA512

    5585a305e56da595b02cde74cd2a41ada8d95468b4b28d80d97b58ce8465320fad5c09636585e37fe5afe036f7eee811fd778a3d320eabdaf2b0df69371b5fcf

    Download Submit

  • C:\pci.sys
    Filesize

    11KB

    MD5

    ad6d3b758b0af522d1df51c83ebc9c2b

    SHA1

    64b50b3ead339767f9a58922bf092de14c87f8eb

    SHA256

    5e055382c54af491b127340cb3346858b6acc1d3b58be4c93c74b638fe44e092

    SHA512

    3d9d1c56606687b59c12fbe65cd69f785a8103691f4bd5fec15139fb9e6ef250987c24c46d43556cf88e8c3e3f3522d1039ce6ae7c99203cbe69baa1fc84c9ed

    Download Submit

  • \Users\Admin\AppData\Local\Temp\B04D.tmp
    Filesize

    1.7MB

    MD5

    b5eb5bd3066959611e1f7a80fd6cc172

    SHA1

    6fb1532059212c840737b3f923a9c0b152c0887a

    SHA256

    1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

    SHA512

    6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

    Download Submit

  • \Windows\SysWOW64\jnr.dll
    Filesize

    12KB

    MD5

    7f934338e10581d1b18a196474ac51e1

    SHA1

    4b28911a6ae3ef4e1502a184dd7044633ac7da4a

    SHA256

    a9596721b74f4498b84feccbe92eb76194d48429f8fc4cef438a123a66a249bf

    SHA512

    ab8fc0492ffdd13f30f83d6814e2cb43c56e812d9b978a4f47a6a8af9e02f57d4f43a72819e7181d9a709c86cfc63cb957de06f9d9f1eba730ee3842a872fe0d

    Download Submit

  • \Windows\SysWOW64\jnr.dll
    Filesize

    12KB

    MD5

    7f934338e10581d1b18a196474ac51e1

    SHA1

    4b28911a6ae3ef4e1502a184dd7044633ac7da4a

    SHA256

    a9596721b74f4498b84feccbe92eb76194d48429f8fc4cef438a123a66a249bf

    SHA512

    ab8fc0492ffdd13f30f83d6814e2cb43c56e812d9b978a4f47a6a8af9e02f57d4f43a72819e7181d9a709c86cfc63cb957de06f9d9f1eba730ee3842a872fe0d

    Download Submit

  • \Windows\SysWOW64\jnr.dll
    Filesize

    12KB

    MD5

    7f934338e10581d1b18a196474ac51e1

    SHA1

    4b28911a6ae3ef4e1502a184dd7044633ac7da4a

    SHA256

    a9596721b74f4498b84feccbe92eb76194d48429f8fc4cef438a123a66a249bf

    SHA512

    ab8fc0492ffdd13f30f83d6814e2cb43c56e812d9b978a4f47a6a8af9e02f57d4f43a72819e7181d9a709c86cfc63cb957de06f9d9f1eba730ee3842a872fe0d

    Download Submit

  • \Windows\SysWOW64\jnr.dll
    Filesize

    12KB

    MD5

    7f934338e10581d1b18a196474ac51e1

    SHA1

    4b28911a6ae3ef4e1502a184dd7044633ac7da4a

    SHA256

    a9596721b74f4498b84feccbe92eb76194d48429f8fc4cef438a123a66a249bf

    SHA512

    ab8fc0492ffdd13f30f83d6814e2cb43c56e812d9b978a4f47a6a8af9e02f57d4f43a72819e7181d9a709c86cfc63cb957de06f9d9f1eba730ee3842a872fe0d

    Download Submit

  • \Windows\SysWOW64\new.dll
    Filesize

    8KB

    MD5

    8c96dd6d4bbb740396025dbad40d5412

    SHA1

    2cf230b0a57707a5d05ed61f5a0b1efaacd6ef94

    SHA256

    e805e5a4ca410a50388dafae97fa7a67dff55bd7435e29480252c8542dd01051

    SHA512

    5585a305e56da595b02cde74cd2a41ada8d95468b4b28d80d97b58ce8465320fad5c09636585e37fe5afe036f7eee811fd778a3d320eabdaf2b0df69371b5fcf

    Download Submit

  • \Windows\SysWOW64\new.dll
    Filesize

    8KB

    MD5

    8c96dd6d4bbb740396025dbad40d5412

    SHA1

    2cf230b0a57707a5d05ed61f5a0b1efaacd6ef94

    SHA256

    e805e5a4ca410a50388dafae97fa7a67dff55bd7435e29480252c8542dd01051

    SHA512

    5585a305e56da595b02cde74cd2a41ada8d95468b4b28d80d97b58ce8465320fad5c09636585e37fe5afe036f7eee811fd778a3d320eabdaf2b0df69371b5fcf

    Download Submit

  • \Windows\SysWOW64\new.dll
    Filesize

    8KB

    MD5

    8c96dd6d4bbb740396025dbad40d5412

    SHA1

    2cf230b0a57707a5d05ed61f5a0b1efaacd6ef94

    SHA256

    e805e5a4ca410a50388dafae97fa7a67dff55bd7435e29480252c8542dd01051

    SHA512

    5585a305e56da595b02cde74cd2a41ada8d95468b4b28d80d97b58ce8465320fad5c09636585e37fe5afe036f7eee811fd778a3d320eabdaf2b0df69371b5fcf

    Download Submit

  • \Windows\SysWOW64\new.dll
    Filesize

    8KB

    MD5

    8c96dd6d4bbb740396025dbad40d5412

    SHA1

    2cf230b0a57707a5d05ed61f5a0b1efaacd6ef94

    SHA256

    e805e5a4ca410a50388dafae97fa7a67dff55bd7435e29480252c8542dd01051

    SHA512

    5585a305e56da595b02cde74cd2a41ada8d95468b4b28d80d97b58ce8465320fad5c09636585e37fe5afe036f7eee811fd778a3d320eabdaf2b0df69371b5fcf

    Download Submit

  • memory/556-55-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

    Filesize

    8KB

    Download