Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

56392089cb...aa.exe

windows7-x64

10

56392089cb...aa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/01/2024, 10:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56392089cbf8187636317ab83a2c12aa.exe

  • Size

    15KB

  • MD5

    56392089cbf8187636317ab83a2c12aa

  • SHA1

    29dde0eba73888ebdb049278829862be70d2dc1e

  • SHA256

    d3c5dfc940753fc819ace0c55216442a7cb090fec27e856071da176efdbc87c0

  • SHA512

    fb6e9b85d4067d109cec37546c545e1dbac29d528912b2189b368e663fd4ad66b2f5dc34e117ef53cfc3674e8bcae8a1e4a4282ced9664f261b5ac967793472b

  • SSDEEP

    384:AERvojPXWhimbGz7RyaWtugEzCkLAExM842:LRksghxMN

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56392089cbf8187636317ab83a2c12aa.exe
    "C:\Users\Admin\AppData\Local\Temp\56392089cbf8187636317ab83a2c12aa.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c copy "C:\Users\Admin\AppData\Local\Temp\56392089cbf8187636317ab83a2c12aa.exe" "C:\Windows\csrss.exe"
      2⤵
      • Drops file in Windows directory
      PID:4696
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c delme.bat
      2⤵
        PID:5036
      • C:\Windows\csrss.exe
        C:\Windows\csrss.exe
        2⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        PID:4120

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\delme.bat
      Filesize

      193B

      MD5

      6725fd93b31835314e18db0a923086e8

      SHA1

      bfcd0336a837d11cd6498a55d8dba9c7101ccdf4

      SHA256

      c3982255b179846faa9b1ab0d186c9eea0594a61edb5618c6641531ecf88fe4c

      SHA512

      c262af8ed1dae0139afff2fc276b974aeb1f429bf1a454d66af8a2ed2f06a0cae1ef5ea50ccb5e42dc93c182cc2718223378045a703befe96092a2fe2ffbe744

      Download Submit

    • C:\Windows\csrss.exe
      Filesize

      15KB

      MD5

      56392089cbf8187636317ab83a2c12aa

      SHA1

      29dde0eba73888ebdb049278829862be70d2dc1e

      SHA256

      d3c5dfc940753fc819ace0c55216442a7cb090fec27e856071da176efdbc87c0

      SHA512

      fb6e9b85d4067d109cec37546c545e1dbac29d528912b2189b368e663fd4ad66b2f5dc34e117ef53cfc3674e8bcae8a1e4a4282ced9664f261b5ac967793472b

      Download Submit

    • memory/1648-7-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4120-14-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4120-10-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4120-11-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4120-12-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4120-13-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4120-9-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4120-15-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4120-16-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4120-17-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4120-18-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4120-19-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4120-20-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4120-21-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download