Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

condef/Def...gs.vbs

windows7-x64

3

condef/Def...gs.vbs

windows10-2004-x64

1

condef/ReadMe.txt

windows7-x64

1

condef/ReadMe.txt

windows10-2004-x64

1

condef/dControl.exe

windows7-x64

10

condef/dControl.exe

windows10-2004-x64

7

out.exe

windows7-x64

out.exe

windows10-2004-x64

condef/dControl.ini

windows7-x64

1

condef/dControl.ini

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    01/11/2023, 02:03 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    condef/dControl.exe

  • Size

    447KB

  • MD5

    58008524a6473bdf86c1040a9a9e39c3

  • SHA1

    cb704d2e8df80fd3500a5b817966dc262d80ddb8

  • SHA256

    1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

  • SHA512

    8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31

  • SSDEEP

    6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

Score
10/10
evasiontrojanupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • AutoIT Executable 19 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\condef\dControl.exe
    "C:\Users\Admin\AppData\Local\Temp\condef\dControl.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2124
    • C:\Users\Admin\AppData\Local\Temp\condef\dControl.exe
      C:\Users\Admin\AppData\Local\Temp\condef\dControl.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2852
      • C:\Users\Admin\AppData\Local\Temp\condef\dControl.exe
        "C:\Users\Admin\AppData\Local\Temp\condef\dControl.exe" /TI
        3⤵
        • Modifies security service
        • Windows security modification
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Windows\Explorer.exe
          "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
          4⤵
            PID:2176
          • C:\Users\Admin\AppData\Local\Temp\condef\dControl.exe
            "C:\Users\Admin\AppData\Local\Temp\condef\dControl.exe" /EXP |1300|
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:848
    • C:\Windows\system32\makecab.exe
      "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231101020337.log C:\Windows\Logs\CBS\CbsPersist_20231101020337.cab
      1⤵
      • Drops file in Windows directory
      PID:2440
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /RefreshSystemParam
      1⤵
        PID:2160
      • C:\Windows\system32\gpscript.exe
        gpscript.exe /RefreshSystemParam
        1⤵
          PID:2000
        • C:\Windows\system32\gpscript.exe
          gpscript.exe /RefreshSystemParam
          1⤵
            PID:2812
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:2980
            • C:\Program Files\Windows Defender\MSASCui.exe
              "C:\Program Files\Windows Defender\MSASCui.exe"
              2⤵
                PID:1580

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\2s1v2m4y.tmp
              Filesize

              37KB

              MD5

              f156a4a8ffd8c440348d52ef8498231c

              SHA1

              4d2f5e731a0cc9155220b560eb6560f24b623032

              SHA256

              7c3ca3161b9061c9b1ff70f401d9f02b2d01267bc76cbfcbc397a5aec60d4842

              SHA512

              48f3c273f072a8c3c73a1b835ed320a6b8962c2f8b5037a3b6c1bea5431b17d9c03e8d771cc205bbc067975c78307f2306c55dbc4c72e0a7c15c6b17b3afa170

              Download Submit

            • C:\Windows\System32\GroupPolicy\Machine\Registry.pol
              Filesize

              8B

              MD5

              8e1b08222f20e45a3e8db04c569f9cb7

              SHA1

              a6ac68fbadf96faba3af7000a7514790157f930f

              SHA256

              5bb1f21f806938a043563024b13b33d74a2b95b767c5f81bde8456e9d0413a89

              SHA512

              414d30dec0fce6b4e3ab52c50f064262e0df00cf9dbbeacca271a0991555371a37cfffdd0486c07a9096838942a69cdbefea4a4399ef2848139678daff589c31

              Download Submit

            • C:\Windows\System32\GroupPolicy\gpt.ini
              Filesize

              233B

              MD5

              cd4326a6fd01cd3ca77cfd8d0f53821b

              SHA1

              a1030414d1f8e5d5a6e89d5a309921b8920856f9

              SHA256

              1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

              SHA512

              29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

              Download Submit

            • C:\Windows\Temp\2c8o5s2d.tmp
              Filesize

              37KB

              MD5

              1f8c95b97229e09286b8a531f690c661

              SHA1

              b15b21c4912267b41861fb351f192849cca68a12

              SHA256

              557a903f0f2177e3e62b1a534dee554cf2eff3dd3991bc2310f064bf9c7d2152

              SHA512

              0f0e5b85b6ef73ecebcd70ca90ce54c019eec1ea99966c469f357dd3393d0067f591b3690fe0b7922d7ba4aa25ebefd76a092d28c3377e6035720f8630a1a186

              Download Submit

            • C:\Windows\Temp\2c8o5s2d.tmp
              Filesize

              37KB

              MD5

              3bc9acd9c4b8384fb7ce6c08db87df6d

              SHA1

              936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

              SHA256

              a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

              SHA512

              f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

              Download Submit

            • C:\Windows\Temp\aut9FB9.tmp
              Filesize

              14KB

              MD5

              9d5a0ef18cc4bb492930582064c5330f

              SHA1

              2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

              SHA256

              8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

              SHA512

              1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

              Download Submit

            • C:\Windows\Temp\aut9FC9.tmp
              Filesize

              12KB

              MD5

              efe44d9f6e4426a05e39f99ad407d3e7

              SHA1

              637c531222ee6a56780a7fdcd2b5078467b6e036

              SHA256

              5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

              SHA512

              8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

              Download Submit

            • C:\Windows\Temp\aut9FDA.tmp
              Filesize

              7KB

              MD5

              ecffd3e81c5f2e3c62bcdc122442b5f2

              SHA1

              d41567acbbb0107361c6ee1715fe41b416663f40

              SHA256

              9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

              SHA512

              7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

              Download Submit

            • memory/848-135-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/848-113-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/1580-134-0x0000000000440000-0x0000000000441000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2124-21-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2124-0-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-66-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-138-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-100-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-78-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-65-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-64-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-145-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-136-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-137-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-43-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-139-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-140-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-141-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-142-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-143-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2444-144-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            • memory/2852-42-0x0000000000400000-0x00000000004CD000-memory.dmp

              Filesize

              820KB

              Download

            We care about your privacy.

            This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.