Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
1s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
29/12/2023, 20:40
Static task
static1
Behavioral task
behavioral1
Sample
0367b08d1b72bd3d0fdca7de187b9dc6.exe
Resource
win7-20231215-en
General
-
Target
0367b08d1b72bd3d0fdca7de187b9dc6.exe
-
Size
4.4MB
-
MD5
0367b08d1b72bd3d0fdca7de187b9dc6
-
SHA1
8fb04d525032edd7cabaf50af9f493ee04c58a48
-
SHA256
a951b0a48877f40e9630d1a4a8f5f37f8b376800e185d4c70e241917249cf48e
-
SHA512
14d03cf0d3564a1337fca87c16ad1df08687c5daa431f406dc1492d00a0985333fd1f59e3c521b67211c7f25af60b417042ca88e3b436ffe4ebc4ab566af44f6
-
SSDEEP
98304:8Iu065i558It90eELh3/9QAtK6QqASVUFhm7aRVpAvHfWK1kIqKlbSs5tT1gArJR:c0ui558I8eyh3VVCqARFhGO+OsoKnJdb
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
-
Glupteba payload 12 IoCs
resource yara_rule behavioral2/memory/3284-2-0x00000000049E0000-0x0000000005306000-memory.dmp family_glupteba behavioral2/memory/3284-3-0x0000000000400000-0x00000000027D9000-memory.dmp family_glupteba behavioral2/memory/3664-6-0x0000000000400000-0x00000000027D9000-memory.dmp family_glupteba behavioral2/memory/3664-7-0x0000000004920000-0x0000000005246000-memory.dmp family_glupteba behavioral2/memory/3284-8-0x0000000000400000-0x00000000027D9000-memory.dmp family_glupteba behavioral2/memory/3664-17-0x0000000000400000-0x00000000027D9000-memory.dmp family_glupteba behavioral2/memory/4944-20-0x0000000000400000-0x00000000027D9000-memory.dmp family_glupteba behavioral2/memory/4944-21-0x0000000000400000-0x00000000027D9000-memory.dmp family_glupteba behavioral2/memory/4944-28-0x0000000000400000-0x00000000027D9000-memory.dmp family_glupteba behavioral2/memory/4944-29-0x0000000000400000-0x00000000027D9000-memory.dmp family_glupteba behavioral2/memory/4944-30-0x0000000000400000-0x00000000027D9000-memory.dmp family_glupteba behavioral2/memory/4944-31-0x0000000000400000-0x00000000027D9000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 4816 netsh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3740 3284 WerFault.exe 15 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4740 schtasks.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 28 Go-http-client/1.1
Processes
-
C:\Users\Admin\AppData\Local\Temp\0367b08d1b72bd3d0fdca7de187b9dc6.exe"C:\Users\Admin\AppData\Local\Temp\0367b08d1b72bd3d0fdca7de187b9dc6.exe"1⤵PID:3284
-
C:\Users\Admin\AppData\Local\Temp\0367b08d1b72bd3d0fdca7de187b9dc6.exe"C:\Users\Admin\AppData\Local\Temp\0367b08d1b72bd3d0fdca7de187b9dc6.exe"2⤵PID:3664
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵PID:4444
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
PID:4816
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /124-1243⤵PID:4944
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
PID:4740
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵PID:5044
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 9162⤵
- Program crash
PID:3740
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3284 -ip 32841⤵PID:1680
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD5ab69c4c4f2a4cb1639193eda360e9b02
SHA1f64bf39052207a29696c08187c3f93926f1325e5
SHA256720f92eea10156eff606fb38ca1c77ec386674851e98756a3a2e116b7103c616
SHA512e0f0604ee712f4182d2015a653eaca9964e952f9010abf81b7408536fcba84d4cf5b39c11f76d3a01c73d22084b7d54f201d44b3cb04935f48f0fb2d1ae5bb7d