Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
12/05/2023, 05:06
Static task
static1
Behavioral task
behavioral1
Sample
Vnd Vietcombankpdf.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Vnd Vietcombankpdf.exe
Resource
win10v2004-20230220-en
General
-
Target
Vnd Vietcombankpdf.exe
-
Size
164KB
-
MD5
17a37bf8286737da1e6b94f8094ca1c1
-
SHA1
4c926d254cdc3bc5f243f97b5602cbae2d9669a5
-
SHA256
5d318ad1fa11ca3660fe35faff0e0aaef8acd820e01cdd5ee7305c30314f5303
-
SHA512
66c3ba7121ed0485fb9dbef897f15baf2920575aec6e3d3b773ca36052b09217df277a7127c6e907241d62f0c239f1099c5e43ad3c811c84f5323d2e1d9357ca
-
SSDEEP
3072:XfY/TU9fE9PEtuAbx1qh8nA7Yg75h/zu3GOFkqqymeiy5wt8biswBM6GZ7wzG48:PYa6cxchIAR5h/zLak+mPtIisW8gV8
Malware Config
Signatures
-
Async RAT payload 4 IoCs
resource yara_rule behavioral2/memory/1172-141-0x0000000000400000-0x0000000000423000-memory.dmp asyncrat behavioral2/memory/1172-142-0x0000000000400000-0x0000000000423000-memory.dmp asyncrat behavioral2/memory/1172-143-0x0000000000400000-0x0000000000423000-memory.dmp asyncrat behavioral2/memory/1172-144-0x0000000000400000-0x0000000000423000-memory.dmp asyncrat -
Loads dropped DLL 1 IoCs
pid Process 544 Vnd Vietcombankpdf.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxhcclhhqa = "C:\\Users\\Admin\\AppData\\Roaming\\mvrrbkkgp\\pyuueajjso.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Vnd Vietcombankpdf.exe\"" Vnd Vietcombankpdf.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 544 set thread context of 1172 544 Vnd Vietcombankpdf.exe 83 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 544 Vnd Vietcombankpdf.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1172 Vnd Vietcombankpdf.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 544 wrote to memory of 1172 544 Vnd Vietcombankpdf.exe 83 PID 544 wrote to memory of 1172 544 Vnd Vietcombankpdf.exe 83 PID 544 wrote to memory of 1172 544 Vnd Vietcombankpdf.exe 83 PID 544 wrote to memory of 1172 544 Vnd Vietcombankpdf.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\Vnd Vietcombankpdf.exe"C:\Users\Admin\AppData\Local\Temp\Vnd Vietcombankpdf.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Users\Admin\AppData\Local\Temp\Vnd Vietcombankpdf.exe"C:\Users\Admin\AppData\Local\Temp\Vnd Vietcombankpdf.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5e39081d0a073b0aa576cb5b2571b2a1b
SHA1da726c1269d8b7127dcb77f95d44e63b597b0bc6
SHA256467a142e9aee7798d20ce3d3339fb04a49a4c219c9795d4a69ef0def1000069b
SHA51203f642399b5da14556e741217e5b10070ca03e5f4135127cb886f8b8835290c89aa95638f7974b8796f0f867937c1953b2d3a8e80d56fbb6276ba70fd8cb383a