Analysis

  • max time kernel
    140s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/01/2024, 00:07

General

  • Target

    4cd0aa65d375f9edb94986ff5785834d.exe

  • Size

    200KB

  • MD5

    4cd0aa65d375f9edb94986ff5785834d

  • SHA1

    8c3a4811588a9281011542decd827daf028eb4f2

  • SHA256

    955d5d2bf1cd67196b174dde14c9871b37c72b08777915836cb246b86e3e68ba

  • SHA512

    07423da446e8dd68873028336a1420567a633646142ce63e7498f60ef94f36b1303c2e8a71ac126300a51a086e58e3126a54b8c2a585a07dd6f05449ac616ace

  • SSDEEP

    6144:jD/SXeNQCJXtEpIE5nVWJVErxIgldFaobgVl:iuNtJXjE5nV2VSldFaobgVl

Score
8/10

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs 3 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cd0aa65d375f9edb94986ff5785834d.exe
    "C:\Users\Admin\AppData\Local\Temp\4cd0aa65d375f9edb94986ff5785834d.exe"
    1⤵
    • Checks whether UAC is enabled
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Local\Temp\jiii\4cd0aa65d375f9edb94986ff5785834d.exe
      "C:\Users\Admin\AppData\Local\Temp\jiii\4cd0aa65d375f9edb94986ff5785834d.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4676
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiii\gjcvdcsm.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3768
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiii\ygrwmhfyu.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2396
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiii\hqcoamoek.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2460
  • C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram program="C:\Users\Admin\AppData\Local\Temp\jiii\4cd0aa65d375f9edb94986ff5785834d.exe" profile=All
    1⤵
    • Modifies Windows Firewall
    PID:1972
  • C:\Windows\SysWOW64\netsh.exe
    netsh.exe firewall add allowedprogram PROGRAM="C:\Users\Admin\AppData\Local\Temp\jiii\4cd0aa65d375f9edb94986ff5785834d.exe" NAME="lvideo" MODE=ENABLE PROFILE=ALL
    1⤵
    • Modifies Windows Firewall
    PID:1232
  • C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram program="C:\Users\Admin\AppData\Local\Temp\jiii\4cd0aa65d375f9edb94986ff5785834d.exe" profile=All
    1⤵
    • Modifies Windows Firewall
    PID:4308

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\jiii\4cd0aa65d375f9edb94986ff5785834d.exe

    Filesize

    200KB

    MD5

    4cd0aa65d375f9edb94986ff5785834d

    SHA1

    8c3a4811588a9281011542decd827daf028eb4f2

    SHA256

    955d5d2bf1cd67196b174dde14c9871b37c72b08777915836cb246b86e3e68ba

    SHA512

    07423da446e8dd68873028336a1420567a633646142ce63e7498f60ef94f36b1303c2e8a71ac126300a51a086e58e3126a54b8c2a585a07dd6f05449ac616ace

  • C:\Users\Admin\AppData\Local\Temp\jiii\hqcoamoek.bat

    Filesize

    200B

    MD5

    71218fe749a6d2645f91f67ca12d5c41

    SHA1

    ed7df6ca194cf382a78d70d0aa417c27ae3964ad

    SHA256

    5f34ce1b00f8eb9642de4c18085446feeec87ddefc7855315bf58c3ba65f897e

    SHA512

    c138a03bee7e7069f4ea58c80d543c01701e606c0c80e8dd7b68f96a2c633d0626d6695a306db13dce7fac0c897257ffc2af3f34465fbc6a194794eb327770f5

  • C:\Users\Admin\AppData\Local\Temp\jiii\ygrwmhfyu.bat

    Filesize

    227B

    MD5

    0d855e48b996407f8e98ededa9fcff9a

    SHA1

    b9e44e29f3980415d36628b4b39a7bd9b15f0352

    SHA256

    1239b9a2ca0ba5de7104319eb4ffba7f1bac76084c959abf2f902408cdca6113

    SHA512

    8a00c5656e3fba7e509f9987334d4b75ef7064b859e62348d203d1230fc319b5907f53651252132853f352400c3d0321a7a3f00657979263ffb235d84d131c8e