Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

SecuriteIn...38.exe

windows7-x64

5

SecuriteIn...38.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    15/11/2023, 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.RATX-gen.5138.exe

  • Size

    782KB

  • MD5

    9bb7f3b0c32cc58c27054de628206cee

  • SHA1

    5fd5e46dc9a53b5af49fcac45f52d3ccd60114b4

  • SHA256

    a999fa0b2c139c85ebb6a33cc1785777a333ee9b491ca696d776887f6d0400bc

  • SHA512

    fb21b4e0c1466c16e75b28e716c13b000c3a5a093e1693f73806520522833618904ec5968f3c57a9264159002f34738c78e356eb06aaccd8ba95f047198e500e

  • SSDEEP

    12288:DSprtFnXkIxN/9PCfsC6jf0ftLoydvr8yj2+/DV+3:6pF0AN/S2fstsyw+

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.5138.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.5138.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NDcHssmvHjwDQe.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NDcHssmvHjwDQe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D12.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2812
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.5138.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.5138.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 36
        3⤵
        • Program crash
        PID:1652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1D12.tmp
    Filesize

    1KB

    MD5

    a745dffb9b5be5564f34262abd9f14b9

    SHA1

    61f1a675d50f75316a35325610813249fdf10199

    SHA256

    080fb6ee059631bbade959b8b49d1bd80ddc86186302330af15f930b8b906a85

    SHA512

    100fea6d38fb81414c738b1d7dc6604d832dbff8b37916bf2f33c03939eb62f96cb78b7d167cdcefda4ff147266df1902bd36692e918015424769bf5007dfbdc

    Download Submit

  • memory/2696-26-0x00000000741B0000-0x000000007475B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2696-25-0x00000000025E0000-0x0000000002620000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2696-24-0x00000000025E0000-0x0000000002620000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2696-23-0x00000000025E0000-0x0000000002620000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2696-22-0x00000000741B0000-0x000000007475B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2696-21-0x00000000741B0000-0x000000007475B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2796-17-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2796-13-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2796-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2796-28-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2796-27-0x0000000000990000-0x0000000000C93000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2796-14-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2880-6-0x00000000740E0000-0x00000000747CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2880-7-0x0000000004740000-0x0000000004780000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2880-5-0x0000000005430000-0x00000000054AE000-memory.dmp

    Filesize

    504KB

    Download

  • memory/2880-4-0x0000000000340000-0x000000000034A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2880-3-0x0000000000330000-0x0000000000346000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2880-2-0x0000000004740000-0x0000000004780000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2880-1-0x00000000740E0000-0x00000000747CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2880-18-0x00000000740E0000-0x00000000747CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2880-0-0x00000000011E0000-0x00000000012AA000-memory.dmp

    Filesize

    808KB

    Download