Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
22/09/2023, 05:41
General
-
Target
MultiExploitBuilderV1.exe
-
Size
2.2MB
-
MD5
b9fa659bd0b2b103521c686ecf3da2c7
-
SHA1
21427801d6d99aff543964fe8f685faa196cf8f2
-
SHA256
99a6966aea833fa53e11681cb19b336abd176eb1e477fdde957ec11954e7086d
-
SHA512
c25bd26b8e9aba2df095e1a964a8a92c25b800a7604330ca6ee1ece89e6b680897af216905ecb40b4a4d7228a1fe857c11707248590839e7ecd2ef6c431a05d4
-
SSDEEP
49152:bqe3f6lnC3KqopqB8YwuJQ9iEpWHGG2J/:WSi1qKqBOSwTCwR
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 5 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\MultiExploitBuilderV1.exe"C:\Users\Admin\AppData\Local\Temp\MultiExploitBuilderV1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-1GDJP.tmp\MultiExploitBuilderV1.tmp"C:\Users\Admin\AppData\Local\Temp\is-1GDJP.tmp\MultiExploitBuilderV1.tmp" /SL5="$D0028,1485076,837632,C:\Users\Admin\AppData\Local\Temp\MultiExploitBuilderV1.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-GA4DB.tmp\env.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc create SearchOptimizer binpath= "C:\Windows\System32\SearchOptimizer.exe" start=auto4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc start SearchOptimizer4⤵
- Launches sc.exe
-
-
-
-
C:\Windows\System32\SearchOptimizer.exeC:\Windows\System32\SearchOptimizer.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\SearchUI.exe"C:\Windows\System32\SearchUI.exe"2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
75B
MD53e9b283396ce48fe6410ffaa5b3a7ef7
SHA108ce48281fc5fb2dcb69034120ace5d02233d4c8
SHA256bea122a004eb8d1dc88a38636f77cf73ccf20c5cbf39061b967e7d23cc995158
SHA51227dce7901a94f2dc163e2c8b35ced9bc63d1737ac87df9b385aec6b662d04df8a7b472c31458dd67109014a18be4150e4eecdfc661c44f44c0d4764d3175f6c5
-
Filesize
75B
MD53e9b283396ce48fe6410ffaa5b3a7ef7
SHA108ce48281fc5fb2dcb69034120ace5d02233d4c8
SHA256bea122a004eb8d1dc88a38636f77cf73ccf20c5cbf39061b967e7d23cc995158
SHA51227dce7901a94f2dc163e2c8b35ced9bc63d1737ac87df9b385aec6b662d04df8a7b472c31458dd67109014a18be4150e4eecdfc661c44f44c0d4764d3175f6c5
-
Filesize
2.9MB
MD51f4bdf4d6f2b4fd5f8e60e8be2e86c5b
SHA15da410b4f14949b46cc7995f4f8f480a2de25a70
SHA256711308c01e6c633293062aca47ba61df0baadc980ebf2ff66e0fb39e5e537477
SHA5122436d25866cf93a53116038f715919c82e21a8171fe0a68ffefa5283fb07824d74ec4c89f870e018fc2326beab89d6bdfd0249d6fc9f078859427bc351b837e8
-
Filesize
2.9MB
MD51f4bdf4d6f2b4fd5f8e60e8be2e86c5b
SHA15da410b4f14949b46cc7995f4f8f480a2de25a70
SHA256711308c01e6c633293062aca47ba61df0baadc980ebf2ff66e0fb39e5e537477
SHA5122436d25866cf93a53116038f715919c82e21a8171fe0a68ffefa5283fb07824d74ec4c89f870e018fc2326beab89d6bdfd0249d6fc9f078859427bc351b837e8
-
Filesize
126B
MD57af82eba781e242f1d31d84426fe6d46
SHA18922e100cbbefe0bea303350fec65ad9e7d2c6bf
SHA256e542c65b51318d3b6308e6f9cddf56cfb9e5702c688b089739a8087677acbbfe
SHA51222a5ee800cd4c0e1e2e57ec1818631a8d94641023b282b05df754ca6cbbae08d7b935de879780c3170ec8cc0c6897fa1be5d868e7cf04ce35af39d5adde69a13
-
Filesize
254KB
MD55c7b8fa5b82728b1337e7e35ac235a06
SHA1a9d662a387f9d320a67f91e6c0600c7638d67000
SHA2566a24df52c56aaffa2770fc20dbb64b14f54e69b543a31fe5d51d364ec4e17ec4
SHA5129aee5e0aad93600d8c2d7ab91297f20ae3f9d0da5590a3534bec48a2e72f637461bce0ebb18bce35687b88397b1398c0197d5e36e313c1cb03b490264596e433
-
Filesize
254KB
MD55c7b8fa5b82728b1337e7e35ac235a06
SHA1a9d662a387f9d320a67f91e6c0600c7638d67000
SHA2566a24df52c56aaffa2770fc20dbb64b14f54e69b543a31fe5d51d364ec4e17ec4
SHA5129aee5e0aad93600d8c2d7ab91297f20ae3f9d0da5590a3534bec48a2e72f637461bce0ebb18bce35687b88397b1398c0197d5e36e313c1cb03b490264596e433
-
Filesize
306KB
MD549e95b7a1ebf031fd9ad67adf8769a19
SHA15913dd59612ee712e23f33496ac3994a2f846b39
SHA256d791577ccb6b6d288e06c9e6a9dbe7f0563144fb5025b17ee8435df04a8c1811
SHA512969b113c360ab188c1ae0c0419997ab67e34ab742488a16625c295e8d273ebf11a32e596190996addcc3aa55475df0f152ed5af66305ba56ad0908d657186fad
-
Filesize
306KB
MD549e95b7a1ebf031fd9ad67adf8769a19
SHA15913dd59612ee712e23f33496ac3994a2f846b39
SHA256d791577ccb6b6d288e06c9e6a9dbe7f0563144fb5025b17ee8435df04a8c1811
SHA512969b113c360ab188c1ae0c0419997ab67e34ab742488a16625c295e8d273ebf11a32e596190996addcc3aa55475df0f152ed5af66305ba56ad0908d657186fad
-
Filesize
75B
MD53e9b283396ce48fe6410ffaa5b3a7ef7
SHA108ce48281fc5fb2dcb69034120ace5d02233d4c8
SHA256bea122a004eb8d1dc88a38636f77cf73ccf20c5cbf39061b967e7d23cc995158
SHA51227dce7901a94f2dc163e2c8b35ced9bc63d1737ac87df9b385aec6b662d04df8a7b472c31458dd67109014a18be4150e4eecdfc661c44f44c0d4764d3175f6c5
-
Filesize
872KB
-
Filesize
872KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.0MB
-
Filesize
1.2MB