Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
1s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
31/12/2023, 03:26
Static task
static1
Behavioral task
behavioral1
Sample
2654d11f2d3ce974e432ad1c84bcd1f7.exe
Resource
win7-20231215-en
General
-
Target
2654d11f2d3ce974e432ad1c84bcd1f7.exe
-
Size
4.5MB
-
MD5
2654d11f2d3ce974e432ad1c84bcd1f7
-
SHA1
053efdc46790dd1b49e93863df59c83c39342c8f
-
SHA256
df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51
-
SHA512
8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7
-
SSDEEP
98304:UvcNtBvoJc7I0r0fy0hqQRi69numaD09pJ6N5f1qlFBdWiBl5E1oz2tiuD:UkJtjr0fXRi65rwfCFTZteoz2B
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
-
Glupteba payload 15 IoCs
resource yara_rule behavioral2/memory/2732-2-0x0000000001720000-0x0000000002046000-memory.dmp family_glupteba behavioral2/memory/2732-3-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral2/memory/2732-4-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral2/memory/2732-6-0x0000000001720000-0x0000000002046000-memory.dmp family_glupteba behavioral2/memory/3192-8-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral2/memory/3192-17-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral2/memory/3704-20-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral2/memory/3704-21-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral2/memory/3704-28-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral2/memory/3704-29-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral2/memory/3704-30-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral2/memory/3704-31-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral2/memory/3704-32-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral2/memory/3704-33-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral2/memory/3704-34-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 2396 netsh.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2892 schtasks.exe -
GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 40 Go-http-client/1.1 HTTP User-Agent header 59 Go-http-client/1.1 HTTP User-Agent header 61 Go-http-client/1.1
Processes
-
C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"1⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"2⤵PID:3192
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵PID:3620
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /51-513⤵PID:3704
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
PID:2892
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵PID:4292
-
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes1⤵
- Modifies Windows Firewall
PID:2396