Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

5688a22c88...7a.exe

windows7-x64

10

5688a22c88...7a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/01/2024, 13:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5688a22c882e60b2cd2f2cc72601757a.exe

  • Size

    145KB

  • MD5

    5688a22c882e60b2cd2f2cc72601757a

  • SHA1

    444f49bf79dcdaa9a92dc62a9fe6ae3b0fe3b4fd

  • SHA256

    6083316ee01a2fee563a39e1dbc12b9042ec2c0ac87ddf0b2215e33fda2e1875

  • SHA512

    b709400c7f79b09a3da2f6969c4b7256cfb49dc3e42763506cf0a4ac81500d04e4fac70ad16b75ee50767ae645b97d2c39e1b591eab5df5d7c4db6a20811fc3e

  • SSDEEP

    3072:f7nTa+mRUBCVIFedDNG/A88pN4s/OwEx1AK6lb9Qt:Ha+mOBCVI8dZcQqNzAr9Q

Score
10/10
metasploitbackdoorpersistencetrojanupx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Runs net.exe
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5688a22c882e60b2cd2f2cc72601757a.exe
    "C:\Users\Admin\AppData\Local\Temp\5688a22c882e60b2cd2f2cc72601757a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Users\Admin\AppData\Local\Temp\5688a22c882e60b2cd2f2cc72601757a.exe
      "C:\Users\Admin\AppData\Local\Temp\5688a22c882e60b2cd2f2cc72601757a.exe"
      2⤵
        PID:4544
      • C:\Users\Admin\AppData\Local\Temp\5688a22c882e60b2cd2f2cc72601757a.exe
        "C:\Users\Admin\AppData\Local\Temp\5688a22c882e60b2cd2f2cc72601757a.exe"
        2⤵
        • Checks computer location settings
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:5104
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\x.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1984
          • C:\Windows\SysWOW64\net.exe
            net stop "Security Center"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4884
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Security Center"
              5⤵
                PID:2416
          • C:\Windows\csrss.exe
            "C:\Windows\csrss.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1552
            • C:\Windows\csrss.exe
              "C:\Windows\csrss.exe"
              4⤵
              • Executes dropped EXE
              PID:4752
            • C:\Windows\csrss.exe
              "C:\Windows\csrss.exe"
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:116
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\x.bat" "
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:3224
                • C:\Windows\SysWOW64\net.exe
                  net stop "Security Center"
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5020
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Security Center"
                    7⤵
                      PID:1228
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 252
                4⤵
                • Program crash
                PID:4596
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 268
            2⤵
            • Program crash
            PID:3536
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4648 -ip 4648
          1⤵
            PID:3932
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1552 -ip 1552
            1⤵
              PID:1952

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\csrss.exe
              Filesize

              145KB

              MD5

              5688a22c882e60b2cd2f2cc72601757a

              SHA1

              444f49bf79dcdaa9a92dc62a9fe6ae3b0fe3b4fd

              SHA256

              6083316ee01a2fee563a39e1dbc12b9042ec2c0ac87ddf0b2215e33fda2e1875

              SHA512

              b709400c7f79b09a3da2f6969c4b7256cfb49dc3e42763506cf0a4ac81500d04e4fac70ad16b75ee50767ae645b97d2c39e1b591eab5df5d7c4db6a20811fc3e

              Download Submit

            • C:\x.bat
              Filesize

              53B

              MD5

              e6ed7be2b9572503f07663ca6e53759f

              SHA1

              7ad80bd38f2a27e06c111b551c76ad0a0585c194

              SHA256

              b1a6c027d18eb5766129a059f68201e6fb8c68d095f3932983009fe5ae2e4df9

              SHA512

              e0010782b4fe567290536743375112db3107f8390d4c5cbb97f1bf1a8c83825399e1fe2fe9793d351896bb704f3bdec583fa7241b853b136fa9440a927d94227

              Download Submit

            • memory/116-31-0x0000000000400000-0x0000000000458000-memory.dmp

              Filesize

              352KB

              Download

            • memory/116-29-0x0000000000400000-0x0000000000458000-memory.dmp

              Filesize

              352KB

              Download

            • memory/116-25-0x0000000000400000-0x0000000000458000-memory.dmp

              Filesize

              352KB

              Download

            • memory/1552-14-0x0000000000300000-0x0000000000326000-memory.dmp

              Filesize

              152KB

              Download

            • memory/1552-19-0x0000000000300000-0x0000000000326000-memory.dmp

              Filesize

              152KB

              Download

            • memory/4648-0-0x0000000000030000-0x0000000000056000-memory.dmp

              Filesize

              152KB

              Download

            • memory/4648-1-0x0000000000030000-0x0000000000056000-memory.dmp

              Filesize

              152KB

              Download

            • memory/4752-18-0x0000000000300000-0x0000000000326000-memory.dmp

              Filesize

              152KB

              Download

            • memory/4752-20-0x0000000000300000-0x0000000000326000-memory.dmp

              Filesize

              152KB

              Download

            • memory/5104-15-0x0000000000400000-0x0000000000458000-memory.dmp

              Filesize

              352KB

              Download

            • memory/5104-5-0x0000000000400000-0x0000000000458000-memory.dmp

              Filesize

              352KB

              Download

            • memory/5104-4-0x0000000000400000-0x0000000000458000-memory.dmp

              Filesize

              352KB

              Download

            • memory/5104-2-0x0000000000400000-0x0000000000458000-memory.dmp

              Filesize

              352KB

              Download