Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- Max time kernel: 1s
- Max time network: 134s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231215-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 26/12/2023, 11:12
Static task
- static1
Behavioral task
- behavioral1: Sample 69ea6c1bae15f0e9a51c6d7645b92119.exe, Resource win7-20231215-en
Behavioral task
- behavioral2: Sample 69ea6c1bae15f0e9a51c6d7645b92119.exe, Resource win10v2004-20231215-en
General
- Target: 69ea6c1bae15f0e9a51c6d7645b92119.exe
- Size: 13.0MB
- MD5: 69ea6c1bae15f0e9a51c6d7645b92119
- SHA1: 889d92a7c1728764aaa5d54cc134a113647f16b4
- SHA256: 072ff816b2373bd6ab07298e3653d98c84b6a897ef17fc8002873edd9dff7e2e
- SHA512: 51688cea0e7b75febda3617850401ae1813603fc543d96c67adb7ea08c5f470192dd25086ab8a30087dc32356171b6c8e5d48c3aaaefc80402826e33a376505c
- SSDEEP: 24576:bgdy5yNM4444444444444444444444444444444444444444444444444444444g:
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  PID 4980: netsh.exe
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  PID 1564: sc.exe; PID 2648: sc.exe; PID 1996: sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2220  4180        WerFault.exe  16
  4596  4528        WerFault.exe  99
Processes
- C:\Users\Admin\AppData\Local\Temp\69ea6c1bae15f0e9a51c6d7645b92119.exe (PID: 4180)
  Command line: "C:\Users\Admin\AppData\Local\Temp\69ea6c1bae15f0e9a51c6d7645b92119.exe"
  - C:\Windows\SysWOW64\cmd.exe (PID: 4720)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xnlszln\
  - C:\Windows\SysWOW64\cmd.exe (PID: 2208)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ddwjvsrt.exe" C:\Windows\SysWOW64\xnlszln\
  - C:\Windows\SysWOW64\sc.exe (PID: 1564)
    Command line: "C:\Windows\System32\sc.exe" create xnlszln binPath= "C:\Windows\SysWOW64\xnlszln\ddwjvsrt.exe /d\"C:\Users\Admin\AppData\Local\Temp\69ea6c1bae15f0e9a51c6d7645b92119.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID: 2648)
    Command line: "C:\Windows\System32\sc.exe" description xnlszln "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID: 1996)
    Command line: "C:\Windows\System32\sc.exe" start xnlszln
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID: 4980)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe (PID: 2220)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 1228
    Signatures: Program crash
- C:\Windows\SysWOW64\xnlszln\ddwjvsrt.exe (PID: 4528)
  Command line: C:\Windows\SysWOW64\xnlszln\ddwjvsrt.exe /d"C:\Users\Admin\AppData\Local\Temp\69ea6c1bae15f0e9a51c6d7645b92119.exe"
  - C:\Windows\SysWOW64\WerFault.exe (PID: 4596)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 512
    Signatures: Program crash
  - C:\Windows\SysWOW64\svchost.exe (PID: 3816)
    Command line: svchost.exe
- C:\Windows\SysWOW64\WerFault.exe (PID: 2196)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4180 -ip 4180
- C:\Windows\SysWOW64\WerFault.exe (PID: 4380)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4528 -ip 4528
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 92KB
  MD5: edcb268f9fefdd9145ae3b85ec74b5b4
  SHA1: b211fc605bf72b8c196fa8ae6e4b45de1f9e29a2
  SHA256: b2355d70b2c747c7ae0845a4654e89b3e8a32af9f134cbfcb00e1f4be9c99538
  SHA512: ea5486a0050398058085418fa02c1ab0cac21945b19350f084a872b6502ee9e8ce68004b74e272bb9b40938085ca63c869556525f5702ceafc5c93b64888d300