Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

cdda4da404...48.exe

windows7-x64

8

cdda4da404...48.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 05:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cdda4da404352e01a464704c195aa6ef42a876b6e38cc66f63d3d94285c0cc48.exe

  • Size

    77KB

  • MD5

    45cf86002f7bb2454f28d3bf36ca3533

  • SHA1

    0cc550b72a376f8da98014edbe4a2ab054eb410d

  • SHA256

    cdda4da404352e01a464704c195aa6ef42a876b6e38cc66f63d3d94285c0cc48

  • SHA512

    6b3674896d3e7b30c49e532a98a7ad06513b5058d7673ec3475001668aebd4778237fdc3031cc7b7770b641c06276a00c5d3ae88c9800894ae463ad38297ebd2

  • SSDEEP

    1536:+zdFUBIPV8Jq126Pc1N56d65UCJGjhb3rI2FKrasqXR0LSt3GkE:+RBuJLN56A5/cjFQaBXR+0WH

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 20 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cdda4da404352e01a464704c195aa6ef42a876b6e38cc66f63d3d94285c0cc48.exe
    "C:\Users\Admin\AppData\Local\Temp\cdda4da404352e01a464704c195aa6ef42a876b6e38cc66f63d3d94285c0cc48.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32 C:\Windows\system32\heha.dll Execute
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:404
      • C:\Windows\SysWOW64\sc.exe
        sc stop 360rp
        3⤵
        • Launches sc.exe
        PID:4664
      • C:\Windows\SysWOW64\sc.exe
        sc delete 360rp
        3⤵
        • Launches sc.exe
        PID:3092
      • C:\Windows\SysWOW64\sc.exe
        sc stop RsRavMon
        3⤵
        • Launches sc.exe
        PID:3936
      • C:\Windows\SysWOW64\sc.exe
        sc delete RsRavMon
        3⤵
        • Launches sc.exe
        PID:4176
      • C:\Windows\SysWOW64\sc.exe
        sc stop McNASvc
        3⤵
        • Launches sc.exe
        PID:4924
      • C:\Windows\SysWOW64\sc.exe
        sc delete McNASvc
        3⤵
        • Launches sc.exe
        PID:2200
      • C:\Windows\SysWOW64\sc.exe
        sc stop MpfService
        3⤵
        • Launches sc.exe
        PID:2316
      • C:\Windows\SysWOW64\sc.exe
        sc delete MpfService
        3⤵
        • Launches sc.exe
        PID:3508
      • C:\Windows\SysWOW64\sc.exe
        sc stop McProxy
        3⤵
        • Launches sc.exe
        PID:4080
      • C:\Windows\SysWOW64\sc.exe
        sc delete McProxy
        3⤵
        • Launches sc.exe
        PID:2568
      • C:\Windows\SysWOW64\sc.exe
        sc delete McShield
        3⤵
        • Launches sc.exe
        PID:1060
      • C:\Windows\SysWOW64\sc.exe
        sc stop McShield
        3⤵
        • Launches sc.exe
        PID:3940
      • C:\Windows\SysWOW64\sc.exe
        sc stop McODS
        3⤵
        • Launches sc.exe
        PID:224
      • C:\Windows\SysWOW64\sc.exe
        sc delete McODS
        3⤵
        • Launches sc.exe
        PID:2684
      • C:\Windows\SysWOW64\sc.exe
        sc stop mcmscsvc
        3⤵
        • Launches sc.exe
        PID:3644
      • C:\Windows\SysWOW64\sc.exe
        sc stop McSysmon
        3⤵
        • Launches sc.exe
        PID:3360
      • C:\Windows\SysWOW64\sc.exe
        sc delete mcmscsvc
        3⤵
        • Launches sc.exe
        PID:5084
      • C:\Windows\SysWOW64\sc.exe
        sc delete McSysmon
        3⤵
        • Launches sc.exe
        PID:1056
      • C:\Windows\SysWOW64\sc.exe
        sc stop ekrn
        3⤵
        • Launches sc.exe
        PID:3484
      • C:\Windows\SysWOW64\sc.exe
        sc delete ekrn
        3⤵
        • Launches sc.exe
        PID:5044
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32 C:\Windows\system32\shia.dll Execute
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      PID:4708

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Driver.sys
    Filesize

    11KB

    MD5

    ad6d3b758b0af522d1df51c83ebc9c2b

    SHA1

    64b50b3ead339767f9a58922bf092de14c87f8eb

    SHA256

    5e055382c54af491b127340cb3346858b6acc1d3b58be4c93c74b638fe44e092

    SHA512

    3d9d1c56606687b59c12fbe65cd69f785a8103691f4bd5fec15139fb9e6ef250987c24c46d43556cf88e8c3e3f3522d1039ce6ae7c99203cbe69baa1fc84c9ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CD28.tmp
    Filesize

    4.3MB

    MD5

    6c7cdd25c2cb0073306eb22aebfc663f

    SHA1

    a1eba8ab49272b9852fe6a543677e8af36271248

    SHA256

    58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

    SHA512

    17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

    Download Submit

  • C:\Windows\SysWOW64\heha.dll
    Filesize

    12KB

    MD5

    7f934338e10581d1b18a196474ac51e1

    SHA1

    4b28911a6ae3ef4e1502a184dd7044633ac7da4a

    SHA256

    a9596721b74f4498b84feccbe92eb76194d48429f8fc4cef438a123a66a249bf

    SHA512

    ab8fc0492ffdd13f30f83d6814e2cb43c56e812d9b978a4f47a6a8af9e02f57d4f43a72819e7181d9a709c86cfc63cb957de06f9d9f1eba730ee3842a872fe0d

    Download Submit

  • C:\Windows\SysWOW64\heha.dll
    Filesize

    12KB

    MD5

    7f934338e10581d1b18a196474ac51e1

    SHA1

    4b28911a6ae3ef4e1502a184dd7044633ac7da4a

    SHA256

    a9596721b74f4498b84feccbe92eb76194d48429f8fc4cef438a123a66a249bf

    SHA512

    ab8fc0492ffdd13f30f83d6814e2cb43c56e812d9b978a4f47a6a8af9e02f57d4f43a72819e7181d9a709c86cfc63cb957de06f9d9f1eba730ee3842a872fe0d

    Download Submit

  • C:\Windows\SysWOW64\shia.dll
    Filesize

    8KB

    MD5

    8c96dd6d4bbb740396025dbad40d5412

    SHA1

    2cf230b0a57707a5d05ed61f5a0b1efaacd6ef94

    SHA256

    e805e5a4ca410a50388dafae97fa7a67dff55bd7435e29480252c8542dd01051

    SHA512

    5585a305e56da595b02cde74cd2a41ada8d95468b4b28d80d97b58ce8465320fad5c09636585e37fe5afe036f7eee811fd778a3d320eabdaf2b0df69371b5fcf

    Download Submit

  • C:\Windows\SysWOW64\shia.dll
    Filesize

    8KB

    MD5

    8c96dd6d4bbb740396025dbad40d5412

    SHA1

    2cf230b0a57707a5d05ed61f5a0b1efaacd6ef94

    SHA256

    e805e5a4ca410a50388dafae97fa7a67dff55bd7435e29480252c8542dd01051

    SHA512

    5585a305e56da595b02cde74cd2a41ada8d95468b4b28d80d97b58ce8465320fad5c09636585e37fe5afe036f7eee811fd778a3d320eabdaf2b0df69371b5fcf

    Download Submit

  • C:\pci.sys
    Filesize

    11KB

    MD5

    ad6d3b758b0af522d1df51c83ebc9c2b

    SHA1

    64b50b3ead339767f9a58922bf092de14c87f8eb

    SHA256

    5e055382c54af491b127340cb3346858b6acc1d3b58be4c93c74b638fe44e092

    SHA512

    3d9d1c56606687b59c12fbe65cd69f785a8103691f4bd5fec15139fb9e6ef250987c24c46d43556cf88e8c3e3f3522d1039ce6ae7c99203cbe69baa1fc84c9ed

    Download Submit