Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/01/2024, 13:02
Behavioral task: behavioral1
- Sample: 5688a22c882e60b2cd2f2cc72601757a.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 5688a22c882e60b2cd2f2cc72601757a.exe
- Resource: win10v2004-20231215-en
General
- Target: 5688a22c882e60b2cd2f2cc72601757a.exe
- Size: 145KB
- MD5: 5688a22c882e60b2cd2f2cc72601757a
- SHA1: 444f49bf79dcdaa9a92dc62a9fe6ae3b0fe3b4fd
- SHA256: 6083316ee01a2fee563a39e1dbc12b9042ec2c0ac87ddf0b2215e33fda2e1875
- SHA512: b709400c7f79b09a3da2f6969c4b7256cfb49dc3e42763506cf0a4ac81500d04e4fac70ad16b75ee50767ae645b97d2c39e1b591eab5df5d7c4db6a20811fc3e
- SSDEEP: 3072:f7nTa+mRUBCVIFedDNG/A88pN4s/OwEx1AK6lb9Qt:Ha+mOBCVI8dZcQqNzAr9Q
Malware Config
Extracted
- metasploit
- encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | 5688a22c882e60b2cd2f2cc72601757a.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | csrss.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  1552 | csrss.exe
  4752 | csrss.exe
  116 | csrss.exe
- YARA rule matches
  resource | yara_rule
  behavioral2/memory/4648-0-0x0000000000030000-0x0000000000056000-memory.dmp | upx
  behavioral2/memory/4648-1-0x0000000000030000-0x0000000000056000-memory.dmp | upx
  behavioral2/files/0x0007000000023203-12.dat | upx
  behavioral2/memory/1552-14-0x0000000000300000-0x0000000000326000-memory.dmp | upx
  behavioral2/memory/4752-18-0x0000000000300000-0x0000000000326000-memory.dmp | upx
  behavioral2/memory/1552-19-0x0000000000300000-0x0000000000326000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Data Serivce = "csrss.exe" | 5688a22c882e60b2cd2f2cc72601757a.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 4648 set thread context of 5104 | 4648 | 5688a22c882e60b2cd2f2cc72601757a.exe | 101
  PID 1552 set thread context of 116 | 1552 | csrss.exe | 120
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\csrss.exe | 5688a22c882e60b2cd2f2cc72601757a.exe
  File opened for modification | C:\Windows\csrss.exe | 5688a22c882e60b2cd2f2cc72601757a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  3536 | 4648 | WerFault.exe | 14
  4596 | 1552 | WerFault.exe | 107
- Runs net.exe
- Suspicious use of WriteProcessMemory (43 IoCs)
  description | pid | Process | procid_target
  PID 4648 wrote to memory of 4544 | 4648 | 5688a22c882e60b2cd2f2cc72601757a.exe | 91
  PID 4648 wrote to memory of 4544 | 4648 | 5688a22c882e60b2cd2f2cc72601757a.exe | 91
  PID 4648 wrote to memory of 4544 | 4648 | 5688a22c882e60b2cd2f2cc72601757a.exe | 91
  PID 4648 wrote to memory of 5104 | 4648 | 5688a22c882e60b2cd2f2cc72601757a.exe | 101
  PID 4648 wrote to memory of 5104 | 4648 | 5688a22c882e60b2cd2f2cc72601757a.exe | 101
  PID 4648 wrote to memory of 5104 | 4648 | 5688a22c882e60b2cd2f2cc72601757a.exe | 101
  PID 4648 wrote to memory of 5104 | 4648 | 5688a22c882e60b2cd2f2cc72601757a.exe | 101
  PID 4648 wrote to memory of 5104 | 4648 | 5688a22c882e60b2cd2f2cc72601757a.exe | 101
  PID 4648 wrote to memory of 5104 | 4648 | 5688a22c882e60b2cd2f2cc72601757a.exe | 101
  PID 4648 wrote to memory of 5104 | 4648 | 5688a22c882e60b2cd2f2cc72601757a.exe | 101
  PID 4648 wrote to memory of 5104 | 4648 | 5688a22c882e60b2cd2f2cc72601757a.exe | 101
  PID 5104 wrote to memory of 1984 | 5104 | 5688a22c882e60b2cd2f2cc72601757a.exe | 105
  PID 5104 wrote to memory of 1984 | 5104 | 5688a22c882e60b2cd2f2cc72601757a.exe | 105
  PID 5104 wrote to memory of 1984 | 5104 | 5688a22c882e60b2cd2f2cc72601757a.exe | 105
  PID 5104 wrote to memory of 1552 | 5104 | 5688a22c882e60b2cd2f2cc72601757a.exe | 107
  PID 5104 wrote to memory of 1552 | 5104 | 5688a22c882e60b2cd2f2cc72601757a.exe | 107
  PID 5104 wrote to memory of 1552 | 5104 | 5688a22c882e60b2cd2f2cc72601757a.exe | 107
  PID 1984 wrote to memory of 4884 | 1984 | cmd.exe | 108
  PID 1984 wrote to memory of 4884 | 1984 | cmd.exe | 108
  PID 1984 wrote to memory of 4884 | 1984 | cmd.exe | 108
  PID 4884 wrote to memory of 2416 | 4884 | net.exe | 109
  PID 4884 wrote to memory of 2416 | 4884 | net.exe | 109
  PID 4884 wrote to memory of 2416 | 4884 | net.exe | 109
  PID 1552 wrote to memory of 4752 | 1552 | csrss.exe | 110
  PID 1552 wrote to memory of 4752 | 1552 | csrss.exe | 110
  PID 1552 wrote to memory of 4752 | 1552 | csrss.exe | 110
  PID 1552 wrote to memory of 116 | 1552 | csrss.exe | 120
  PID 1552 wrote to memory of 116 | 1552 | csrss.exe | 120
  PID 1552 wrote to memory of 116 | 1552 | csrss.exe | 120
  PID 1552 wrote to memory of 116 | 1552 | csrss.exe | 120
  PID 1552 wrote to memory of 116 | 1552 | csrss.exe | 120
  PID 1552 wrote to memory of 116 | 1552 | csrss.exe | 120
  PID 1552 wrote to memory of 116 | 1552 | csrss.exe | 120
  PID 1552 wrote to memory of 116 | 1552 | csrss.exe | 120
  PID 1552 wrote to memory of 116 | 1552 | csrss.exe | 120
  PID 116 wrote to memory of 3224 | 116 | csrss.exe | 123
  PID 116 wrote to memory of 3224 | 116 | csrss.exe | 123
  PID 116 wrote to memory of 3224 | 116 | csrss.exe | 123
  PID 3224 wrote to memory of 5020 | 3224 | cmd.exe | 125
  PID 3224 wrote to memory of 5020 | 3224 | cmd.exe | 125
  PID 3224 wrote to memory of 5020 | 3224 | cmd.exe | 125
  PID 5020 wrote to memory of 1228 | 5020 | net.exe | 126
  PID 5020 wrote to memory of 1228 | 5020 | net.exe | 126
  PID 5020 wrote to memory of 1228 | 5020 | net.exe | 126
Processes
- C:\Users\Admin\AppData\Local\Temp\5688a22c882e60b2cd2f2cc72601757a.exe (PID 4648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5688a22c882e60b2cd2f2cc72601757a.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5688a22c882e60b2cd2f2cc72601757a.exe (PID 4544)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5688a22c882e60b2cd2f2cc72601757a.exe"
  - C:\Users\Admin\AppData\Local\Temp\5688a22c882e60b2cd2f2cc72601757a.exe (PID 5104)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5688a22c882e60b2cd2f2cc72601757a.exe"
    Signatures: Checks computer location settings; Adds Run key to start application; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1984)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\x.bat" "
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 4884)
        Command line: net stop "Security Center"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2416)
          Command line: C:\Windows\system32\net1 stop "Security Center"
    - C:\Windows\csrss.exe (PID 1552)
      Command line: "C:\Windows\csrss.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\csrss.exe (PID 4752)
        Command line: "C:\Windows\csrss.exe"
        Signatures: Executes dropped EXE
      - C:\Windows\csrss.exe (PID 116)
        Command line: "C:\Windows\csrss.exe"
        Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 3224)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\x.bat" "
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\net.exe (PID 5020)
            Command line: net stop "Security Center"
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\net1.exe (PID 1228)
              Command line: C:\Windows\system32\net1 stop "Security Center"
      - C:\Windows\SysWOW64\WerFault.exe (PID 4596)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 252
        Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 3536)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 268
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3932)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4648 -ip 4648
- C:\Windows\SysWOW64\WerFault.exe (PID 1952)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1552 -ip 1552
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 145KB
  MD5: 5688a22c882e60b2cd2f2cc72601757a
  SHA1: 444f49bf79dcdaa9a92dc62a9fe6ae3b0fe3b4fd
  SHA256: 6083316ee01a2fee563a39e1dbc12b9042ec2c0ac87ddf0b2215e33fda2e1875
  SHA512: b709400c7f79b09a3da2f6969c4b7256cfb49dc3e42763506cf0a4ac81500d04e4fac70ad16b75ee50767ae645b97d2c39e1b591eab5df5d7c4db6a20811fc3e
- Filesize: 53B
  MD5: e6ed7be2b9572503f07663ca6e53759f
  SHA1: 7ad80bd38f2a27e06c111b551c76ad0a0585c194
  SHA256: b1a6c027d18eb5766129a059f68201e6fb8c68d095f3932983009fe5ae2e4df9
  SHA512: e0010782b4fe567290536743375112db3107f8390d4c5cbb97f1bf1a8c83825399e1fe2fe9793d351896bb704f3bdec583fa7241b853b136fa9440a927d94227