Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

95e53155e0...f3.exe

windows7-x64

10

95e53155e0...f3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    12/02/2024, 01:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95e53155e00b9c37b1add3c88e16a0f3.exe

  • Size

    30KB

  • MD5

    95e53155e00b9c37b1add3c88e16a0f3

  • SHA1

    c3516fbeca07759176840c9df604501e8ec4b56e

  • SHA256

    7e82ee52b7778275e521c319d3aeb9d8040dbf01ba1a692c7bb09769f7be8442

  • SHA512

    0d9950407bb02d303fdfc0219128c77c8eb07cae6b744ebb6b8d81b493ac4439d0b69afb23479292cc7a734b8dad9cc8292582ba6c73bc40cd0c262c970dfc0e

  • SSDEEP

    384://cx2DN0MCLP4TLpxxklqd8ukQ379EGR7l1j8OWntErWyc7sESVacoLUicM4W51D:hF4ArxCM98CvVaZUPMzr

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 3 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\95e53155e00b9c37b1add3c88e16a0f3.exe
    "C:\Users\Admin\AppData\Local\Temp\95e53155e00b9c37b1add3c88e16a0f3.exe"
    1⤵
    • UAC bypass
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1216
    • C:\ProgramData\wscntfy.exe
      "C:\ProgramData\wscntfy.exe"
      2⤵
      • UAC bypass
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2864
      • C:\Windows\SysWOW64\netsh.exe
        "netsh.exe" firewall add allowedprogram program="C:\ProgramData\wscntfy.exe" name="Windows-Audio Driver" mode=ENABLE scope=ALL profile=ALL
        3⤵
        • Modifies Windows Firewall
        PID:2956
    • C:\Program Files (x86)\Common Files\lsmass.exe
      "C:\Program Files (x86)\Common Files\lsmass.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

5
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\wscntfy.exe
    Filesize

    30KB

    MD5

    95e53155e00b9c37b1add3c88e16a0f3

    SHA1

    c3516fbeca07759176840c9df604501e8ec4b56e

    SHA256

    7e82ee52b7778275e521c319d3aeb9d8040dbf01ba1a692c7bb09769f7be8442

    SHA512

    0d9950407bb02d303fdfc0219128c77c8eb07cae6b744ebb6b8d81b493ac4439d0b69afb23479292cc7a734b8dad9cc8292582ba6c73bc40cd0c262c970dfc0e

    Download Submit

  • memory/1216-0-0x0000000073FF0000-0x000000007459B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1216-1-0x0000000073FF0000-0x000000007459B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1216-2-0x00000000003B0000-0x00000000003F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1216-26-0x0000000073FF0000-0x000000007459B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1996-28-0x0000000073FF0000-0x000000007459B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2864-27-0x0000000000320000-0x0000000000360000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2864-25-0x0000000073FF0000-0x000000007459B000-memory.dmp

    Filesize

    5.7MB

    Download