Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    39s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2023, 08:24

General

  • Target

    5f9127245473fbfdab735869bce40d88.exe

  • Size

    484KB

  • MD5

    5f9127245473fbfdab735869bce40d88

  • SHA1

    4960afd3e5e88ec967973248b93b97a4743fa5d1

  • SHA256

    9bff283edf384a62a8aab5d2827b1c8fd4514746fc7f2c3ce688a34b419a1a86

  • SHA512

    4299e96e65b96b78bb84896c84fadcf321c7afff31b926988ca2ea0478f61724f015ac583b5a19bab6d3f3ae35a56cf31749478cb13ae8e5011e35438046f4b1

  • SSDEEP

    12288:hoUld/f2I9JECdYW4/e4Pii15XZSAmKjlafbdDNUQ:R92ILECd0R15XZS3QafpDNUQ

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f9127245473fbfdab735869bce40d88.exe
    "C:\Users\Admin\AppData\Local\Temp\5f9127245473fbfdab735869bce40d88.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Users\Admin\LB9c4j3K.exe
      C:\Users\Admin\LB9c4j3K.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4516
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del LB9c4j3K.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4896
      • C:\Users\Admin\jiizob.exe
        "C:\Users\Admin\jiizob.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1496
    • C:\Users\Admin\bshost.exe
      C:\Users\Admin\bshost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
          PID:2792
      • C:\Users\Admin\aahost.exe
        C:\Users\Admin\aahost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4892
      • C:\Users\Admin\dyhost.exe
        C:\Users\Admin\dyhost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:532
      • C:\Users\Admin\ekhost.exe
        C:\Users\Admin\ekhost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:392
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe
          3⤵
            PID:4764
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del 5f9127245473fbfdab735869bce40d88.exe
          2⤵
            PID:3364
        • C:\Users\Admin\aahost.exe
          "C:\Users\Admin\aahost.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4288
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          1⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:392
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          1⤵
          • Enumerates processes with tasklist
          PID:4720
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          1⤵
          • Enumerates processes with tasklist
          PID:4912

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\LB9c4j3K.exe

          Filesize

          92KB

          MD5

          5fc8235bf7463fc8dc2dbfbc5071487b

          SHA1

          e8d816dc0fb397484883c13a48208508ccf73519

          SHA256

          bd16d2f2758c6e5b79e2fe9255412c1691c0c23deeed52779fdf7a9600abf277

          SHA512

          0f78d9897584b3f4ca2629bdfad0d95830521235e933cfc780e60a6fcec6c2f4a80a1816f28aa33457ebeffbf887510e3ffc9037a1284e3a47f4e6bb88b36bdf

        • C:\Users\Admin\calc.exe

          Filesize

          764KB

          MD5

          e381b04abf596ed1573154cd41f418dc

          SHA1

          2ad1df7bebf1e4c0715adbf76c8c14b9162edf2e

          SHA256

          02b08664fcc196f15ff0e33e7ed43e9e78af7b564e3f7c5388dd7d0267905fe6

          SHA512

          44307e60bdc804b3abe710a21e2268960dcc9d29671cf8ce723e40721b6b38ae338c49cd1b9cfd4fa8fa4f644cc80414baeb70f136f39f73833f8373f8180858

        • C:\Users\Admin\ekhost.exe

          Filesize

          24KB

          MD5

          9fe0e5252dc24fc1788b0d8b26026807

          SHA1

          21e3063a0fac1157b9707861048c5f7fbd070ceb

          SHA256

          9c99c968d969c2d5c1570c6066957d726bc19ffe9e0562242ce1bf79514c1b40

          SHA512

          613f5c821dfcef8124ecb7c9b118cda14be4d72a26f1a21ffde81c4d8aae4f315740d66c298e5963b0647f0ecd9e2d63d9bbb8df4e0c731019896e7ac0391d5c

        • C:\Users\Admin\jiizob.exe

          Filesize

          92KB

          MD5

          2812aff3bc179ef18e550ea16f5af933

          SHA1

          ee409fd42b7d44eeb284fe93a3a2127c7a5cc0ed

          SHA256

          948363a98a1aa03c9c593029f6f6a54156589c4681fd88c157da9c87d2ad0f78

          SHA512

          6375096e708fff88019679bb215b074e47f58eab67fe51e9d64e4d62839534a74a05def573c47d8f8964f19fb7deaa60997d8420c1fd51279f828fa2129fbb3f

        • memory/4288-47-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/4288-52-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/4288-55-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/4288-50-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/4940-61-0x0000000000400000-0x0000000000444000-memory.dmp

          Filesize

          272KB

        • memory/4940-65-0x0000000000400000-0x0000000000444000-memory.dmp

          Filesize

          272KB

        • memory/4940-64-0x0000000002560000-0x0000000002561000-memory.dmp

          Filesize

          4KB

        • memory/4940-63-0x0000000002510000-0x0000000002554000-memory.dmp

          Filesize

          272KB

        • memory/4940-62-0x0000000000400000-0x0000000000444000-memory.dmp

          Filesize

          272KB

        • memory/4940-68-0x0000000000400000-0x0000000000444000-memory.dmp

          Filesize

          272KB

        • memory/4940-60-0x00000000021C0000-0x00000000021C1000-memory.dmp

          Filesize

          4KB

        • memory/4940-59-0x0000000000400000-0x0000000000444000-memory.dmp

          Filesize

          272KB