Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

9fbc0b8b30...d5.exe

windows7-x64

10

9fbc0b8b30...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2022, 19:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9fbc0b8b304dad3901f2205e6f658bb6b418d6ebffd406b113b4f42cb02b05d5.exe

  • Size

    284KB

  • MD5

    5734d6763c7ac808169dbc753afb02ec

  • SHA1

    2523ac0705b7ddac7ab183473aa7b11ad91ddb2d

  • SHA256

    9fbc0b8b304dad3901f2205e6f658bb6b418d6ebffd406b113b4f42cb02b05d5

  • SHA512

    e5e41ac1f9378c160a59de32b54c8ecfe60870640120f65106f25ad96637a4cbca90f24fde36e3c0bdc449d3e58e0f522c197a9dbb0d18923e527882be66c67a

  • SSDEEP

    6144:PsDIMNVRb9ChrASE6j61ddLb3S2NZuUBxSh4H4:kDIMvRBorARdvSiZU1

Score
10/10
bootkitevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9fbc0b8b304dad3901f2205e6f658bb6b418d6ebffd406b113b4f42cb02b05d5.exe
    "C:\Users\Admin\AppData\Local\Temp\9fbc0b8b304dad3901f2205e6f658bb6b418d6ebffd406b113b4f42cb02b05d5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Users\Admin\AppData\Local\Temp\9fbc0b8b304dad3901f2205e6f658bb6b418d6ebffd406b113b4f42cb02b05d5.exe
      "C:\Users\Admin\AppData\Local\Temp\9fbc0b8b304dad3901f2205e6f658bb6b418d6ebffd406b113b4f42cb02b05d5.exe"
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4416
      • C:\Users\Admin\AppData\Local\Temp\9fbc0b8b304dad3901f2205e6f658bb6b418d6ebffd406b113b4f42cb02b05d5.exe
        "C:\Users\Admin\AppData\Local\Temp\9fbc0b8b304dad3901f2205e6f658bb6b418d6ebffd406b113b4f42cb02b05d5.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Adds Run key to start application
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\lsass.exe" CityScape Enable
          4⤵
          • Modifies Windows Firewall
          PID:1240
        • C:\Users\Admin\AppData\Roaming\lsass.exe
          /d C:\Users\Admin\AppData\Local\Temp\9fbc0b8b304dad3901f2205e6f658bb6b418d6ebffd406b113b4f42cb02b05d5.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4484
          • C:\Users\Admin\AppData\Roaming\lsass.exe
            /d C:\Users\Admin\AppData\Local\Temp\9fbc0b8b304dad3901f2205e6f658bb6b418d6ebffd406b113b4f42cb02b05d5.exe
            5⤵
            • Executes dropped EXE
            • Writes to the Master Boot Record (MBR)
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3368
            • C:\Users\Admin\AppData\Roaming\lsass.exe
              /d C:\Users\Admin\AppData\Local\Temp\9fbc0b8b304dad3901f2205e6f658bb6b418d6ebffd406b113b4f42cb02b05d5.exe
              6⤵
              • Modifies WinLogon for persistence
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetWindowsHookEx
              PID:3556

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\lsass.exe
    Filesize

    284KB

    MD5

    53b45b6e6b422bf0ba327fa99a84d8ef

    SHA1

    a073ee37d2620c465b9481adad0b0b7670275d9a

    SHA256

    c32db5364171296322aa9f588601c9b34f231768188e4de183d49b85b6d7fb69

    SHA512

    b9938bdd57ff5bec24039078cb659eb1a35d1e3aceff6af9e34f418c928db72c2994348e6a21c288470d3bb3a3b3d1caf799972db0a2be68ed7aa88439be2fd6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\lsass.exe
    Filesize

    284KB

    MD5

    53b45b6e6b422bf0ba327fa99a84d8ef

    SHA1

    a073ee37d2620c465b9481adad0b0b7670275d9a

    SHA256

    c32db5364171296322aa9f588601c9b34f231768188e4de183d49b85b6d7fb69

    SHA512

    b9938bdd57ff5bec24039078cb659eb1a35d1e3aceff6af9e34f418c928db72c2994348e6a21c288470d3bb3a3b3d1caf799972db0a2be68ed7aa88439be2fd6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\lsass.exe
    Filesize

    284KB

    MD5

    53b45b6e6b422bf0ba327fa99a84d8ef

    SHA1

    a073ee37d2620c465b9481adad0b0b7670275d9a

    SHA256

    c32db5364171296322aa9f588601c9b34f231768188e4de183d49b85b6d7fb69

    SHA512

    b9938bdd57ff5bec24039078cb659eb1a35d1e3aceff6af9e34f418c928db72c2994348e6a21c288470d3bb3a3b3d1caf799972db0a2be68ed7aa88439be2fd6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\lsass.exe
    Filesize

    284KB

    MD5

    53b45b6e6b422bf0ba327fa99a84d8ef

    SHA1

    a073ee37d2620c465b9481adad0b0b7670275d9a

    SHA256

    c32db5364171296322aa9f588601c9b34f231768188e4de183d49b85b6d7fb69

    SHA512

    b9938bdd57ff5bec24039078cb659eb1a35d1e3aceff6af9e34f418c928db72c2994348e6a21c288470d3bb3a3b3d1caf799972db0a2be68ed7aa88439be2fd6

    Download Submit

  • memory/2024-145-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2024-140-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2024-152-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3368-163-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3556-166-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3556-167-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4416-143-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4416-135-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download