Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    25/12/2023, 04:05 UTC

General

  • Target

    04758d397c81638f9146e4b54849e68f.exe

  • Size

    220KB

  • MD5

    04758d397c81638f9146e4b54849e68f

  • SHA1

    61c42b655952a846737e079f72c83e73f05d3c29

  • SHA256

    727f09e37d8f54a1ede12bf8bc0ce9f8edddcd6d130e6a0802963cfc60ec8c17

  • SHA512

    c393087274f282686124bc445460426241231ff7b95afb76ea8146836e77b0123baecc248734d78034618d812e3ffe9613b50567b545b36694ea9f25d6e997d4

  • SSDEEP

    3072:yOkEXFtVI7huijyivefSjIeVXcJZn+ehHcNeBS1SNmiH3jDfRtoJpUCIwZ1ApqKw:fkEXFtV6nFxXcJZkNe6fQB2zUDw

Score
8/10

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04758d397c81638f9146e4b54849e68f.exe
    "C:\Users\Admin\AppData\Local\Temp\04758d397c81638f9146e4b54849e68f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\SysWOW64\CmD.exe
      CmD /c copy "C:\Users\Admin\AppData\Local\Temp\04758d397c81638f9146e4b54849e68f.exe" "C:\Users\Admin\AppData\Local\Temp\04758d397c81638f9146e4b54849e68f.exe.exe"
      2⤵
        PID:3012
      • C:\Windows\SysWOW64\CmD.exe
        CmD /c ""C:\Users\Admin\AppData\Local\Temp\04758d397c81638f9146e4b54849e68f.exe.exe" /okoarg > "C:\Users\Admin\AppData\Local\Temp\w3oko.bat""
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Users\Admin\AppData\Local\Temp\04758d397c81638f9146e4b54849e68f.exe.exe
          "C:\Users\Admin\AppData\Local\Temp\04758d397c81638f9146e4b54849e68f.exe.exe" /okoarg
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Drops file in System32 directory
          PID:2840
      • C:\Windows\SysWOW64\cMd.exe
        cMd /c "C:\Users\Admin\AppData\Local\Temp\w3oko.bat"
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2060
        • C:\Windows\SysWOW64\reg.exe
          reG aDd "hklm\SOFTWARE\Microsoft\Internet Explorer\Main" /v TP /t ReG_Sz /d 1000 /f
          3⤵
          • Modifies Internet Explorer settings
          PID:2688
        • C:\Windows\SysWOW64\netsh.exe
          NetSh FIReWAlL Add allOweDPrOgrAm naMe="BlueSoleil OKO" prOGram="C:\Windows\system32\svchost.exe" mode=ENABLE
          3⤵
          • Modifies Windows Firewall
          PID:2576
        • C:\Windows\SysWOW64\netsh.exe
          nETsH fIrEwaLl aDD pOrToPEnIng tcP 8085 "OKOToGate" eNABLe
          3⤵
          • Modifies Windows Firewall
          PID:2644
        • C:\Windows\SysWOW64\sc.exe
          Sc CreATe "cpqoko6" tyPE= share start= auto binPaTh= "C:\Windows\system32\svchost.exe -k tapisrvs" DisplayName= "Service Serenum Temporary CPL Search HID Bluetooth SyncMgr"
          3⤵
          • Launches sc.exe
          PID:2072
        • C:\Windows\SysWOW64\reg.exe
          rEg adD "hkLm\sYsTEm\CuRrenTcoNtRoLSeT\seRvIcES\cpqoko6\Parameters" /v ServiceDll /t ReG_EXpaND_Sz /d "C:\Windows\system32\erokosvc.dll" /f
          3⤵
          • Sets DLL path for service in the registry
          PID:3036
        • C:\Windows\SysWOW64\reg.exe
          rEg adD "hkLm\sYsTEm\CuRrenTcoNtRoLSeT\seRvIcES\cpqoko6" /v FailureActions /t rEG_BInaRY /d 00000000000000000000000003000000140000000100000060EA00000100000060EA00000100000060EA0000 /f
          3⤵
            PID:2400
          • C:\Windows\SysWOW64\reg.exe
            ReG adD "hklm\SOfTwaRe\mIcrOSoFt\WiNdoWs nt\CURrENtveRSiOn\svcHoSt" /v tapisrvs /t rEg_mULti_sz /d "cpqoko6\0" /f
            3⤵
              PID:2068
            • C:\Windows\SysWOW64\sc.exe
              sc start "cpqoko6"
              3⤵
              • Launches sc.exe
              PID:456
            • C:\Windows\SysWOW64\sc.exe
              sc boot ok
              3⤵
              • Launches sc.exe
              PID:1728
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /flushdns
              3⤵
              • Gathers network information
              PID:2556
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\SysWOW64\svchost.exe -k tapisrvs
          1⤵
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:1056

        Network

          No results found
        • 127.0.0.1:8085
          04758d397c81638f9146e4b54849e68f.exe
        No results found

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\w3oko.bat

          Filesize

          1KB

          MD5

          fb18f8577093aac5c56b2944f6ab2f5d

          SHA1

          461fce72325f0c87dd5b6b06df0a0811ded9d319

          SHA256

          1d990e5397cfd57eafb5bc8e0832a8ee7c59b71606cdab31f232e6a15e4450dc

          SHA512

          31f94379808b73d5e0e0b0a2ad2abd2f8abaa1481edd8cc0d18ec131a88ebc1a2cdb5b1fafb4d82775a286c4c2c06d119170bf19e10f09e77fd9cd2761de7b49

        • \Users\Admin\AppData\Local\Temp\04758d397c81638f9146e4b54849e68f.exe.exe

          Filesize

          220KB

          MD5

          04758d397c81638f9146e4b54849e68f

          SHA1

          61c42b655952a846737e079f72c83e73f05d3c29

          SHA256

          727f09e37d8f54a1ede12bf8bc0ce9f8edddcd6d130e6a0802963cfc60ec8c17

          SHA512

          c393087274f282686124bc445460426241231ff7b95afb76ea8146836e77b0123baecc248734d78034618d812e3ffe9613b50567b545b36694ea9f25d6e997d4

        • \Windows\SysWOW64\erokosvc.dll

          Filesize

          118KB

          MD5

          14947076c826c1ae5cb965cd1bd2efcb

          SHA1

          550a0115ad401ce0c37ec45de94c9004ff46cc4b

          SHA256

          f49a73b3006891c7fcf38157f3923c44fe89e4f298429b2df6139c2e2964f9e0

          SHA512

          6cf84506bc1e8c045e61eea107c36809f246d1a535d01d77760f8cba3e57a32028254fc053afae30342f18adb164b3fb10bdcbeb0c3520923a16d9b7f1c19169