Resubmissions

19/04/2023, 01:43

230419-b5gtaafe75 (score 10)

Analysis

  • max time kernel
    143s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/04/2023, 01:43

General

  • Target

    ClasSvc.exe

  • Size

    17.1MB

  • MD5

    305e71ec353a718b055ea9acaa6598a3

  • SHA1

    3d26bb3b0a669b98c5226bcdd3473440e47162d5

  • SHA256

    031f9345c33543366e9c66447f4f3fb085a2e04f3c2f98f562f191de6a413dd0

  • SHA512

    2f9c163ac5e2980825b536b384329714dc602079e4bd0b9e2654df40fcd659e67e4e2a17b338a81fc8ac39e0ff1ae83b625e102f9308a0734948412c4a4dc2eb

  • SSDEEP

    196608:uNjzJSeEtAVBt4/BixizJcPM5OzQ6UM6pZpKerXvob24hwhxbQLJC:uNjzJSeE0D4KiZ5OyM6pXTrXvMwrbQLM

Score
10/10

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by the Russian company TektonIT. It is commercial remote-administration software, but it is routinely deployed by attackers as a ready-made RAT, so a hit on this signature means the sample installs an RMS agent, not that RMS itself is exploited; the "-run_agent" child process below is that agent.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Reads the country/region code configured in the registry, most likely to geofence execution (run or abort depending on the victim's locale).

  • Checks processor information in registry (2 TTPs, 6 IoCs)

    Reads processor details from the registry; malware commonly does this to fingerprint virtual machines and sandboxes before running its payload.

  • Suspicious behavior: EnumeratesProcesses (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of SetWindowsHookEx (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ClasSvc.exe
    "C:\Users\Admin\AppData\Local\Temp\ClasSvc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1708
    • C:\Users\Admin\AppData\Local\Temp\ClasSvc.exe
      C:\Users\Admin\AppData\Local\Temp\ClasSvc.exe -run_agent -second
      2⤵
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1776
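The process tree above is the actionable part of this report for a defender: the dropper in %TEMP% re-launches its own image with "-run_agent -second", and both PIDs carry the hashes listed under General. The following is an added example (not tria.ge output and not part of the sample) showing how to hunt for that chain in Sysmon Event ID 1 records exported as JSON lines. The hashes, path and command line are taken from this report; the log records, the explorer.exe parent and the Sysmon field layout for the demo are constructed.

```python
"""Hunt for the ClasSvc.exe / RMS process chain from this report in Sysmon
Event ID 1 (process creation) records exported as JSON lines.

Added example, not tria.ge output. IoCs come from the report; the log
records below are constructed for the demonstration.
"""
import json
import re

# File hashes reported for ClasSvc.exe (MD5, SHA1, SHA256), lower-case hex.
KNOWN_HASHES = {
    "305e71ec353a718b055ea9acaa6598a3",
    "3d26bb3b0a669b98c5226bcdd3473440e47162d5",
    "031f9345c33543366e9c66447f4f3fb085a2e04f3c2f98f562f191de6a413dd0",
}

# Child command line from the report: the dropper re-executes itself as the
# RMS agent with "-run_agent -second".
AGENT_ARGS = re.compile(r"-run_agent\b.*-second\b", re.IGNORECASE)


def parse_hashes(field):
    """Split a Sysmon 'Hashes' field ("MD5=...,SHA256=...") into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def classify(event):
    """Return the reasons an Event ID 1 record matches this report (may be empty)."""
    reasons = []
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    hashes = parse_hashes(event.get("Hashes", ""))

    if KNOWN_HASHES & set(hashes.values()):
        reasons.append("hash matches reported ClasSvc.exe sample")
    if AGENT_ARGS.search(cmd):
        reasons.append("RMS agent launch arguments (-run_agent -second)")
    # Self-spawn from a user temp directory: the parent and child share the
    # same image path and that path lives under AppData\Local\Temp.
    if (image and image.lower() == parent.lower()
            and "\\appdata\\local\\temp\\" in image.lower()):
        reasons.append("binary in %TEMP% re-spawning itself")
    return reasons


def hunt(jsonl):
    """Return [(pid, reasons)] for every process-creation record that matches."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 1:       # only process creation events
            continue
        reasons = classify(ev)
        if reasons:
            hits.append((ev["ProcessId"], reasons))
    return hits


TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\ClasSvc.exe"
SHA256 = "031f9345c33543366e9c66447f4f3fb085a2e04f3c2f98f562f191de6a413dd0"

# Constructed records modelled on the report's process tree (PID 1708 -> 1776).
# The explorer.exe parent, the benign notepad record and the network event
# are assumptions added to show filtering and the absence of false positives.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "ProcessId": 1708, "Image": TEMP_EXE,
     "CommandLine": '"' + TEMP_EXE + '"',
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + SHA256},
    {"EventID": 1, "ProcessId": 1776, "Image": TEMP_EXE,
     "CommandLine": TEMP_EXE + " -run_agent -second",
     "ParentImage": TEMP_EXE,
     "Hashes": "MD5=305e71ec353a718b055ea9acaa6598a3,SHA256=" + SHA256},
    {"EventID": 1, "ProcessId": 2000, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=" + "00" * 32},
    {"EventID": 3, "ProcessId": 1776, "Image": TEMP_EXE},
])

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_LOG):
        print(pid, "->", "; ".join(reasons))
```

The hash rule alone would catch only this exact build; the command-line and self-spawn rules are what generalise to other RMS droppers, so in production keep all three and treat the combination as high confidence.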

Network

MITRE ATT&CK Enterprise v6

Downloads

Memory dumps taken from the two processes (region, size). The repeated 0x00400000-0x015C3000 region (17.8MB) is the main module image of ClasSvc.exe in both PIDs; the 4KB regions are single pages.

  • memory/1708-55-0x0000000001760000-0x0000000001761000-memory.dmp (4KB)
  • memory/1708-54-0x0000000000280000-0x0000000000281000-memory.dmp (4KB)
  • memory/1708-56-0x0000000002F80000-0x0000000002F81000-memory.dmp (4KB)
  • memory/1708-57-0x0000000000400000-0x00000000015C3000-memory.dmp (17.8MB)
  • memory/1776-58-0x0000000000270000-0x0000000000271000-memory.dmp (4KB)
  • memory/1776-61-0x0000000005830000-0x0000000005831000-memory.dmp (4KB)
  • memory/1776-60-0x0000000005870000-0x0000000005871000-memory.dmp (4KB)
  • memory/1776-62-0x0000000005840000-0x0000000005841000-memory.dmp (4KB)
  • memory/1776-63-0x0000000000400000-0x00000000015C3000-memory.dmp (17.8MB)
  • memory/1776-64-0x0000000000400000-0x00000000015C3000-memory.dmp (17.8MB)
  • memory/1776-70-0x0000000000400000-0x00000000015C3000-memory.dmp (17.8MB)
  • memory/1776-77-0x0000000000400000-0x00000000015C3000-memory.dmp (17.8MB)