Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/05/2024, 01:00

General

  • Target

    793ca14e6064a73048791119865d1720fa8e49fca3b2f6d95733d44bb207090d.exe

  • Size

    72KB

  • MD5

    1008ff1afaca953c864383014e893b8b

  • SHA1

    8029ebd735701d47d2985683485ba1ecd95c8466

  • SHA256

    793ca14e6064a73048791119865d1720fa8e49fca3b2f6d95733d44bb207090d

  • SHA512

    6c600d3adeb86e935caeca2dadf408c765f545c912df128d5d2d8edc223578f1d80bb4e8bffee972ec32fe4c4fe9360d9c84b54c682036c0d6b170356a7d1254

  • SSDEEP

    1536:xk8KE3UknVTVpXd4Q2x6H5eCU8hh/Q/0ATiPGQQPWTk:Tp37VTV5d4Q2xpIhhTA5feA

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Sets file execution options in registry 2 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3480
        • C:\Users\Admin\AppData\Local\Temp\793ca14e6064a73048791119865d1720fa8e49fca3b2f6d95733d44bb207090d.exe
          "C:\Users\Admin\AppData\Local\Temp\793ca14e6064a73048791119865d1720fa8e49fca3b2f6d95733d44bb207090d.exe"
          2⤵
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1200
          • C:\Windows\SysWOW64\eapmitoov.exe
            "C:\Windows\SysWOW64\eapmitoov.exe"
            3⤵
            • Windows security bypass
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4376
            • C:\Windows\SysWOW64\eapmitoov.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:4644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\adcoamup-ucur.exe

    Filesize

    72KB

    MD5

    31541de674e377bd3337b074a9ebf1cc

    SHA1

    f860aa972cf27e0b647060670ae38fbd4deef370

    SHA256

    0516db09bd63c311aef2aa6c3f73a047497e9e9397d71d813ee07b23adec1473

    SHA512

    e9dfdf60473012d75296f0f4e22e53ea16f48db8ba18d56bf3ab97a4607771bc9e8cd7a0c11bf93f187cc856e79e4b29d993c4c92f9b48a2dccf258f9add7c50

  • C:\Windows\SysWOW64\eapmitoov.exe

    Filesize

    70KB

    MD5

    2122eda14a9acdc2119416bd50d0d025

    SHA1

    8e313b3068df73c3cb6e6179c509f6a35759dfa2

    SHA256

    f205797e8d32166ecf79b01cc4d4b977bc33e79097fdcb119073cb906d3a2c3c

    SHA512

    4d8229cef4df127f7c37e3e82aeaecb3a6b63cff23f0599b17c819eac357b42f9e41bd004724e5b089c102b6a6eeda94354352759c2dee9c9449f91d395468a3

  • C:\Windows\SysWOW64\egdookag-oucooc.dll

    Filesize

    5KB

    MD5

    f37b21c00fd81bd93c89ce741a88f183

    SHA1

    b2796500597c68e2f5638e1101b46eaf32676c1c

    SHA256

    76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

    SHA512

    252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

  • C:\Windows\SysWOW64\itvemoab-ifeas.exe

    Filesize

    73KB

    MD5

    c170204944fb21bb63d634d9bfe1605f

    SHA1

    8835842b8d3d2652164337fa47d519accb7fc4a1

    SHA256

    a62c64a210bd28cf2c17f6b7cb706c9c687d6d1574db496500d535fc16e85dc6

    SHA512

    6b346973b723ca333edd4e9a982bf4d471d9709037fbc090de65d0bca3dc211c47144cda779de722921e64fd0c2f214bdd1e9821dc44cbbb2a75a1c9b2a2e51c

  • memory/1200-3-0x0000000000400000-0x0000000000403000-memory.dmp

    Filesize

    12KB

  • memory/4376-47-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/4644-48-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB