Analysis

  • max time kernel: 147s
  • max time network: 153s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19/12/2023, 11:07

General

  • Target: bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe
  • Size: 756KB
  • MD5: d7be2192fc7cb22db8a2acdbf4bbdafe
  • SHA1: 89d97962f8d193fcb91402574046304fbfe2e89f
  • SHA256: bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324
  • SHA512: e0da02125907eade276c6489af7bccfae29ab6d07a7936dc59d3fd041d723e2840a57197fea5ba11425c37f6fe0f36570610e13ce2d7ace7823955416de6d799
  • SSDEEP: 12288:FNpszYhvXWSVJdMae3mUJUTOMsa+0zNOabK3ghMZtc6NS+0Ulk287/k/MjuLle:7hvJVJdMa1+wOmK3gglSjUlkVzuLs

Malware Config

Extracted

  • Family: metasploit
  • Version: windows/reverse_tcp
  • C2: 103.116.46.219:25566
  • C2: 218.89.171.148:55472

Extracted

  • Family: metasploit
  • Version: encoder/shikata_ga_nai

Signatures

  • MetaSploit

    Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.

  • Manipulates Digital Signatures (1 TTPs, 3 IoCs)

    Attackers can use techniques such as modifying the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (4 IoCs)
  • UPX packed file (6 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (33 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe
    "C:\Users\Admin\AppData\Local\Temp\bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.com.exe.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\SysWOW64\certutil.exe
        certutil -f -decode t "C:\Users\Admin\AppData\Local\Temp\file.com.exe"
        3⤵
        • Manipulates Digital Signatures
        PID:5084
      • C:\Windows\SysWOW64\explorer.exe
        explorer "C:\Users\Admin\AppData\Local\Temp\file.com.exe"
        3⤵
        PID:1852
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Users\Admin\AppData\Local\Temp\file.com.exe
        "C:\Users\Admin\AppData\Local\Temp\file.com.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:5048
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.com.cmd" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3808
          • C:\Windows\SysWOW64\certutil.exe
            certutil -f -decode t "C:\Users\Admin\AppData\Local\Temp\file.com"
            4⤵
            PID:2760
            • C:\Windows\SysWOW64\explorer.exe
              explorer "C:\Users\Admin\AppData\Local\Temp\file.com"
              4⤵
            PID:4636
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:3260
          • C:\Users\Admin\AppData\Local\Temp\file.com
            "C:\Users\Admin\AppData\Local\Temp\file.com"
            2⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2308
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\run.cmd" "
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3936
              • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Windows.exe
                windows.exe
                4⤵
                • Executes dropped EXE
                PID:3900
              • C:\Users\Admin\AppData\Local\Temp\RarSFX2\dllconfig.exe
                dllconfig.exe
                4⤵
                • Executes dropped EXE
                PID:1492

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.com.exe.bat
    Filesize: 751KB
    MD5: 3726d753ff0d8eff5ed191dd3e691cdb
    SHA1: 6f92ea3e223d0e0f83e3c9482d521c57cb675792
    SHA256: 3101c401613b73efc4f018bcd7067c90a4eb2100808e2f5c405783cb04783c3d
    SHA512: 694bbdc04ffb60ad9e5ba3611114294495ec739fa0ee2db8b550f8629aa18c19a85643f0b17cdebae28f73434be817b0e4da256167e46d7341a0aae6152cab9e

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\t
    Filesize: 367KB
    MD5: 67c8e63deb6c078d21d5b51cc352d1ca
    SHA1: 0320d0d2ae3695210c9b73fc42ed6111572832e4
    SHA256: 3cd1532c0bf43cd22485796bd2d4c567162cfa66c2b21b1ae0412a042ec63df3
    SHA512: 7abad340e1ebb72ecb58c2c9773651e41bf1323ab8efe10de635e4f9c07c325fea46767e78b225b7bf75ff407e06c1788431ae23e75843b7afa9d49ca05a1053

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\t
    Filesize: 749KB
    MD5: 52feed6878ee4648dbe6fe21671782b3
    SHA1: 9bfedc2898e0904291b3294c8c2fbd328d6e7592
    SHA256: 1a6aba3bdad682a3d67e655daee95b7635715b82ebaad9bc3e95223bbb2003a6
    SHA512: fb5588e0a59aeb0f4219da6f666e289d911ab0cde488c9ca8baff1885ef94ad17b90f3c924a2ca3b5b023258bca34a2ed8f758fd687566d191a531fcc2a66af8

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.com.cmd
    Filesize: 499KB
    MD5: 683f6a743715e2304c53a8216f54da97
    SHA1: 8d059b0c1d1ff7fe33591aa2de99f97b4555a452
    SHA256: a35f181237e0c0d58190273ba28d2b16ad59e219be2d30ee899e59a987141e2f
    SHA512: c2db4926ae4bb2e747c0c0d14c6ba6355c0f16fe1d00d9808d56984d2200f5a6270030c3c45065d95b1613db78c979ead237fb314509ee326e0c2af51a1bd764

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\t
    Filesize: 499KB
    MD5: fd1fe327e8242e77b8f3b039bd242dd4
    SHA1: 9ea5fce9835cdabae4793270d0c5a8bf30f30923
    SHA256: aa01cf95e330e3b70ec26b55037e89a25dfd252e17a72212fc95a07ec4670a87
    SHA512: 76d292babf665af7d9d674357d017ff56e717f9dea92d4528f776c90844a3a94d01ed3684450793e144d822a530eecd357205182c0e01e8e62325fec4cfdaa44

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Windows.exe
    Filesize: 46KB
    MD5: 142939c71fb5bb7f9b43cfb38ccf8729
    SHA1: 4065f081a84aff314de93c731f5f9d86dc0296dd
    SHA256: fd1e05704a4a3aa355d6b59fd59a67258d7e86ffebe1de9827f29bf7f9ed8745
    SHA512: 1792957fb4677d343074cae9483fac221ab056ab1206e6f0a79e8c7d390f93ef3932e1acaac31f2eb7a62ba1a18d5800f2532ed8c4206c386693fc5beb4990d6

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\dllconfig.exe
    Filesize: 47KB
    MD5: 65cb5055b52b89de9fc06d9679bb860d
    SHA1: 0e410332ecfe02b8391f2d373c89f7329a74fa51
    SHA256: b03f2f13751ea9600df21aa695180640224c78d37b49101711c0f725a798238c
    SHA512: 861696f02856ae6a35b29b4e5c23a4cdaaf82086f8d59a32b1c6fed7dedc9c1162020dc91392b187c05ae774ab7a81cb5f8ff37d86ea20dd58023cf755375e8c

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\run.cmd
    Filesize: 79B
    MD5: c2f14c0bfe13eab879fa3eaefc4dff8a
    SHA1: 89e463f1204b5dd8615c45a8ee1f1f960a91ac1e
    SHA256: 57dbff3fb9b8241c8f5dedaac6b5d9c4b74740636be861ed40a56033f08874a0
    SHA512: a7ebc4bd37bcc0d41a3d4d55485182e97d0a1fcc1a19c71a24a1a9c457efeb1650bc5dc974b7c73ba47944cb65b966e843c8f5b084763dc6efd4e0b08067f124

  • C:\Users\Admin\AppData\Local\Temp\file.com
    Filesize: 374KB
    MD5: c506d5cf8cb8a67ca80e423dd7d917ce
    SHA1: efe86b94dbb383c406bfd4264b5edf14563336fb
    SHA256: cdc0053912e880b4a31e8eb6da01cf65be7271c30a9a67bdb1626c2134920ee6
    SHA512: bb3046fcc87566bf781dd23752cea03fd7f0f6e3d9a4b3fd4172d9d011d3b61850f6c6eb978801b49a6109a2b25d9bbd5c0169eb842d088758bf25f45fe2b21e

  • C:\Users\Admin\AppData\Local\Temp\file.com.exe
    Filesize: 562KB
    MD5: 89c2e2e6a0b38063c3e2eebd9f232d03
    SHA1: e7a9f62bb388be0907ac6f164fae30ac5d28f014
    SHA256: 63b69c5d87b82422864376aa2d1a7e3e8bc90891ace200f33ccc0da7e3f680d2
    SHA512: 6bfbcaa3cd0ad82ed7d08bc7948231ffb778b93a40604bc53adc8c58344a1cc2adbc80ea42b613ffe5f0c923e50475a5d9e4ba4cff4cb65a98ea698d5348a715

  • memory/1492-192-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize: 100KB

  • memory/1492-193-0x0000000000450000-0x0000000000451000-memory.dmp
    Filesize: 4KB

  • memory/1492-196-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize: 100KB

  • memory/3900-187-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize: 100KB

  • memory/3900-188-0x0000000000730000-0x0000000000731000-memory.dmp
    Filesize: 4KB

  • memory/3900-195-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize: 100KB