Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/04/2024, 12:37

General

  • Target

    EPOKA V2.exe

  • Size

    349KB

  • MD5

    d046c7c32423489927bc7ecbc1864ef0

  • SHA1

    6425baebaaa91f3557e7ee19d278ee09a5643e42

  • SHA256

    66782c5ef8178fbc10751a66741548ce7ae9e6e35f1dcb3e7418f1fe04aee636

  • SHA512

    1483f647ab93ee3b82b7e57699ea2a1d14e56eafe7c6529c9860b4cb88d12f54162980a3b897b11d170c45c04814d9cf76e6d9ef8485e0922ddd7c3980d788fa

  • SSDEEP

    3072:zq6+ouCpk2mpcWJ0r+QNTBfjiRsOyXkrKzgrKzBhnQ0rrzUde6Id6x:zldk1cWQRNTBbB4x

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 64 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 52 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Modifies termsrv.dll 1 TTPs 1 IoCs

    Commonly used to allow simultaneous RDP sessions.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EPOKA V2.exe
    "C:\Users\Admin\AppData\Local\Temp\EPOKA V2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\12C6.tmp\12C7.tmp\12C8.bat "C:\Users\Admin\AppData\Local\Temp\EPOKA V2.exe""
      2⤵
      • Drops file in Drivers directory
      • Manipulates Digital Signatures
      • Drops desktop.ini file(s)
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Modifies termsrv.dll
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\system32\reg.exe
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
        3⤵
        PID:2148
      • C:\Windows\system32\reg.exe
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        PID:2256
      • C:\Windows\system32\reg.exe
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
        3⤵
        PID:2340
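The three reg.exe invocations in the process tree are the concrete IoCs behind the "Modifies Windows Defender Real-time Protection settings" and "Disables Task Manager via registry modification" signatures. The following Python is an added example, not part of the tria.ge report: it parses REG ADD command lines (as seen in process-creation telemetry) into hive, key, value name, type and data, and flags the ones that write 1 to a known Defender or Task Manager policy value. The sample command lines are the three from this report plus one constructed benign invocation; the hit labels and the ATT&CK T1562.001 mapping are the example's own choices, not tria.ge's signature names.

```python
"""Flag reg.exe command lines that disable Defender or Task Manager via policy keys.

Added example: parses 'reg add' invocations like the three in the process tree
and matches the (key, value) pair against a small list of tamper rules.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the three reg.exe command lines from the report's
# process tree, plus one benign REG ADD to show the detector does not fire on it.
SAMPLE_COMMAND_LINES = [
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f',
    r'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f',
    r'reg add HKCU\Software\ExampleVendor\ExampleApp /v InstallDir /t REG_SZ /d C:\ExampleApp /f',  # benign, constructed
]

# Long hive names as reg.exe accepts them, normalised to the short form.
HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_USERS": "HKU", "HKEY_CURRENT_CONFIG": "HKCC",
}

# (normalised key, value name) -> (label, ATT&CK technique). Labels and the
# technique mapping are this example's own choices, not tria.ge's signature names.
TAMPER_RULES = {
    (r"hklm\software\policies\microsoft\windows defender", "disableantispyware"):
        ("Disables Windows Defender via policy key", "T1562.001"),
    (r"hklm\software\policies\microsoft\windows defender\real-time protection", "disablerealtimemonitoring"):
        ("Disables Windows Defender real-time monitoring", "T1562.001"),
    (r"hkcu\software\microsoft\windows\currentversion\policies\system", "disabletaskmgr"):
        ("Disables Task Manager via policy key", "T1562.001"),
}

# Either a double-quoted run (quotes stripped) or a bare whitespace-free token.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass(frozen=True)
class RegAdd:
    key: str                   # e.g. HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
    value: Optional[str]       # /v
    type: Optional[str]        # /t
    data: Optional[str]        # /d
    force: bool                # /f present (overwrite without prompting)


def tokenize(cmd: str) -> list:
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def parse_reg_add(cmd: str) -> Optional[RegAdd]:
    """Return a RegAdd for 'reg add ...' command lines, None for anything else."""
    tokens = tokenize(cmd)
    if len(tokens) < 3:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()      # accept a full path to reg.exe
    if exe not in ("reg", "reg.exe") or tokens[1].lower() != "add":
        return None
    hive, _, subkey = tokens[2].partition("\\")
    key = HIVE_ALIASES.get(hive.upper(), hive.upper()) + ("\\" + subkey if subkey else "")
    opts, force, i = {}, False, 3
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag == "/f":
            force, i = True, i + 1
        elif flag in ("/v", "/t", "/d") and i + 1 < len(tokens):
            opts[flag] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return RegAdd(key, opts.get("/v"), opts.get("/t"), opts.get("/d"), force)


def _is_one(data: Optional[str]) -> bool:
    """True for '1' or '0x1'; a write of 0 re-enables the feature and is not flagged."""
    try:
        return int(data or "", 0) == 1
    except ValueError:
        return False


def classify(cmd: str) -> Optional[dict]:
    """Match one command line against TAMPER_RULES; return a hit dict or None."""
    r = parse_reg_add(cmd)
    if r is None or r.value is None or not _is_one(r.data):
        return None
    rule = TAMPER_RULES.get((r.key.lower(), r.value.lower()))
    if rule is None:
        return None
    label, technique = rule
    return {"label": label, "technique": technique, "key": r.key,
            "value": r.value, "type": r.type, "force": r.force}


def scan(command_lines) -> list:
    return [hit for hit in map(classify, command_lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMAND_LINES):
        print(f"[{hit['technique']}] {hit['label']}: {hit['key']}\\{hit['value']} ({hit['type']})")
```

The matcher keys on the normalised hive plus path and on the value name, so it fires whether the batch file spells the hive HKEY_LOCAL_MACHINE or HKLM, quotes the key or not, or calls reg.exe by full path; it deliberately ignores writes of 0 so that a remediation script setting these values back does not trip it. The third command line in this report writes DisableTaskMgr as REG_SZ rather than the usual REG_DWORD, which is why the hit carries the type alongside the value name.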

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\12C6.tmp\12C7.tmp\12C8.bat

    Filesize

    9KB

    MD5

    8830a94d4cfbf251014b4d1c38212b56

    SHA1

    e46df32ae98f041018f962c8cc0dac04b8e79193

    SHA256

    99effffdb9f285215daab136e7348b8dbd5e6bfa1082b05a155e50dc375920b8

    SHA512

    8e8e36d0b47f80b00016f2199ab7a9df8b37e5e0f0579d3b8485a3954c2641813e18e4a2a74c7a32e1152a8dcf7fb4d28f5c6120dcf7b55c483f20e486bd9c92