Analysis
- max time kernel: 153s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/01/2024, 00:36
Static task: static1
Behavioral task: behavioral1
- Sample: 7345e92b8c434600003f1440d40b5569.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 7345e92b8c434600003f1440d40b5569.exe
- Resource: win10v2004-20231215-en
General
- Target: 7345e92b8c434600003f1440d40b5569.exe
- Size: 71KB
- MD5: 7345e92b8c434600003f1440d40b5569
- SHA1: f7ea424eab6519bf070d79e4286d526171d4e50c
- SHA256: ad45617ba5cad264fba8428616d3a7ea425828119b9b65586c5755e95eb5bb78
- SHA512: 4af953262d4f5b4b91cae27aa6d30af1fd4452c48c5daa86ef2192184176868834a2a096c5609d4d6e4816bbead619b6d079a6af32587f96c22e5fb53214432d
- SSDEEP: 1536:aGW7+MJFBwiJDALEnfUXsIOKPSkN68gzUGGT6SVKPnRBuT0KcAyjN:aGc+MJFOZmMX2ijVgzUGGTh+RB+0vN
Malware Config
Signatures

Loads dropped DLL (2 IoCs)
- pid 4996, process 7345e92b8c434600003f1440d40b5569.exe
- pid 2520, process rundll32.exe

YARA rule matches (resource, yara_rule)
- behavioral2/memory/4996-2-0x0000000000400000-0x0000000000415000-memory.dmp, upx
- behavioral2/memory/4996-3-0x0000000000400000-0x0000000000415000-memory.dmp, upx
- behavioral2/memory/4996-4-0x0000000000400000-0x0000000000415000-memory.dmp, upx
- behavioral2/memory/4996-11-0x0000000010000000-0x0000000010014000-memory.dmp, upx
- behavioral2/memory/4996-12-0x0000000010000000-0x0000000010014000-memory.dmp, upx
- behavioral2/memory/4996-15-0x0000000010000000-0x0000000010014000-memory.dmp, upx
- behavioral2/memory/2520-34-0x0000000010000000-0x0000000010014000-memory.dmp, upx
- behavioral2/memory/2520-35-0x0000000010000000-0x0000000010014000-memory.dmp, upx
- behavioral2/memory/2520-36-0x0000000010000000-0x0000000010014000-memory.dmp, upx

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\vtUkhgfD.dll,#1" (process: rundll32.exe)

Drops file in System32 directory (4 IoCs)
- File opened for modification: C:\Windows\SysWOW64\vtUkhgfD.dll (process: 7345e92b8c434600003f1440d40b5569.exe)
- File opened for modification: C:\Windows\SysWOW64\awtustsp.dll (process: 7345e92b8c434600003f1440d40b5569.exe)
- File created: C:\Windows\SysWOW64\awtustsp.dll (process: 7345e92b8c434600003f1440d40b5569.exe)
- File created: C:\Windows\SysWOW64\vtUkhgfD.dll (process: 7345e92b8c434600003f1440d40b5569.exe)

Modifies registry class (4 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD417378-F411-4B77-BBEE-4893BB670D4C} (process: rundll32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD417378-F411-4B77-BBEE-4893BB670D4C}\InprocServer32 (process: rundll32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD417378-F411-4B77-BBEE-4893BB670D4C}\InprocServer32\ = "C:\\Windows\\SysWow64\\vtUkhgfD.dll" (process: rundll32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD417378-F411-4B77-BBEE-4893BB670D4C}\InprocServer32\ThreadingModel = "Both" (process: rundll32.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 4996, process 7345e92b8c434600003f1440d40b5569.exe (2 entries)
- pid 2520, process rundll32.exe (62 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, pid 4996, process 7345e92b8c434600003f1440d40b5569.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- pid 4996, process 7345e92b8c434600003f1440d40b5569.exe

Suspicious use of WriteProcessMemory (7 IoCs)
- PID 4996 wrote to memory of 612 (pid 4996, process 7345e92b8c434600003f1440d40b5569.exe, procid_target 3)
- PID 4996 wrote to memory of 2520 (pid 4996, process 7345e92b8c434600003f1440d40b5569.exe, procid_target 95), 3 entries
- PID 4996 wrote to memory of 2408 (pid 4996, process 7345e92b8c434600003f1440d40b5569.exe, procid_target 96), 3 entries
Processes
- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  PID: 612
- C:\Users\Admin\AppData\Local\Temp\7345e92b8c434600003f1440d40b5569.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7345e92b8c434600003f1440d40b5569.exe"
  PID: 4996
  Signatures:
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Windows\system32\vtUkhgfD.dll,a
    PID: 2520
    Signatures:
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\removalfile.bat "C:\Users\Admin\AppData\Local\Temp\7345e92b8c434600003f1440d40b5569.exe"
    PID: 2408
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 43B
  MD5: 9a7ef09167a6f4433681b94351509043
  SHA1: 259b1375ed8e84943ca1d42646bb416325c89e12
  SHA256: d5739a0510d89da572eb0b0d394d4fb4dd361cd9ee0144b9b31c590df93c3be7
  SHA512: 96b84cd88a0e4b7c1122af3ed6ce5edf0a9a4e9bf79575eadfac16b2c46f1278d57755d29f21d7c6dcb4403be24b7ac7da4837c6cc9c602342a8f2b8e54883df
- Filesize: 43KB
  MD5: 02a2b1e9f7551ee28b40224ddb628086
  SHA1: 2869a7dcfed1c4a0b35e4c9a3aa8136933674068
  SHA256: 04781942f4f8e6db2f714bea9c89eace7e86653f8ac29908a95d13bccdd0099f
  SHA512: 74b182e2850db9b22d018eb9ff3352b8bb3c1996781e7338e26ce71ee7a5fd6a981fbca63a607520977e65e12cda6fef5f6a3187016af44bfb0a700cd25104e3