Analysis

  • max time kernel
    114s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    10/04/2024, 10:04 UTC

General

  • Target

    29dc4cae5f08c215d57893483b5b42cb00a2d0e7d8361cda9feeaf515f8b5d9e.exe

  • Size

    22KB

  • MD5

    8c8e184c280db126e6fcfcc507aea925

  • SHA1

    aefab35127292cbe0e1d8a1a2fa7c39c9d72f2ea

  • SHA256

    29dc4cae5f08c215d57893483b5b42cb00a2d0e7d8361cda9feeaf515f8b5d9e

  • SHA512

    eef639853fb52b011fb73dfb3af663d1a2bb11e10fe14c6fc4fbae320ee60d74fb452bbe9af4959930e616025ce213e61614147ea5ee5de466b682c42ac312f2

  • SSDEEP

    384:We4xxecfPta20La2aaX3jcMq+jsT3N/a20TPhAPhknomo7ptYcFwVc03K:We4ec/2IT3+howcltYcFwVc6K

Malware Config

Signatures

  • Drokbk

    Drokbk is a custom .NET dropper and backdoor.

  • Drokbk payload 4 IoCs
  • Creates new service(s) 1 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29dc4cae5f08c215d57893483b5b42cb00a2d0e7d8361cda9feeaf515f8b5d9e.exe
    "C:\Users\Admin\AppData\Local\Temp\29dc4cae5f08c215d57893483b5b42cb00a2d0e7d8361cda9feeaf515f8b5d9e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" create "SessionManagerService" binpath= "c:\programdata\SoftwareDistribution\SessionService.exe" start= delayed-auto
      2⤵
      • Launches sc.exe
      PID:3604
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config "SessionManagerService" DisplayName= "Session Manager Service"
      2⤵
      • Launches sc.exe
      PID:400
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" description "SessionManagerService" "Provides Kernel Compatibility With User Session-Management Service."
      2⤵
      • Launches sc.exe
      PID:2964
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" start "SessionManagerService"
      2⤵
      • Launches sc.exe
      PID:5008
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:5096
    • \??\c:\programdata\SoftwareDistribution\SessionService.exe
      c:\programdata\SoftwareDistribution\SessionService.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:3288
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3760 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4048

      Network

      • flag-us
        DNS
        13.86.106.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        13.86.106.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        79.121.231.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        79.121.231.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        1.181.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        1.181.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        217.106.137.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        217.106.137.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        103.169.127.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        103.169.127.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        171.39.242.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        171.39.242.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        81.40.53.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        81.40.53.23.in-addr.arpa
        IN PTR
        Response
        81.40.53.23.in-addr.arpa
        IN PTR
        a23-53-40-81.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        209.205.72.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        209.205.72.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        240.221.184.93.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        240.221.184.93.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        api.github.com
        SessionService.exe
        Remote address:
        8.8.8.8:53
        Request
        api.github.com
        IN A
        Response
        api.github.com
        IN A
        20.26.156.210
      • flag-gb
        GET
        https://api.github.com/search/repositories?q=mainrepositorytogeta
        SessionService.exe
        Remote address:
        20.26.156.210:443
        Request
        GET /search/repositories?q=mainrepositorytogeta HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
        Host: api.github.com
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Server: GitHub.com
        Date: Wed, 10 Apr 2024 10:05:59 GMT
        Content-Type: application/json; charset=utf-8
        Cache-Control: no-cache
        Vary: Accept, Accept-Encoding, Accept, X-Requested-With
        X-GitHub-Media-Type: github.v3; format=json
        x-github-api-version-selected: 2022-11-28
        Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset
        Access-Control-Allow-Origin: *
        Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
        X-Frame-Options: deny
        X-Content-Type-Options: nosniff
        X-XSS-Protection: 0
        Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
        Content-Security-Policy: default-src 'none'
        X-RateLimit-Limit: 10
        X-RateLimit-Remaining: 8
        X-RateLimit-Reset: 1712743583
        X-RateLimit-Resource: search
        X-RateLimit-Used: 2
        Accept-Ranges: bytes
        Content-Length: 73
        X-GitHub-Request-Id: C2C0:32812:FA995C:1001CA8:66166487
      • flag-us
        DNS
        210.156.26.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        210.156.26.20.in-addr.arpa
        IN PTR
        Response
      • 13.107.246.64:443
        46 B
        40 B
        1
        1
      • 20.26.156.210:443
        https://api.github.com/search/repositories?q=mainrepositorytogeta
        tls, http
        SessionService.exe
        898 B
        5.0kB
        9
        9

        HTTP Request

        GET https://api.github.com/search/repositories?q=mainrepositorytogeta

        HTTP Response

        200
      • 8.8.8.8:53
        13.86.106.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        13.86.106.20.in-addr.arpa

      • 8.8.8.8:53
        79.121.231.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        79.121.231.20.in-addr.arpa

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        1.181.190.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        1.181.190.20.in-addr.arpa

      • 8.8.8.8:53
        217.106.137.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        217.106.137.52.in-addr.arpa

      • 8.8.8.8:53
        103.169.127.40.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        103.169.127.40.in-addr.arpa

      • 8.8.8.8:53
        171.39.242.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        171.39.242.20.in-addr.arpa

      • 8.8.8.8:53
        81.40.53.23.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        81.40.53.23.in-addr.arpa

      • 8.8.8.8:53
        209.205.72.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        209.205.72.20.in-addr.arpa

      • 8.8.8.8:53
        240.221.184.93.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        240.221.184.93.in-addr.arpa

      • 8.8.8.8:53
        api.github.com
        dns
        SessionService.exe
        60 B
        76 B
        1
        1

        DNS Request

        api.github.com

        DNS Response

        20.26.156.210

      • 8.8.8.8:53
        210.156.26.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        210.156.26.20.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Public\pla

        Filesize

        11KB

        MD5

        14a0e5665a95714ff4951bd35eb73606

        SHA1

        0426f65ea5bcff9e0dc48e236bbec293380ccc43

        SHA256

        a8e18a84898f46cd88813838f5e69f05240c4853af2aee5917dcee3a3e2a5d5a

        SHA512

        fe44d9ae670eac4a39567c4ae8deee6f4205d4908c4f78d822e3bb586c0183de7d6efe4b45f14b92da77fc6c24f426a6af14a3280fd5d4a7faa34123e59a4720

      • memory/2400-0-0x00000278E6390000-0x00000278E639C000-memory.dmp

        Filesize

        48KB

      • memory/2400-2-0x00007FF858AA0000-0x00007FF859561000-memory.dmp

        Filesize

        10.8MB

      • memory/2400-3-0x00000278E8210000-0x00000278E8220000-memory.dmp

        Filesize

        64KB

      • memory/2400-4-0x00007FF858AA0000-0x00007FF859561000-memory.dmp

        Filesize

        10.8MB

      • memory/3288-13-0x00000000001B0000-0x00000000001BA000-memory.dmp

        Filesize

        40KB

      • memory/3288-12-0x0000000074960000-0x0000000075110000-memory.dmp

        Filesize

        7.7MB

      • memory/3288-14-0x00000000037B0000-0x00000000037D2000-memory.dmp

        Filesize

        136KB

      • memory/3288-15-0x0000000003970000-0x0000000003980000-memory.dmp

        Filesize

        64KB

      • memory/3288-17-0x0000000074960000-0x0000000075110000-memory.dmp

        Filesize

        7.7MB

      • memory/3288-18-0x0000000003970000-0x0000000003980000-memory.dmp

        Filesize

        64KB
