Analysis
- max time kernel: 133s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/12/2022, 08:22
Static task: static1
Behavioral task: behavioral1
- Sample: Scan20221216192254.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Scan20221216192254.exe
- Resource: win10v2004-20220812-en
General
- Target: Scan20221216192254.exe
- Size: 1.4MB
- MD5: 876f5f878fc3f716cd877443ee68f7e3
- SHA1: 35a223eadf77e713de0f6a7951fdb32ec5a48973
- SHA256: dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920
- SHA512: 3bc2f3a97613d054261086d0c1e83dab9237717142ac7d3ffe91ca5e918f73f0cf57b53e86aa1b4170c5bc4794c661fd079217d9e8150f7a942dde4e43dc6e83
- SSDEEP: 12288:OixF+mYOpvTDg1Hoz+JE2QsO4BeylBqN6hFfX05M1pDUQDoC+v5c+JQZ24146/PQ:rCEHsOzj4j85M1hUQDAxzJX4vgkW
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Msacos\\Msacs.exe,"
  Process: reg.exe
- Executes dropped EXE (1 IoCs)
  pid 772, Process Msacs.exe
- Runs ping.exe (1 TTPs, 3 IoCs)
  pid 1752, Process PING.EXE
  pid 1008, Process PING.EXE
  pid 2088, Process PING.EXE
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid 944, Process Scan20221216192254.exe (23 entries)
  pid 772, Process Msacs.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 944, Process Scan20221216192254.exe
  Token: SeDebugPrivilege, pid 772, Process Msacs.exe
- Suspicious use of WriteProcessMemory (21 IoCs; each of the seven distinct entries below is reported 3 times)
  description                       pid   Process                  procid_target
  PID 944 wrote to memory of 1580   944   Scan20221216192254.exe   80
  PID 1580 wrote to memory of 1752  1580  cmd.exe                  82
  PID 944 wrote to memory of 3060   944   Scan20221216192254.exe   91
  PID 3060 wrote to memory of 1008  3060  cmd.exe                  93
  PID 1580 wrote to memory of 540   1580  cmd.exe                  94
  PID 3060 wrote to memory of 2088  3060  cmd.exe                  95
  PID 3060 wrote to memory of 772   3060  cmd.exe                  96
Processes
- C:\Users\Admin\AppData\Local\Temp\Scan20221216192254.exe (PID 944)
  command: "C:\Users\Admin\AppData\Local\Temp\Scan20221216192254.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1580)
    command: "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe,"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1752)
      command: ping 127.0.0.1 -n 35
      - Runs ping.exe
    - C:\Windows\SysWOW64\reg.exe (PID 540)
      command: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe,"
      - Modifies WinLogon for persistence
  - C:\Windows\SysWOW64\cmd.exe (PID 3060)
    command: "cmd" /c ping 127.0.0.1 -n 46 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Scan20221216192254.exe" "C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe" && ping 127.0.0.1 -n 46 > nul && "C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1008)
      command: ping 127.0.0.1 -n 46
      - Runs ping.exe
    - C:\Windows\SysWOW64\PING.EXE (PID 2088)
      command: ping 127.0.0.1 -n 46
      - Runs ping.exe
    - C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe (PID 772)
      command: "C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.4MB
  MD5: 876f5f878fc3f716cd877443ee68f7e3
  SHA1: 35a223eadf77e713de0f6a7951fdb32ec5a48973
  SHA256: dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920
  SHA512: 3bc2f3a97613d054261086d0c1e83dab9237717142ac7d3ffe91ca5e918f73f0cf57b53e86aa1b4170c5bc4794c661fd079217d9e8150f7a942dde4e43dc6e83