Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    157s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 01:13

General

  • Target

    09b4ea7dc4b3b2673f95343f88b03018.exe

  • Size

    20KB

  • MD5

    09b4ea7dc4b3b2673f95343f88b03018

  • SHA1

    76e98ed1bd23f05b16f5e1b347af7c9d464030b9

  • SHA256

    7afec4488ee587cefcfc10c3040edb80c3a94566acc4c5e32872ff7a723ad7c3

  • SHA512

    fbe05e422168656d423c4d7d4cf309987a794148431135d2150eda679d6c66ba0a1e4dc992b432baf8c9b3b250a625f9b5aa03f771e6426dda7fdead551488ea

  • SSDEEP

    384:m+WlGJGOuLcRcE/DyNBfpx1mLFDo+NMvAGwER4rZ0TtHV2WF05I:XJ9vyHIDoEWwt0TtHoWee

Score
8/10

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 34 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09b4ea7dc4b3b2673f95343f88b03018.exe
    "C:\Users\Admin\AppData\Local\Temp\09b4ea7dc4b3b2673f95343f88b03018.exe"
    1⤵
    • Sets service image path in registry
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\del.bat
      2⤵
        PID:2268
    • C:\Windows\SysWOW64\8977E857.EXE
      C:\Windows\SysWOW64\8977E857.EXE -g
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:4616

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\8977E857.EXE

      Filesize

      20KB

      MD5

      09b4ea7dc4b3b2673f95343f88b03018

      SHA1

      76e98ed1bd23f05b16f5e1b347af7c9d464030b9

      SHA256

      7afec4488ee587cefcfc10c3040edb80c3a94566acc4c5e32872ff7a723ad7c3

      SHA512

      fbe05e422168656d423c4d7d4cf309987a794148431135d2150eda679d6c66ba0a1e4dc992b432baf8c9b3b250a625f9b5aa03f771e6426dda7fdead551488ea

    • C:\Windows\SysWOW64\del.bat

      Filesize

      211B

      MD5

      92a8cf5691456eb6c973e9259ffba473

      SHA1

      85373a5214dbf30c870288a680ac3ea649f728ea

      SHA256

      37d817e9e64d5043deaa80706ae1bbfb1585396e5fb9d3380e7110938be24db9

      SHA512

      27ecad831be103087f58eff901e43ca0fc74394ee7c4bfb39d5bc0ee476d35a99dc3facc4103784e0f085c2f2c64fb12e8bae1a78c85f6484569b4d3d5881d33

    • memory/4072-0-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/4072-1-0x00000000005B0000-0x00000000005B1000-memory.dmp

      Filesize

      4KB

    • memory/4072-7-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/4072-8-0x00000000005B0000-0x00000000005B1000-memory.dmp

      Filesize

      4KB

    • memory/4616-6-0x0000000000880000-0x00000000008C0000-memory.dmp

      Filesize

      256KB

    • memory/4616-9-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/4616-10-0x0000000000880000-0x00000000008C0000-memory.dmp

      Filesize

      256KB