Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 19/03/2023, 15:53
Static task: static1
Behavioral task: behavioral1
- Sample: Odeme.exe
- Resource: win7-20230220-en
General
- Target: Odeme.exe
- Size: 637KB
- MD5: 0747b82b235f4d06fc693569fac9ffbd
- SHA1: d639f2c7345800ae12b6dea8655cdab16df64daf
- SHA256: 044cacd5ac37289f51cb2560deec5d5eb2a299f37cc7632673fefc70196e5452
- SHA512: 08a9ee3dbd779b8b4c689ddf54f9d57bfa68f61b18e80c8a2240a3feae5e0bf98603e68ecc55aee0d9da7efe909d09a306f5f69feb4e49668520eef7ecfab552
- SSDEEP: 12288:NcrNS33L10QdrXjcDn6gl1f6NWU6TvfXCT8NqRu0VWYQw6zx6TaFOo:wNA3R5drXoD60ZMNg3TuWYJ2x6/o
Malware Config
Extracted
- family: asyncrat
- version: 0.5.7B
- botnet: Mnock
- c2: mooroopecamroy.sytes.net:1452, mooroopecamroy.sytes.net:1432
- mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: crssi.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (5 IoCs)
  resource / yara_rule:
  - behavioral1/memory/1364-101-0x0000000000400000-0x0000000000412000-memory.dmp: asyncrat
  - behavioral1/memory/1364-104-0x0000000000400000-0x0000000000412000-memory.dmp: asyncrat
  - behavioral1/memory/1364-106-0x0000000000400000-0x0000000000412000-memory.dmp: asyncrat
  - behavioral1/memory/1980-125-0x0000000000400000-0x0000000000412000-memory.dmp: asyncrat
  - behavioral1/memory/1980-127-0x0000000000400000-0x0000000000412000-memory.dmp: asyncrat
- Executes dropped EXE (5 IoCs)
  pid / Process:
  - 1136 fxgdxfg.sfx.exe
  - 936 fxgdxfg.exe
  - 1364 fxgdxfg.exe
  - 272 crssi.exe
  - 1980 crssi.exe
- Loads dropped DLL (7 IoCs)
  pid / Process:
  - 1848 cmd.exe
  - 1136 fxgdxfg.sfx.exe (4 IoCs)
  - 936 fxgdxfg.exe
  - 1268 cmd.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description / pid / Process / procid_target:
  - PID 936 set thread context of 1364; 936 fxgdxfg.exe; target 33
  - PID 272 set thread context of 1980; 272 crssi.exe; target 42
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  - 1740 schtasks.exe
- Delays execution with timeout.exe (1 IoCs)
  pid / Process:
  - 108 timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid / Process:
  - 1364 fxgdxfg.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege; 936 fxgdxfg.exe
  - Token: SeDebugPrivilege; 1364 fxgdxfg.exe
  - Token: SeDebugPrivilege; 272 crssi.exe
  - Token: SeDebugPrivilege; 1980 crssi.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid / Process:
  - 1104 DllHost.exe
- Suspicious use of WriteProcessMemory (50 IoCs)
  description / pid / Process / procid_target (identical entries grouped, with their count):
  - PID 1760 wrote to memory of 1848; 1760 Odeme.exe; target 29 (x4)
  - PID 1848 wrote to memory of 1136; 1848 cmd.exe; target 31 (x4)
  - PID 1136 wrote to memory of 936; 1136 fxgdxfg.sfx.exe; target 32 (x4)
  - PID 936 wrote to memory of 1364; 936 fxgdxfg.exe; target 33 (x9)
  - PID 1364 wrote to memory of 1564; 1364 fxgdxfg.exe; target 35 (x4)
  - PID 1364 wrote to memory of 1268; 1364 fxgdxfg.exe; target 37 (x4)
  - PID 1564 wrote to memory of 1740; 1564 cmd.exe; target 39 (x4)
  - PID 1268 wrote to memory of 108; 1268 cmd.exe; target 40 (x4)
  - PID 1268 wrote to memory of 272; 1268 cmd.exe; target 41 (x4)
  - PID 272 wrote to memory of 1980; 272 crssi.exe; target 42 (x9)
Processes (depth shown as a number; children indented under their parent)
- 1. C:\Users\Admin\AppData\Local\Temp\Odeme.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Odeme.exe"
  PID: 1760
  signatures: Suspicious use of WriteProcessMemory
  - 2. C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\niychjo.cmd" "
    PID: 1848
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - 3. C:\Users\Admin\AppData\Local\Temp\fxgdxfg.sfx.exe
      command line: fxgdxfg.sfx.exe -dC:\Users\Admin\AppData\Local\Temp -pkqcaszjnhdeekeafugBtrfapofdgatdbjfthfegdyddfbshhheuyhdqboofhhddghdgvxcVohobthtigdge
      PID: 1136
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - 4. C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe"
        PID: 936
        signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - 5. C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe
          command line: C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe
          PID: 1364
          signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - 6. C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "crssi" /tr '"C:\Users\Admin\AppData\Roaming\crssi.exe"' & exit
            PID: 1564
            signatures: Suspicious use of WriteProcessMemory
            - 7. C:\Windows\SysWOW64\schtasks.exe
              command line: schtasks /create /f /sc onlogon /rl highest /tn "crssi" /tr '"C:\Users\Admin\AppData\Roaming\crssi.exe"'
              PID: 1740
              signatures: Creates scheduled task(s)
          - 6. C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2BD2.tmp.bat""
            PID: 1268
            signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
            - 7. C:\Windows\SysWOW64\timeout.exe
              command line: timeout 3
              PID: 108
              signatures: Delays execution with timeout.exe
            - 7. C:\Users\Admin\AppData\Roaming\crssi.exe
              command line: "C:\Users\Admin\AppData\Roaming\crssi.exe"
              PID: 272
              signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - 8. C:\Users\Admin\AppData\Roaming\crssi.exe
                command line: C:\Users\Admin\AppData\Roaming\crssi.exe
                PID: 1980
                signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- 1. C:\Windows\SysWOW64\DllHost.exe
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 1104
  signatures: Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads (21 entries; identical files are listed once with the number of times they appear)
-
Filesize: 228KB (listed 13 times)
MD5: 4981301b8b72b18e3f36313edf39c494
SHA1: b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e
SHA256: e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655
SHA512: 2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd
-
Filesize: 446KB (listed 3 times)
MD5: bba0c2f36a07c47043cdf79438caa5c6
SHA1: 756ea32a4fd067ec1e89348931250d518dbffaa8
SHA256: 91b53575361b2edfb410d537d8f9656cf6c897cf499c5e69c1a87070b041805a
SHA512: 1e278dbe58ef39127f52c2dbf1df28957c8c15be79bc8bd877141a7c85aa49863655b9903ab8b6ae5d845bc8c5a6b90c4192b3240d72f082cff0eb95faab54bb
-
Filesize: 10KB (listed 2 times)
MD5: e5e149b889c00e5bb7ccb24f657de3b6
SHA1: 27c48613662cf340487399277c7da01a3459bbd7
SHA256: 918b067d618b93734f5fd18a2304d58fa3de64c40e57f8c61aa20721ad859b4a
SHA512: 806ef27e28e05bb61a54b06c5dd47885e30aba9d9a28657120c0c24d27899486835604c0ccb5d53ea069986f00a5d4bc2e695db6fd1e3fa16e067e1e7a550b04
-
Filesize: 46KB (listed 1 time)
MD5: 57cbd6c513298c42618373a0f752460a
SHA1: 3dd60b7e98d93f4c2b0b7aa11b9bba3708a5e5c6
SHA256: c58d4f70b28185fad7a7411f08731c13ab5c19decad07fc2e422090c090268c2
SHA512: 0624fe01af7f450b5ed5aef39e1678d66642de0a07edcce74a801a2051e62c7a5d2c057cf6e4b549122583df8f618ecddb81e23200187fecfd7695061fd9d68c
-
Filesize: 149B (listed 2 times)
MD5: f32317efe1f366e7b2a8841f5dba26fb
SHA1: bfc0cb2f6fc1fdc8224954c98d245a7a83b576e6
SHA256: 36ebe66fb83f6ebc4025c359ed32b2a3d55c1bc03673c9f8474fb773dd93ca27
SHA512: e744f6f177eeada5af7087c6e1d229f591dfccab4847ad68ed3bab40dc5fda60038e63f5d4b56941b173e1c55ca20a1c544ad82d87a14b2277c801f17809fdf9