Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
27/01/2024, 00:29
General
-
Target
78cc2004a61a5f5bd968bc7449a6e41d.exe
-
Size
1.5MB
-
MD5
78cc2004a61a5f5bd968bc7449a6e41d
-
SHA1
5d68410afdd470c5d076b6de46c3b2eeee953be1
-
SHA256
c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec
-
SHA512
c7cb55dcc7344b3f00f93e49eb49712bb85cb7bc4d1bc85f81b3cf1358cec9375e427fc7403c9eeb0eb715a7c4b0a08b423759d76dd12f14ab6f38c96fdf5bad
-
SSDEEP
49152:EgSqM6bpcBJT+tFgYlGiFKtFHbo1kEJwQ/oW1vAaK:Jq7v7FdEJw8oaoJ
Malware Config
Extracted
nullmixer
http://marisana.xyz/
Extracted
smokeloader
pub6
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 7 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\78cc2004a61a5f5bd968bc7449a6e41d.exe"C:\Users\Admin\AppData\Local\Temp\78cc2004a61a5f5bd968bc7449a6e41d.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS432ED767\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS432ED767\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c karotima_1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS432ED767\karotima_1.exekarotima_1.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 4764⤵
- Program crash
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c karotima_2.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 220 -ip 2201⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS432ED767\karotima_2.exekarotima_2.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 3962⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2156 -ip 21561⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5318406035645fb32402324af2fa3dfc5
SHA1bcc27dbb58e3bd5aa58fb17f17812aa5274e7cb1
SHA256e23e9cae0aff40c38ae43a4f93c30d71a9dba57bc13f0818cdd9be70aa812e44
SHA51231ef220c9022fd9cfe83a0db32eeffe68c49cf62fa0076232c34b1312ef62db716023d4a9f14e02ace195962e1abe197435567a59bd71184a9bf114d02a89ca8
-
Filesize
114KB
MD5c55bfe2bf21f4ffed7c0c1cd25642812
SHA153db2b218f46cf827ee0f5d78c45c0a90a09ae17
SHA256859b75bcb02faa71672bcd802b9f5da930a9d0909cb135837894410b5daaf25f
SHA5120b8bd665f525c8db611b1fc98937b70b8012d0f706af28e21cf870ff783ad9ad7e8051cae22afcf17f00fa9214394848ca7d067c66dd7ec5e38cb66119148f7b
-
Filesize
57KB
MD5fb557ab0cae3d82fa15361c417827dd1
SHA10cc4def5d1e6a40aeb458b9cd65e449e98df350e
SHA2564cc4e072c594be31713dfa49564c72ef7edc6cf47143a134c0a836e0731cd51c
SHA51228d2ff025ce946fb3c967dae985f926a176728bb23d671a529a1bedd12b61713e17b3c05c525972415bb40da14c97f13b229825f0f6637fe2a0ccd9e8a3ce055
-
Filesize
102KB
MD547bfa320df9625ac72fbb0bc2431f1b4
SHA1d62542b962108d65c6c68dfd4d549163b18ffffb
SHA2560957df543797ba5008466fca02b0c2157808cd6732933c6939b13f8a4e42bb7f
SHA51260ec07d2896e153c87e06a25879fbf7d435036e83061965d65d7d511d71928be327edee8c64c3c3d97baeab774ff5a17d28c10ed25e3de594d8adaefd2dd21d1
-
Filesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
Filesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
Filesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
Filesize
505KB
MD5f601f55e6b99c260aaea225474c74cb8
SHA12a1373f5cb9f117ab92d37d2334d8c2da627acb1
SHA256bd018322cd2e647d13fab7f90f52e8493ef191f7a99d88557474e73a5af24771
SHA51264a5c3d1c5cef9866e76cfa69f4da3e1175505cda6cf558368802da8504270c206feb32112600fb6f7e37a7e91b18f760901638d19a027a6f8543d2493c05e01
-
Filesize
306KB
MD5876695ef6fce8d1ffebb2b6c7a7d083c
SHA1546a9b6aa10650997afac693648dba3ab818bcb5
SHA25628c83347f88b56e0699db20bde297a2ea28ac9b5ec35751335a859c3ce64f780
SHA512cb5f53bf0ba8badfa659d048dc1f9f2f2a94728d6f1cff43351db6175664f6bed3bd303b48d8b1b00e07c68e67d400bd8e530cc8f4d1741c7939b7fd0f01c546
-
Filesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
Filesize
92KB
MD5fb6355641538cbd2a799e8b4f00f764a
SHA1a1d0785beae6697a96ac424165a63a1e3bdf6c4a
SHA256bec197d013755e4d2e453ea3786d7eae320f2bd4de40ca2eda8eac4cc3b7ddd8
SHA51231992a4a4316ac13a142cda404734fe12b0f7deaf533ee5bc07ffdd1869cd7b4a43d4d3fe36fbe3e9fdf91ab7356e22d43be38b13bf99726ff51619f5eb8e208
-
Filesize
57KB
MD58d2bb635530c1a854ffc5148ec6186c4
SHA1fb71e67b85be694ca0361ed49ce46870408b74ac
SHA25626f3783410ed1ad464aadace20f45240645ff4fcfb6eb8b0996798f66b433da8
SHA51266c90c9dcfafc9fa4412b954e3009e188015451febac13a868e75190ec94326e07b86fb7bbefe9fe5b41102abcf17ae3ed2e59652f00970498e85cdc784a9d32
-
Filesize
287KB
MD5525ac099d70602763bd7f9f9e8518b07
SHA1e963393e9ec19249adea507cd54c731a16227980
SHA256cc78e389c7a8fed598e312f2e150ffb8a99d9bffdfa4982bd59ae6ce7693efbf
SHA512fc4cd5120656fd80f66e689786cbcce1d9259e0bb7b37f653b5e130463f128f38c024b0e84f8561bad48d7b066dd965a9a94a7bbcb0dbecb2bc3468902293d67
-
Filesize
21KB
MD51dae65a2fe7c806b709fd184bccf0f62
SHA184fff17e45216110a0c492a493871b53b90bdf36
SHA256beb00f94f79d406beaf25ce70bbd977ea45622e21d41d4ea1faae76635d8c0b6
SHA5122c84d973c6643a482422fe9d9d786dcdf3dc96c11d4640c0ec94020211851518e8eff16701925c344248d60c4bb710b502fd7ae59c70194c978cedc1e4f5f059
-
Filesize
216KB
MD559dc54ff7d8105a3c48b2ab9b15f65cf
SHA142176449a481e23c99fd8efd49995748f4757a21
SHA256a0a44401be7248d649615108b9dd86527d61ef1a093c000dc083861c7cb21d21
SHA51264f967028109ca2bbd693efca7c60802aee3d0257c5294f401de76ced396cd694a839a9418e8207f5782bc7bdd24411670f733abae1f41b13e5f24aa4ff18864
-
Filesize
263KB
MD58deca3b08d3ef06da52a5e3142de4c2b
SHA177d41ede930a047e7183ac4a81d4a5fbbeccbd0d
SHA256ae010de6db522de0c6035b995fb8625a9aa1e68e45790894c0ff050fb102d721
SHA512d8eae020c3f1010c3e1194fa35b58e739bcb686ca722cfed4510c629d3846776bf8de1f6564e645afa381ce08e695d04c08219d1551e92a01d8b2dd1c7b5f012
-
Filesize
841KB
MD5ec65bd76a8bc4b1e7b2024c7274d4af6
SHA1c2bcb491b29694096df81abe3ab20bd737295b53
SHA2569104f49109de3ba5fdae599dbb48790a792b055b38e4613632e240adde0cd16b
SHA51244f298b98b30093a4b01cbc195cc244eb7c0125e62efb30dca83e85461f787390da8433fe5dbd5b8ec54ef7ef69ada5125fd65e8a2b2ee4ecf71134aa8b71487
-
Filesize
328KB
MD56f7f47269f92b58955a6714ddba7fcd4
SHA1e92a5ec35e1900af4849fe54da71abc939b58ab3
SHA2562c7607aeadea3ed5a9c4f6c0f25b097d5219b2ed16697cd5bd06407906098569
SHA512a04a2919ad8a21d994460c73ccd36e1694c101078126e9add60dced76b87efae2eb7f7c71f997779645fbef78c9aff8475943cc8b81e8c2830c90a695c9d4152
-
Filesize
1.5MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
1.1MB
-
Filesize
140KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
436KB
-
Filesize
436KB
-
Filesize
84KB