Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

16/12/2022, 08:37

221216-kjcrwaed77 10

16/12/2022, 08:22

221216-j92cgshb8y 10

Analysis

  • max time kernel
    133s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/12/2022, 08:22

General

  • Target

    Scan20221216192254.exe

  • Size

    1.4MB

  • MD5

    876f5f878fc3f716cd877443ee68f7e3

  • SHA1

    35a223eadf77e713de0f6a7951fdb32ec5a48973

  • SHA256

    dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920

  • SHA512

    3bc2f3a97613d054261086d0c1e83dab9237717142ac7d3ffe91ca5e918f73f0cf57b53e86aa1b4170c5bc4794c661fd079217d9e8150f7a942dde4e43dc6e83

  • SSDEEP

    12288:OixF+mYOpvTDg1Hoz+JE2QsO4BeylBqN6hFfX05M1pDUQDoC+v5c+JQZ24146/PQ:rCEHsOzj4j85M1hUQDAxzJX4vgkW

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Scan20221216192254.exe
    "C:\Users\Admin\AppData\Local\Temp\Scan20221216192254.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe,"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1580
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 35
        3⤵
        • Runs ping.exe
        PID:1752
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe,"
        3⤵
        • Modifies WinLogon for persistence
        PID:540
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 46 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Scan20221216192254.exe" "C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe" && ping 127.0.0.1 -n 46 > nul && "C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 46
        3⤵
        • Runs ping.exe
        PID:1008
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 46
        3⤵
        • Runs ping.exe
        PID:2088
      • C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe
        "C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:772

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe

    Filesize

    1.4MB

    MD5

    876f5f878fc3f716cd877443ee68f7e3

    SHA1

    35a223eadf77e713de0f6a7951fdb32ec5a48973

    SHA256

    dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920

    SHA512

    3bc2f3a97613d054261086d0c1e83dab9237717142ac7d3ffe91ca5e918f73f0cf57b53e86aa1b4170c5bc4794c661fd079217d9e8150f7a942dde4e43dc6e83

  • C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe

    Filesize

    1.4MB

    MD5

    876f5f878fc3f716cd877443ee68f7e3

    SHA1

    35a223eadf77e713de0f6a7951fdb32ec5a48973

    SHA256

    dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920

    SHA512

    3bc2f3a97613d054261086d0c1e83dab9237717142ac7d3ffe91ca5e918f73f0cf57b53e86aa1b4170c5bc4794c661fd079217d9e8150f7a942dde4e43dc6e83

  • memory/772-146-0x0000000000540000-0x00000000006A0000-memory.dmp

    Filesize

    1.4MB

  • memory/944-135-0x00000000055F0000-0x000000000568C000-memory.dmp

    Filesize

    624KB

  • memory/944-136-0x0000000001570000-0x000000000157A000-memory.dmp

    Filesize

    40KB

  • memory/944-132-0x0000000000190000-0x00000000002F0000-memory.dmp

    Filesize

    1.4MB

  • memory/944-134-0x0000000005550000-0x00000000055E2000-memory.dmp

    Filesize

    584KB

  • memory/944-133-0x0000000005A60000-0x0000000006004000-memory.dmp

    Filesize

    5.6MB