Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Client.exe

windows10-1703-x64

Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    178s
  • max time network
    180s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09/05/2024, 14:56

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    810KB

  • MD5

    7416c42376748e343b61dbc60060cb16

  • SHA1

    9201b783cfb62f0cd0339dac282ad20d8ab80abb

  • SHA256

    00950af31769cedb6810c25600d5dd9f63aada87f865c639bf8dd3e4e44c36e0

  • SHA512

    7c5f0ecb6839519de481e9614dfa59e2b2bc625947697f3dca17be670d428419d6f64ff15db2a36d1663c092e01a5a2950a24fc3761622b713486c3e0bb11592

  • SSDEEP

    12288:kRZses+4ck4ppR4LrG3O4rx67/GkTS8O6:UNp4cZKrGtkT

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Disables Task Manager via registry modification
    evasion
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1416
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:4680
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0 /state0:0xa3aec055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:2968

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Desktop\MergeUninstall.cfg - Shortcut.lnk
      Filesize

      546B

      MD5

      9836c433b0157a880e33ac5f2d4dabcd

      SHA1

      3ef9605bd8e7c0720b0a66a60ddb2adc4fb3d1cc

      SHA256

      3603c03d655c6f25f971e01c04869c52eb2502dbc654e247aae97eb1ac47181c

      SHA512

      59d8423a9ec6cd49aa8ae505712839bce17a5fe4ab02ee995cc036e4e58436aa98eb86b3b0125671154b3a56a18bacff8cb5218b63ff0d03843afb430a595f12

      Download Submit

    • memory/1416-33-0x000000001B730000-0x000000001B7A6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1416-129-0x00007FFB35280000-0x00007FFB35C6C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1416-0-0x00007FFB35283000-0x00007FFB35284000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1416-34-0x0000000000B00000-0x0000000000B0C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1416-35-0x00000000025B0000-0x00000000025CE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1416-62-0x000000001C580000-0x000000001C6C6000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1416-63-0x00007FFB35283000-0x00007FFB35284000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1416-32-0x00007FFB35280000-0x00007FFB35C6C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1416-1-0x0000000000340000-0x0000000000410000-memory.dmp

      Filesize

      832KB

      Download

    • memory/1416-290-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1416-347-0x00007FFB35280000-0x00007FFB35C6C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1416-452-0x00007FFB35280000-0x00007FFB35C6C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1416-635-0x0000000000010000-0x0000000000022000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1416-701-0x00007FFB35280000-0x00007FFB35C6C000-memory.dmp

      Filesize

      9.9MB

      Download