Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 11:52

General

  • Target

    179c225bcff75d26ca4577d77732f67d.exe

  • Size

    26KB

  • MD5

    179c225bcff75d26ca4577d77732f67d

  • SHA1

    5e96cf772e4143e28cdd7693319c7d0d704ea305

  • SHA256

    93d63a89c3831bd2c922accb28ce7b02ab18e92c9856eaa465c09102f4d74a96

  • SHA512

    638af6d8b499af41993536ef0a5d21cfbb929765cec9009ce7579fc53c53835b78f2f91c75281c04ad5add2db57f548ea0ff12c5cd772dc8dfbc46faba183729

  • SSDEEP

    768:cf7T23HlfKG3hT/sCWTxVsIhxN0qfFXGn:kH2Xl39EdL92n

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Sets file execution options in registry 2 TTPs 60 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\179c225bcff75d26ca4577d77732f67d.exe
    "C:\Users\Admin\AppData\Local\Temp\179c225bcff75d26ca4577d77732f67d.exe"
    1⤵
    • Sets file execution options in registry
    • Checks computer location settings
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c net stop McShield
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Windows\SysWOW64\net.exe
        net stop McShield
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop McShield
          4⤵
            PID:380
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c net stop KWhatchsvc
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Windows\SysWOW64\net.exe
          net stop KWhatchsvc
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1848
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop KWhatchsvc
            4⤵
              PID:3896
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c net stop KPfwSvc
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4140
          • C:\Windows\SysWOW64\net.exe
            net stop KPfwSvc
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4368
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop KPfwSvc
              4⤵
                PID:2516
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c net stop "Symantec AntiVirus"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3952
            • C:\Windows\SysWOW64\net.exe
              net stop "Symantec AntiVirus"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2016
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Symantec AntiVirus"
                4⤵
                  PID:2364
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c net stop "Symantec AntiVirus Definition Watcher"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4960
              • C:\Windows\SysWOW64\net.exe
                net stop "Symantec AntiVirus Definition Watcher"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2676
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Symantec AntiVirus Definition Watcher"
                  4⤵
                    PID:4868
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c net stop "McAfee Framework ·þÎñ"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2952
                • C:\Windows\SysWOW64\net.exe
                  net stop "McAfee Framework ·þÎñ"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5112
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "McAfee Framework ·þÎñ"
                    4⤵
                      PID:628
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net stop "Norton AntiVirus Server"
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:680
                  • C:\Windows\SysWOW64\net.exe
                    net stop "Norton AntiVirus Server"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3656
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop "Norton AntiVirus Server"
                      4⤵
                        PID:3904
                  • C:\Windows\SysWOW64\360safe.pif
                    C:\Windows\system32\360safe.pif
                    2⤵
                    • Drops file in Drivers directory
                    • Executes dropped EXE
                    PID:3300
                    • C:\Program Files\Internet Explorer\iexplore.exe
                      "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
                      3⤵
                      • Modifies Internet Explorer settings
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SetWindowsHookEx
                      PID:5024
                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5024 CREDAT:17410 /prefetch:2
                        4⤵
                        • Modifies Internet Explorer settings
                        • Suspicious use of SetWindowsHookEx
                        PID:4460
                  • C:\Windows\SysWOW64\cacls.exe
                    "C:\Windows\System32\cacls.exe" C:\Windows\system32\packet.dll /e /p everyone:f
                    2⤵
                      PID:2524
                    • C:\Windows\SysWOW64\cacls.exe
                      "C:\Windows\System32\cacls.exe" C:\Windows\system32\pthreadVC.dll /e /p everyone:f
                      2⤵
                        PID:4852
                      • C:\Windows\SysWOW64\cacls.exe
                        "C:\Windows\System32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f
                        2⤵
                          PID:3200
                        • C:\Windows\SysWOW64\cacls.exe
                          "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f
                          2⤵
                            PID:4560
                          • C:\Windows\SysWOW64\cacls.exe
                            "C:\Windows\System32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f
                            2⤵
                              PID:444
                            • C:\Windows\SysWOW64\cacls.exe
                              "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\acpidisk.sys /e /p everyone:f
                              2⤵
                                PID:3632
                              • C:\Windows\SysWOW64\cacls.exe
                                "C:\Windows\System32\cacls.exe" C:\Windows\system32\wanpacket.dll /e /p everyone:f
                                2⤵
                                  PID:2908
                                • C:\Windows\SysWOW64\cacls.exe
                                  "C:\Windows\System32\cacls.exe" C:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f
                                  2⤵
                                    PID:3896
                                  • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                                    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                                    2⤵
                                    • Modifies Internet Explorer settings
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SetWindowsHookEx
                                    PID:2708
                                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:17410 /prefetch:2
                                      3⤵
                                      • Modifies Internet Explorer settings
                                      • Suspicious use of SetWindowsHookEx
                                      PID:3932

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CC13FF2F-0028-11D6-BB50-7672481B3261}.dat

                                  Filesize

                                  5KB

                                  MD5

                                  7377352dd7df9e54e70914d4bc880030

                                  SHA1

                                  e48f09ff55a0485aa5ca55a6f19db23d55e7f994

                                  SHA256

                                  ee9ae655d5f7e2b3388d3eb778aa3e0bae405d6bc32898466dee7813dd266b89

                                  SHA512

                                  ddad06582d21962cceb7b3116ebf11a2f63eeb2aff42553c14796835ea1d935f945e08a9fb05f26fd3bd7e9c3c06129bce123e91072308bcb35a2a0756b58ddc

                                • C:\Windows\SysWOW64\360safe.pif

                                  Filesize

                                  4KB

                                  MD5

                                  b8f28133525c53a754c4c9b6e76f0ca6

                                  SHA1

                                  8fa6e2b123fbbefea1cf5d3af04c73a81f73f5a4

                                  SHA256

                                  56b6985ef209c84cc7015fbffd6200829f2893d4c985c9b48caaf42662553a48

                                  SHA512

                                  7e225e7c585eac3ce1a50f378fe8932601df84fbd535c32323743216e33f15cadf32e6a0cca3a00a1fe0a027cd639db3a3260a38d7775c4d2a58aa8601074a40

                                • memory/1008-0-0x0000000013140000-0x000000001315B000-memory.dmp

                                  Filesize

                                  108KB

                                • memory/1008-1-0x0000000000490000-0x0000000000491000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/1008-6-0x0000000013140000-0x000000001315B000-memory.dmp

                                  Filesize

                                  108KB

                                • memory/1008-7-0x0000000000490000-0x0000000000491000-memory.dmp

                                  Filesize

                                  4KB