Analysis

  • max time kernel
    97s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/01/2023, 16:16

General

  • Target
    decoded.exe
  • Size
    1.3MB
  • MD5
    2d48214132e5c4d808740e71ec5f6a7f
  • SHA1
    f3c7534d9f139782006b5656ec0d229d8d9d356e
  • SHA256
    c1fadb8e09ba1257f7656be5a1c8d44e2a0da8697e8e0a32485714949a6c29ca
  • SHA512
    71b38bc31ecd199d3408e831c0cda0b0fbce6b363d5da3500767ff2a9a02fc0b3990512085d8d44e25b50e87eceaf4527e58d9c3e0a0802efbc3164af94a77a2
  • SSDEEP
    24576:LMmDOoI0Acd30rkQS8nikHN+KNzPKqQRD2F2PcAFdiqP1t/qiSlJjKGY:LMelI0AA0rkQznikHnNyn62PVFLtiiSO

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2576
      • C:\Users\Admin\AppData\Local\Temp\decoded.exe
        "C:\Users\Admin\AppData\Local\Temp\decoded.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup ashfdjkhgwiueghfruihwjkefwe
          3⤵
            PID:3968
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c cmd < 2
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4656
            • C:\Windows\SysWOW64\cmd.exe
              cmd
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4812
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell get-process avastui
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:876
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell get-process avgui
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3096
              • C:\Windows\SysWOW64\certutil.exe
                certutil -decode 86 86YEO
                5⤵
                  PID:1244
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /V /R "^QyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmSFyMxWuKGRJDopFhZDrhRDHAYtAoQHDCIZfrnmkrkibbwxQlV$" 86YEO
                  5⤵
                    PID:4304
                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9780\Milf.exe.pif
                    9780\\Milf.exe.pif 9780\\d
                    5⤵
                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of WriteProcessMemory
                    PID:3984
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                      6⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2580
                  • C:\Windows\SysWOW64\PING.EXE
                    ping localhost -n 8
                    5⤵
                    • Runs ping.exe
                    PID:3500
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YHgsKCxQSK.url" & echo URL="C:\Users\Admin\AppData\Local\MYSMWZEvHY\VPbsOvHZF.vbs" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YHgsKCxQSK.url"
              2⤵
              • Drops startup file
              PID:316

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize 1KB
    MD5 def65711d78669d7f8e69313be4acf2e
    SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
    SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
    SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize 18KB
    MD5 708511c46bcb778e89b204cb40403a17
    SHA1 456294d0b869be8c77546e9de5a7dfe0253c0dc0
    SHA256 b01b3dc94d2f7c4056c2b865798fb71f5fc1e91060719f739f0339adf3342cb4
    SHA512 e8fe358ffdf46c179b8443f9756053c84fe99dad0156ff26b036e109c5bf9df139a1bf29ebe7a577216b30b6b2e900175be1412fbed4a766841e62c46682a810
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2
    Filesize 11KB
    MD5 cf13b620804b451200c2fc35d0955c1e
    SHA1 0b9034ce408d6bdfc2d12a5f957361df1494b564
    SHA256 968a4e2af5aa8c0ab95e65c08eb5a5ea03d921c9220def24675a676ff3f9fe76
    SHA512 a4c73efd6ff723b9067c95258f02ee0570cf076a1d992456bfdccdd064e1771dde530d0dd046d2dad6185cb08eb4d641484f75b94b04f0dfd384bdd60fd22f26
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6
    Filesize 1.9MB
    MD5 fa191eedf1fd23465aea012c60dd159f
    SHA1 230d11121b16f1d38f31a2867c214bef83da6f22
    SHA256 94e500c66add5eb1ee91b8de448668a7c7d26021104c9bec2c156c8dbbc9a440
    SHA512 bee65d47a8ee4311d016dd85e3fc45d28d4133da18a15430388067b4457e542b3790344e7b9e38672c191832b56550ec0e676b5e047f8ff9ac1b9e0f339d342d
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\86
    Filesize 1.2MB
    MD5 3c775f771bf21af3a95b519b87d3a055
    SHA1 796a926397a7024348db5c8790acfb69cca68227
    SHA256 66404d8f396ba4198e14b73cea09b36567d55d93c683965e13e2f9765f0f1b6c
    SHA512 20a2ff99e8c676a3c3ec9fdfb26a000fda8aeb36373380f764e6fe8f428f7dce42cea9dd2b66fa9e0a84c01f13c224f53f147cc420d1de3d1fc0539a670ca253
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\86YEO
    Filesize 872KB
    MD5 0d398b7bfb54c5e22d8b42e8545837d7
    SHA1 c065aed432508df9bacf121e7f0ed9bc0ebcce62
    SHA256 a80a0a728e5451c54543c9527b12e0f8938e6fa72c3ef34ac6044fdec39d505e
    SHA512 8a9038fb3f563abd69c628bcc32211550afde710be390131f5ac4fe8d59d58e9794d0562b60fe0e13fc1bc01d4c256867035d362f24bcd52b6834c874fefd4c7
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9780\Milf.exe.pif
    Filesize 872KB
    MD5 c56b5f0201a3b3de53e561fe76912bfd
    SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • memory/876-139-0x0000000005A60000-0x0000000005A82000-memory.dmp
    Filesize 136KB
  • memory/876-141-0x00000000062E0000-0x0000000006346000-memory.dmp
    Filesize 408KB
  • memory/876-143-0x0000000007AF0000-0x0000000007B86000-memory.dmp
    Filesize 600KB
  • memory/876-144-0x0000000006DC0000-0x0000000006DDA000-memory.dmp
    Filesize 104KB
  • memory/876-145-0x0000000006E10000-0x0000000006E32000-memory.dmp
    Filesize 136KB
  • memory/876-146-0x0000000008140000-0x00000000086E4000-memory.dmp
    Filesize 5.6MB
  • memory/876-142-0x0000000006930000-0x000000000694E000-memory.dmp
    Filesize 120KB
  • memory/876-140-0x0000000006140000-0x00000000061A6000-memory.dmp
    Filesize 408KB
  • memory/876-137-0x0000000003010000-0x0000000003046000-memory.dmp
    Filesize 216KB
  • memory/876-138-0x0000000005AA0000-0x00000000060C8000-memory.dmp
    Filesize 6.2MB
  • memory/2580-161-0x0000000000590000-0x0000000000636000-memory.dmp
    Filesize 664KB
  • memory/2580-163-0x0000000004C00000-0x0000000004C92000-memory.dmp
    Filesize 584KB