Analysis

  • max time kernel
    28s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    09/05/2024, 03:53

General

  • Target

    c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe

  • Size

    927KB

  • MD5

    58425a8ca9e369e82233314c75ef0139

  • SHA1

    bcb05f59c03514b0588e5da22e8fc45640bc1501

  • SHA256

    c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279

  • SHA512

    065e1553a279238ef0d4d9bcec451b4d84eb4db9f986460e318c3932b2b586ca61a3736d3062b99c86fb402ebb45b95f265e6efc26bfb2240ced54f522850f3e

  • SSDEEP

    24576:WbN+yZe0p4Ek4niOkl/A04szE87JKTvmZ:WbN+ieW4SkZP4sz9Mba

Score
9/10

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 6 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe
    "C:\Users\Admin\AppData\Local\Temp\c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1136
    • C:\WINDOWS\MSWDM.EXE
      "C:\WINDOWS\MSWDM.EXE"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:1468
    • C:\WINDOWS\MSWDM.EXE
      -r!C:\Windows\dev4873.tmp!C:\Users\Admin\AppData\Local\Temp\c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe! !
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4988
      • C:\Users\Admin\AppData\Local\Temp\C8C90743193EE35AC7C7379AA6DCFE20282150840BF3868D9EBD02B03E80F279.EXE
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3376
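The process tree above shows the submitted sample dropping C:\WINDOWS\MSWDM.EXE, MSWDM.EXE re-running itself with a `!`-delimited argument that names C:\Windows\dev4873.tmp and the original path, and then a copy at the original path (uppercased) being executed. The sizes in the Downloads section add up: 80KB (MSWDM.EXE) + 847KB (dev4873.tmp) = 927KB (submission). A consistent reading is that the submission is the MSWDM.EXE stub with a host file appended, which the stub carves out to the .tmp and re-launches; this is an inference from the sizes and command line, not something the report states. The Python below is an added example (not tria.ge output and not the sample's own code) that encodes that check: it parses the `-r!<tmp>!<original>! !` argument (field meanings assumed), confirms the size arithmetic, and locates the split offset at which the prefix and suffix of a file hash to the two dropped artifacts. The stand-in bytes are constructed so it runs offline; `check_real_sample` runs the same scan against the real file if you have it.

```python
"""Added example (not tria.ge output): test the hypothesis that the 927KB
submission is the 80KB C:\\WINDOWS\\MSWDM.EXE stub with an 847KB host file
appended, which the stub carves out as C:\\Windows\\dev4873.tmp and then
re-launches from the original path (the "-r!tmp!original! !" command line)."""
import hashlib

# Hashes copied from the Downloads / General sections of this report.
MSWDM_SHA256 = "58fe341cf6d3034c6b660f49e9619d7c9a189f1eca079e1aac0daf062d322fba"
DEV_TMP_SHA256 = "e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316"
SAMPLE_SHA256 = "c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279"

# Sizes as tria.ge reports them (rounded to whole KB).
SAMPLE_KB, STUB_KB, HOST_KB = 927, 80, 847


def sizes_add_up(sample_kb=SAMPLE_KB, stub_kb=STUB_KB, host_kb=HOST_KB):
    """Stub plus carved host equals the submission if it is a plain concatenation."""
    return stub_kb + host_kb == sample_kb


def parse_mswdm_args(cmdline):
    """Split MSWDM.EXE's '!'-delimited argument as seen in the process tree.

    Field meanings (flag, carved host path, original path) are an assumption
    drawn from the tree, not documented behaviour of the binary."""
    fields = cmdline.split("!")
    if len(fields) < 3 or fields[0] != "-r":
        raise ValueError("not the expected -r!<tmp>!<original>! ! form")
    return {"flag": fields[0], "host_path": fields[1], "original_path": fields[2],
            "rest": [f for f in fields[3:] if f.strip()]}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def find_split(sample, stub_sha256, host_sha256, lo, hi):
    """Return the offset in [lo, hi) where sample[:off] hashes to the stub and
    sample[off:] hashes to the host, or None. Scanning a narrow window around
    the reported stub size keeps this cheap (tria.ge rounds sizes to whole KB)."""
    for off in range(lo, min(hi, len(sample))):
        if sha256(sample[:off]) == stub_sha256 and sha256(sample[off:]) == host_sha256:
            return off
    return None


def check_real_sample(path):
    """Run find_split against the real submission (window: 80KB +/- 1KB)."""
    with open(path, "rb") as f:
        data = f.read()
    if sha256(data) != SAMPLE_SHA256:
        raise ValueError("not the sample from this report")
    return find_split(data, MSWDM_SHA256, DEV_TMP_SHA256, 79 * 1024, 81 * 1024 + 1)


# Constructed stand-in data so the carving logic can be exercised offline.
FAKE_STUB = b"MZ" + bytes(range(256)) * 4   # 1026-byte "stub"
FAKE_HOST = b"MZ" + b"\x90" * 2000          # 2002-byte "host"
FAKE_SAMPLE = FAKE_STUB + FAKE_HOST


def demo():
    """Offline demonstration on the constructed bytes and the page's command line."""
    off = find_split(FAKE_SAMPLE, sha256(FAKE_STUB), sha256(FAKE_HOST), 1000, 1100)
    args = parse_mswdm_args(
        "-r!C:\\Windows\\dev4873.tmp!"
        "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
        "c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe! !")
    return off, args


if __name__ == "__main__":
    print(sizes_add_up(), demo())
```

If `check_real_sample` returns an offset, the stub and host hashes reported here are enough to recover the original host file from any infected copy without running it; if it returns None, the concatenation hypothesis is wrong (for instance a header patched in place) and the carving must be reverse-engineered from MSWDM.EXE itself.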

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\WINDOWS\MSWDM.EXE

    Filesize

    80KB

    MD5

    f953eee07963c184dd80c54fe6d036a5

    SHA1

    c09ef25a25722b434f31e2e4ae9a53a77abfdb66

    SHA256

    58fe341cf6d3034c6b660f49e9619d7c9a189f1eca079e1aac0daf062d322fba

    SHA512

    4fb4d94008673a649f59e2e1971840d066f31808490ae8939f8d0c87995b39494a513c14ea3d8ed1966b13a268b80d923103bda27ff6c1dc64be938f1437fb95

  • C:\Windows\dev4873.tmp

    Filesize

    847KB

    MD5

    c8f40f25f783a52262bdaedeb5555427

    SHA1

    e45e198607c8d7398745baa71780e3e7a2f6deca

    SHA256

    e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316

    SHA512

    f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

  • memory/1136-0-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/1136-10-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/1468-11-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/1468-16-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4988-12-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB
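Every memory dump listed above covers 0x400000-0x41B000, and 0x41B000 - 0x400000 = 0x1B000 = 110592 bytes, which is the 108KB shown. The same range appears for the original submission (PID 1136) and for both MSWDM.EXE processes (1468, 4988), which fits the "UPX dump on OEP" signature: each process unpacks the same 108KB image at the same base, so the code that runs in the 927KB submission looks like the same stub that was dropped as MSWDM.EXE. That is an inference from the artifact names, not a statement in the report. The Python below is an added example (not tria.ge output) that parses the dump names, recomputes the size, and groups PIDs by dumped region; treating the second number in the name as a dump sequence counter is an assumption.

```python
"""Added example (not tria.ge output): derive the 108KB figure for each
memory dump from its artifact name and check that the dumps from all three
PIDs cover the same virtual address range."""
import re

# Artifact names copied from the Downloads section of this report.
DUMPS = [
    "memory/1136-0-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/1136-10-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/1468-11-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/1468-16-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/4988-12-0x0000000000400000-0x000000000041B000-memory.dmp",
]

# <pid>-<seq>-<start>-<end>; reading the second field as a dump sequence
# counter is an assumption, the page does not document the naming scheme.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Break a dump artifact name into pid, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {"pid": int(m.group("pid")), "seq": int(m.group("seq")),
            "start": int(m.group("start"), 16), "end": int(m.group("end"), 16)}


def region_size_kb(name):
    """Size of the dumped range in whole KB, the way tria.ge reports it."""
    d = parse_dump_name(name)
    return (d["end"] - d["start"]) // 1024


def pids_by_region(names):
    """Map each (start, end) range to the sorted list of PIDs it was dumped from;
    one key shared by every PID means the same image was unpacked in each."""
    out = {}
    for n in names:
        d = parse_dump_name(n)
        out.setdefault((d["start"], d["end"]), set()).add(d["pid"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for n in DUMPS:
        print(n, region_size_kb(n), "KB")
    print(pids_by_region(DUMPS))
```

A dump whose range differs from the others, or a process whose dump is missing, is where to look for a second-stage payload that does not share the stub's image; here there is none, which is consistent with the three-process chain being the same 80KB code run three times.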