Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 22:01

General

  • Target

    1de1cece94d95a6b74b13a8d0a204ee8.exe

  • Size

    122KB

  • MD5

    1de1cece94d95a6b74b13a8d0a204ee8

  • SHA1

    64b6b2801be37a6ab2e22bac2994f63696a15de1

  • SHA256

    4351a80a48383ae440d4c53eb347e742f32bd40e675e7b5c31c675e20778819e

  • SHA512

    5718996d3dd4f089f955dbbdf8437ea61a7f03cdeb002865bbc0da284217396bac2318f6cece9500c32964be41105806ff5ccd0cc1ba1886eb94537bb1ba936e

  • SSDEEP

    3072:a8KfDP6rX2Gsttc0pL6R830bGoHt98G4EuEQYglj5:aBDP6rmGstD16RAojuEPOlj5

Score
8/10

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1de1cece94d95a6b74b13a8d0a204ee8.exe
    "C:\Users\Admin\AppData\Local\Temp\1de1cece94d95a6b74b13a8d0a204ee8.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im KSafeTray.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5000
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: GetForegroundWindowSpam
    PID:4552

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Windows Media Player\wupdmgr32.dll

    Filesize

    91KB

    MD5

    b5d0839d06a10ba4c454bcd086d8fe40

    SHA1

    740e5b648dd5b84354bd698baa5ce516dc74d7b9

    SHA256

    7ee78ed05bb881a008942e858796df2d62398385f4f4b92170e0215f231cf2ad

    SHA512

    6e5b8aaf677f0362bf0edbe1a1ee54c78fb14353642854a93dc3a68e82aa7acd5ed4e56a0eca3c2f3c6f1d00303e25516277a37c8bbec671212110ed285bb366

  • \??\c:\program files\windows media player\wupdmgr32.dll

    Filesize

    46KB

    MD5

    3604b78dc1984656cf79fc0f037247e7

    SHA1

    95858a35d1f3a7c0e17a7e3460622faad952318a

    SHA256

    1d040ffff40104076138bc4234fa942689ea4ac95f0f686a6f9038edbb68e3e1

    SHA512

    d71147ce599dad9e55c0fe92a81966b23fa4b55c7f339e927af578b123ea740d7a585faffa9ac2cb1059cc2dbc6d18fe08ccbd2d6de30c1033cd69e986d3a978

  • memory/4552-5-0x0000000010000000-0x000000001001E000-memory.dmp

    Filesize

    120KB

  • memory/4768-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/4768-3-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB