Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

586252db99...35.exe

windows7-x64

8

586252db99...35.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    153s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13/01/2024, 07:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    586252db9974d82bdac40f0bad24e035.exe

  • Size

    28KB

  • MD5

    586252db9974d82bdac40f0bad24e035

  • SHA1

    ace366b1f030485531d391a2098942101b671fe1

  • SHA256

    7a9aeda8aef241179de9ea7aad1180f8498e68b69a1a6fd5bb9a0ee5ce750965

  • SHA512

    203c8184e8b889372eb8962ba3e2c3bc5b8733154382a4c47f95624fabf2a3e37c3c3417874636948d21f25601e0f239898733272855b0650a5f34dc5050dc92

  • SSDEEP

    768:F4o0EI24p9oYDVFy9QBfziUX+lKoObfHT5BoDP:aoI24vVN75cOL12b

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\586252db9974d82bdac40f0bad24e035.exe
    "C:\Users\Admin\AppData\Local\Temp\586252db9974d82bdac40f0bad24e035.exe"
    1⤵
    • Sets file execution options in registry
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Program Files\ALKS.pif
      "C:\Program Files\ALKS.pif"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c rundll32 Runt.dll,RundllTest
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 Runt.dll,RundllTest
          4⤵
          • Sets service image path in registry
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious behavior: LoadsDriver
          PID:2812
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net1 start server
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\net1.exe
        net1 start server
        3⤵
          PID:2504
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c sc delete RavCCenter
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Windows\SysWOW64\sc.exe
          sc delete RavCCenter
          3⤵
          • Launches sc.exe
          PID:1632
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c sc delete RsRavMon
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\SysWOW64\sc.exe
          sc delete RsRavMon
          3⤵
          • Launches sc.exe
          PID:1028
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c sc delete RavTask
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\SysWOW64\sc.exe
          sc delete RavTask
          3⤵
          • Launches sc.exe
          PID:1804
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c sc delete RsScanSrv
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\SysWOW64\sc.exe
          sc delete RsScanSrv
          3⤵
          • Launches sc.exe
          PID:2308

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Runt.dll
      Filesize

      7KB

      MD5

      67a39bd5018bf39f7afcebe1b4ff52ad

      SHA1

      af6714aca06dd7cd0415fb9ebcd60956e95a0db2

      SHA256

      e643ed74269304086bc72b617e0ab6368b97f07805bd6eae5e005a349b23ed98

      SHA512

      76387db26dd39499595ad7b0674f624488b01dc47c5edb1e22fa5731f43edfb5b752a9a52a6b737bee0471eb2cf07a8dd4f479fa5b26d8a8f2822bf6b214efa5

      Download Submit

    • \Program Files\ALKS.pif
      Filesize

      8KB

      MD5

      719d9731f35ca29232ef7ef22e887adc

      SHA1

      38cca1dc95cbd0d47a81afcecc3403ebc97cf377

      SHA256

      7ef11877c1f9b55c5102fec725f787261f0cfe6bfff82e706abc7e1d5a0f9b41

      SHA512

      79c2d70ccb1864db3cbd0c1ef2218a4420389c1cf20fa11b454d2680fec59a3018aff128048144f547a4601af60bb95dcf7c8d7a883b9d819ac644dba7433221

      Download Submit

    • \Users\Admin\AppData\Local\Temp\dllD6EE.tmp
      Filesize

      9KB

      MD5

      15acf079ff53fbad800c4121c6497ecb

      SHA1

      7f47b91ddfb4cc3dbfe319123de0d047dcc9fcfd

      SHA256

      f06259a419908a3e49c7abd53bb69c5a389d81706a6f1c5e50c6445d1d86eff1

      SHA512

      231514576a14e51140e815e5206a36f6836037b5cfdc37b123d445ee87ca314db09c7b30b6d7fe229d1e7bfc7cf9b39c9c27dd0e6f7a89d022c5c1b96aaae281

      Download Submit

    • memory/1300-12-0x0000000013140000-0x0000000013143000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1568-25-0x0000000013140000-0x000000001314E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1568-6-0x00000000001F0000-0x00000000001F3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1568-0-0x0000000013140000-0x000000001314E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1568-13-0x00000000001F0000-0x00000000001F3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1568-34-0x0000000010000000-0x0000000010007000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1568-53-0x0000000013140000-0x000000001314E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1568-58-0x0000000010000000-0x0000000010007000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2812-20-0x0000000010000000-0x0000000010008000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2812-21-0x0000000010000000-0x0000000010008000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2812-23-0x0000000010000000-0x0000000010008000-memory.dmp

      Filesize

      32KB

      Download