Analysis

  • max time kernel: 149s
  • max time network: 144s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09/03/2024, 16:21

General

  • Target: bc41ca8b28cefbef19913892893b6fdc.exe
  • Size: 24KB
  • MD5: bc41ca8b28cefbef19913892893b6fdc
  • SHA1: 7873b97f271893da5977b7033e1d1ffca194e682
  • SHA256: dc1a821510bb64fab32a16c29d554fa23f474d2e63ad250d2756a4f4c3a1501e
  • SHA512: 72a12937274234100222afd02f6e31e3de607127fe5850aaa8cfb0fa2253ede0561a46cc5c080ddb6cec99e8009d61438e7fde8040c65be994a0f2f12ef41627
  • SSDEEP: 384:Hw8s6S7GEsv9pWDeAFBis/QhGvsFTM9/7/qI0RSojYE0W:Hw8QGEM8DeA7i+QhGvsFgiI0RS

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc41ca8b28cefbef19913892893b6fdc.exe
    "C:\Users\Admin\AppData\Local\Temp\bc41ca8b28cefbef19913892893b6fdc.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4240
    • C:\Windows\systxm32\svchost.exe
      C:\Windows\systxm32\svchost.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      PID:3532
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 308
        3⤵
        • Program crash
        PID:2644
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Windows\install.inf
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\SysWOW64\runonce.exe
        "C:\Windows\system32\runonce.exe" -r
        3⤵
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:3148
        • C:\Windows\SysWOW64\grpconv.exe
          "C:\Windows\System32\grpconv.exe" -o
          4⤵
            PID:3728
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "" .bat""
      2⤵
      PID:4052
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3532 -ip 3532
    1⤵
    PID:2552
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
    PID:2984
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ .bat
    Filesize: 2KB
    MD5: 397d0c0d2ee36edc74904235108f9660
    SHA1: edf4e335ed9a649f83a76012bd232f285fd843c2
    SHA256: 9303dc9d19cea525ef0aa2b431b2fd642da1d9d64555ebbd7d52c49f7e1c5a02
    SHA512: 5a560ede526be84a15618fab61147b162535195b2caceee78bd9c8100d5ff8f96cf0cbe0ac21db2d42663376ed4849ea3d0a4927065bea8ff97079b87821ccae

  • C:\Windows\install.inf
    Filesize: 2KB
    MD5: 9716ebac351c551a7e64d6f819ffd8b5
    SHA1: 9cdf8d7f0e5bd93138df1e2c920e73c2472d3ae6
    SHA256: 0a36fcbaae3f4af6b4e087b0e1ec5cdf129b7e6c8c6703a5b6c1dc56082cbfec
    SHA512: c3db55880764af3fc9dd8de37af456919ab9f123753c68e4b48cbe410cbbd2d12f05ca241ca41f7b053602c2d01f40e77c5242d90413a3ec134967e023b02faa

  • C:\Windows\systxm32\svchost.exe
    Filesize: 24KB
    MD5: bc41ca8b28cefbef19913892893b6fdc
    SHA1: 7873b97f271893da5977b7033e1d1ffca194e682
    SHA256: dc1a821510bb64fab32a16c29d554fa23f474d2e63ad250d2756a4f4c3a1501e
    SHA512: 72a12937274234100222afd02f6e31e3de607127fe5850aaa8cfb0fa2253ede0561a46cc5c080ddb6cec99e8009d61438e7fde8040c65be994a0f2f12ef41627

  • memory/1572-22-0x0000023067A70000-0x0000023067A80000-memory.dmp
    Filesize: 64KB

  • memory/1572-38-0x0000023067B70000-0x0000023067B80000-memory.dmp
    Filesize: 64KB

  • memory/1572-54-0x000002306FEE0000-0x000002306FEE1000-memory.dmp
    Filesize: 4KB

  • memory/1572-56-0x000002306FF10000-0x000002306FF11000-memory.dmp
    Filesize: 4KB

  • memory/1572-57-0x000002306FF10000-0x000002306FF11000-memory.dmp
    Filesize: 4KB

  • memory/1572-58-0x0000023070020000-0x0000023070021000-memory.dmp
    Filesize: 4KB