
Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/03/2024, 12:15 UTC

General

  • Target

    b7610b29b6fc96eddab572de747c98c8.exe

  • Size

    60KB

  • MD5

    b7610b29b6fc96eddab572de747c98c8

  • SHA1

    327aca62c2d66dfe51f0c74005ae3dc7d4d8daf9

  • SHA256

    3bd5e935b3a87f5a0b0f9e109b679c18a3735f3b9cbc6bd04bc542c4825614b8

  • SHA512

    8ad806c24a411ed7783c73250b20aef73843eea765822f35ff1f5692e36dff9351b157cf38474bf83ebfe0391deb9e393d9adf5b78c4dff3744b67d05fbf8d1c

  • SSDEEP

    1536:uNRQcTTxRNwicE6GT0aXHTDA9Rb8CzWj1o4z:YQcVwgT0a3AXbvWj1o4

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Kills process with taskkill 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7610b29b6fc96eddab572de747c98c8.exe
    "C:\Users\Admin\AppData\Local\Temp\b7610b29b6fc96eddab572de747c98c8.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im rfwmain.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im rfwmain.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im rfwsrv.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im rfwsrv.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2584
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im rfwstub.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im rfwstub.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2556
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im rfwproxy.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im rfwproxy.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2560
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B7610B~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2188
  • C:\Windows\SysWOW64\sript.exe
    C:\Windows\SysWOW64\sript.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im rfwmain.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im rfwmain.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2460
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im rfwsrv.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im rfwsrv.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2896
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im rfwstub.exe
      2⤵
      PID:2632
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im rfwstub.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im rfwproxy.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im rfwproxy.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2336

Network

  • DNS
    Domain: yxjz.3322.org
    Process: sript.exe
    Remote address: 8.8.8.8:53
    Request: yxjz.3322.org IN A
    Response:
  • DNS
    Domain: yxjz.3322.org
    Process: sript.exe
    Remote address: 8.8.8.8:53
    Request: yxjz.3322.org IN A
  • Remote address: 8.8.8.8:53
    Domain: yxjz.3322.org
    Protocol: dns
    Process: sript.exe
    Bytes sent: 118 B
    Bytes received: 123 B
    Packets sent: 2
    Packets received: 1
    • DNS Request: yxjz.3322.org
    • DNS Request: yxjz.3322.org

MITRE ATT&CK Matrix


Downloads

  • C:\Windows\SysWOW64\sript.exe

    Filesize

    60KB

    MD5

    b7610b29b6fc96eddab572de747c98c8

    SHA1

    327aca62c2d66dfe51f0c74005ae3dc7d4d8daf9

    SHA256

    3bd5e935b3a87f5a0b0f9e109b679c18a3735f3b9cbc6bd04bc542c4825614b8

    SHA512

    8ad806c24a411ed7783c73250b20aef73843eea765822f35ff1f5692e36dff9351b157cf38474bf83ebfe0391deb9e393d9adf5b78c4dff3744b67d05fbf8d1c
