Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/07/2023, 11:03

General

  • Target

    666f0565a76217_JC.exe

  • Size

    524KB

  • MD5

    666f0565a76217a4de639d7cc4d76d7f

  • SHA1

    1fbb63994851f816a0f7d93b2e8c7a5d14ec080a

  • SHA256

    72c937a5a0cf31e0a05552208e1cafffeb84d740833c903cf831e33c7504b6ea

  • SHA512

    12c32c07d91aa4f5e7dfd5c9f140c59eb57896f65a99fa6b488a814b63cdf31c2c2000c4bf0aab3d22da0a0c43ae2523330b91e340b75cb4f7374345086859d6

  • SSDEEP

    6144:Z+0m8kZHU0bdLzTImb9C5u1wWxclQMgM8xn0AUh2q/+Kmy/v0ng:7m8H0bdL3Imb9efQMgMkYH+Kmo

Score
8/10

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\666f0565a76217_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\666f0565a76217_JC.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1122.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\mode.com
        mode con cols=15 lines=3
        3⤵
          PID:4536
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1122.bat p
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4964
          • C:\Windows\SysWOW64\mode.com
            mode con cols=15 lines=3
            4⤵
              PID:3788
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1133.bat
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4776
          • C:\Windows\SysWOW64\mode.com
            mode con cols=15 lines=3
            3⤵
              PID:5064
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +a +h +r "C:\test"
              3⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:2016

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\1122.bat

          Filesize

          197B

          MD5

          b4292e00eff53ec1da95e7225285e779

          SHA1

          695289b0ffaa5ee7b4084304c976045806687ddd

          SHA256

          dc4a1e18e67015e250c8bd71dcbce8d2234e73219b7dfcf8fd13d0733e4c2030

          SHA512

          00dc64420d7b8fda21873e4dfe9ec5fc0aec15a296385ca801641f6a8894692f6aeada71445ef54330f1acf4be6ab436e4ad99f24933e844baa6055efd02f1b6

        • C:\Users\Admin\AppData\Local\Temp\1133.bat

          Filesize

          146B

          MD5

          d61001211982ac769bbb185be1950976

          SHA1

          c856d74768d978bed799edfc07819fc28ba8f604

          SHA256

          03d8643c798c6d1f7c25e3dde6f9a3cb17015295456e099af2681b4ba7895b27

          SHA512

          7080a7d2c54d927960d42063eeea3514ada396c680108d3345660b69149daa446c38848f64138ec075cc7bc9c39112147fabda3fdd7826e763e1b6d1b87f23f1

        • memory/1432-133-0x0000000010000000-0x0000000010017000-memory.dmp

          Filesize

          92KB