Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

03cd9e8171...7e.exe

windows7-x64

10

03cd9e8171...7e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    161s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 03:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03cd9e81719c06c5c8a29cdcfac3ae7e.exe

  • Size

    548KB

  • MD5

    03cd9e81719c06c5c8a29cdcfac3ae7e

  • SHA1

    95d18fc034c40fcea3cd6f4b72ed9e4d29e858bb

  • SHA256

    73fb68e2ea01ff336c410d3b98c7d3e4c8e48c1565bcc50be7f262b58726d9e7

  • SHA512

    da4bedf781a2adb08674cf88c79fe12e24689b0c532c30c70ae26c35727dafe082457e637ba1c8f9b34def7f998bf37d725ddef96bc0c584a9e7090bb5febc90

  • SSDEEP

    6144:kB/RFtlUYA5xHtSl8rVj+8GkYJTIRT68O:8lWjt+8WWTK

Score
10/10
bootkitevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe
    "C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe
      "C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe"
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4272
      • C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe
        "C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Adds Run key to start application
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\lsass.exe" CityScape Enable
          4⤵
          • Modifies Windows Firewall
          PID:1184
        • C:\Users\Admin\AppData\Roaming\lsass.exe
          /d C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3620
          • C:\Users\Admin\AppData\Roaming\lsass.exe
            /d C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe
            5⤵
            • Executes dropped EXE
            • Writes to the Master Boot Record (MBR)
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4036
            • C:\Users\Admin\AppData\Roaming\lsass.exe
              /d C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe
              6⤵
              • Modifies WinLogon for persistence
              • Deletes itself
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetWindowsHookEx
              PID:4784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\gBvtBuUl
    Filesize

    39KB

    MD5

    d1bbe8fd8bd9e7ed2ec004ee4e9374fb

    SHA1

    d6703c078fde949cd8e018dc534dc664d4a5e370

    SHA256

    9fb53875763ec95f6cd372124b48eb859ae0f83613839f77f30ff838aab78cac

    SHA512

    16ccff8d43acc20b3dde05303dc41d48b6e853e05bbeba16efe6a61ce4b9ce230781d7a0f0c12ae52968406788653cb7d7b8fad42a29422b80081dbe7df84f9c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\lsass.exe
    Filesize

    548KB

    MD5

    cb267aa747c53b9ffc8d8e28674b0a89

    SHA1

    9d9bafaab2e2d205a036023e3e9cd07f69eacdc5

    SHA256

    9b8b4aa2fd479723cadd603f7bce0046f394fc0387f182c80ce502292728aaf7

    SHA512

    d65386d7874e536dee87adafb67e3b704df8613af42014b60ded50214ddde04834de3436ad0ec3b6b63e3f704b1e7446db2d3c56a5a0097b45aae9596100b3b9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\lsass.exe
    Filesize

    196KB

    MD5

    79532dbf82b065806a0efbd0fd966ef7

    SHA1

    dec7fbff12d6e765fe9d7d630228655b3e0e7fd4

    SHA256

    de5503bd919ce1783fb339dc95c7fef45ddd4c20ffb62e9bed788b53a33c9e1b

    SHA512

    dbe466f92d306d9d3b7996f5bece9ba1a6c512036c86c7137b50f3317823849aad8878789bfb10fb41be43e78778ca0d9e20f056b287726f78f693e1a7214f25

    Download Submit

  • memory/2332-7-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2332-9-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2332-33-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4036-47-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4272-2-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4272-4-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4272-11-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4784-49-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4784-50-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4784-51-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4784-52-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4784-53-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4784-54-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4784-55-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4784-56-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4784-57-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4784-58-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4784-59-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4784-60-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download