Analysis

  • max time kernel
    1s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/12/2023, 22:08

General

  • Target

    05372c03964f5518f75f4437ec3bc43e.exe

  • Size

    24KB

  • MD5

    05372c03964f5518f75f4437ec3bc43e

  • SHA1

    125b39aeea6cf86b83b33749df1ed87a12ea87d8

  • SHA256

    34ae2caccb715a14cf00fb02408129b6d41866840ef506e62c27bd74e3463a76

  • SHA512

    96cb061a13099f996d9110337fd4643f58db009d0cff584a8368f1bcdff4299f6f0161583718f4320371db57be6aad44af8a395d8516be0fd67b2a38e247a938

  • SSDEEP

    768:S6X7x2WJl0hDdwyTY/9fqaUoKWjdwD33e9XtvWsrAF:S6l2W/0hDCiwysKWj99/a

Score
1/10

Malware Config

Signatures

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05372c03964f5518f75f4437ec3bc43e.exe
    "C:\Users\Admin\AppData\Local\Temp\05372c03964f5518f75f4437ec3bc43e.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5052
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop KWhatchsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3264
      • C:\Windows\SysWOW64\net.exe
        net stop KWhatchsvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3192
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop KWhatchsvc
          4⤵
          PID:2124
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop "Norton AntiVirus Server"
      2⤵
      PID:3848
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop "McAfee Framework 服务"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4860
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop KPfwSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4752
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop McShield
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2568
    • C:\Windows\SysWOW64\360safe.pif
      C:\Windows\system32\360safe.pif
      2⤵
      PID:2740
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\packet.dll /e /p everyone:f
      2⤵
      PID:2268
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\pthreadVC.dll /e /p everyone:f
      2⤵
      PID:4612
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f
      2⤵
      PID:2176
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f
      2⤵
      PID:1624
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f
      2⤵
      PID:216
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\acpidisk.sys /e /p everyone:f
      2⤵
      PID:116
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\wanpacket.dll /e /p everyone:f
      2⤵
      PID:1692
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Documents and Settings\All Users\「开始」菜单\程序\启动 /e /p everyone:f
      2⤵
      PID:3676
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
      PID:4268
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4268 CREDAT:17410 /prefetch:2
        3⤵
        PID:4004
  • C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McShield
    1⤵
    PID:1336
  • C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop KPfwSvc
    1⤵
    PID:4836
  • C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfee Framework 服务"
    1⤵
    PID:3280
  • C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton AntiVirus Server"
    1⤵
    PID:3384
  • C:\Windows\SysWOW64\net.exe
    net stop "Norton AntiVirus Server"
    1⤵
    PID:2396
  • C:\Windows\SysWOW64\net.exe
    net stop "McAfee Framework 服务"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2240
  • C:\Windows\SysWOW64\net.exe
    net stop KPfwSvc
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4224
  • C:\Windows\SysWOW64\net.exe
    net stop McShield
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:948
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
    1⤵
    PID:332
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:332 CREDAT:17410 /prefetch:2
      2⤵
      PID:3908

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{92707C53-1BD2-11D7-8185-5A16FF4F52D9}.dat

    Filesize
    5KB

    MD5
    cc80019b632b7885b604d4634cf75022

    SHA1
    846ef4d333513735236b1032122f7631dbf9181f

    SHA256
    f116da1dafc314cf5cd571e06e7d228d3668c360558be1d612073317d8dcc576

    SHA512
    b1b539a33984ac1e53665a15437c64ca3237f90af40a0a8fc304699c84ec94173becb25898df1816fab06b91f930d6733e2dbab6c9c83294d7be902583116d93

  • C:\Windows\SysWOW64\360safe.pif

    Filesize
    4KB

    MD5
    21030b4622c2d5fa072346e408c71918

    SHA1
    9687c92d5afb5a342a9afa8e34a451d8724c84bc

    SHA256
    0a115ea56b1eaa9c9f26302027dcc6f788156eae9f346fc6fe74dd877193f701

    SHA512
    915150eff3679d7cc2d7915de1bf91396b9db30716ac796b89f7d49484383a5ab1cdd815faec5b1004d438126e7f1560737b7b9f8c35efb5b3d8abf9304deda4

  • memory/5052-0-0x0000000013140000-0x000000001315B000-memory.dmp

    Filesize
    108KB

  • memory/5052-1-0x0000000002140000-0x0000000002240000-memory.dmp

    Filesize
    1024KB

  • memory/5052-6-0x0000000013140000-0x000000001315B000-memory.dmp

    Filesize
    108KB

  • memory/5052-7-0x0000000002140000-0x0000000002240000-memory.dmp

    Filesize
    1024KB