Analysis
- max time kernel: 25s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/05/2024, 09:38
Static task: static1
Behavioral task: behavioral1
- Sample: eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
- Resource: win10v2004-20240508-en
General
- Target: eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
- Size: 2.2MB
- MD5: d8d929c28e990ee53f77560cc5d2e899
- SHA1: 57e04b4a3daeb8ecb80dd309f97630fcc5f5e6bc
- SHA256: eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb
- SHA512: ffc386a78267dff5df469a7ee095651dbafbc9dd032b89653ac94f9bb17c00cc29e6bc8d970dd16f04fa94ce1f030db54e85961679777da075e6e36f27a9a5d7
- SSDEEP: 49152:WbV+QCbRquA/m2yL5zbfFiV+XenmE3/z2:WbV+5oq2VjnmV
Malware Config
Signatures
- UPX dump on OEP (original entry point) (9 IoCs)
  resource | yara_rule
  behavioral2/memory/116-0-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral2/files/0x0006000000023278-8.dat | UPX
  behavioral2/memory/2472-12-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral2/memory/116-10-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral2/memory/2184-6-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral2/files/0x00080000000233da-17.dat | UPX
  behavioral2/memory/2472-24-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral2/memory/4092-20-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral2/memory/2184-25-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
- Executes dropped EXE (4 IoCs)
  pid | Process
  2184 | MSWDM.EXE
  2472 | MSWDM.EXE
  468 | EAC781CFD613B3D0CFAD7E35123C525DCC73B07BB718DF196A2F44CDF94997FB.EXE
  4092 | MSWDM.EXE
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\WINDOWS\MSWDM.EXE | eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
  File opened for modification | C:\Windows\dev5803.tmp | eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
  File opened for modification | C:\Windows\dev5803.tmp | MSWDM.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2472 | MSWDM.EXE
  2472 | MSWDM.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 116 wrote to memory of 2184 | 116 | eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe | 83
  PID 116 wrote to memory of 2184 | 116 | eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe | 83
  PID 116 wrote to memory of 2184 | 116 | eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe | 83
  PID 116 wrote to memory of 2472 | 116 | eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe | 84
  PID 116 wrote to memory of 2472 | 116 | eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe | 84
  PID 116 wrote to memory of 2472 | 116 | eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe | 84
  PID 2472 wrote to memory of 468 | 2472 | MSWDM.EXE | 85
  PID 2472 wrote to memory of 468 | 2472 | MSWDM.EXE | 85
  PID 2472 wrote to memory of 4092 | 2472 | MSWDM.EXE | 92
  PID 2472 wrote to memory of 4092 | 2472 | MSWDM.EXE | 92
  PID 2472 wrote to memory of 4092 | 2472 | MSWDM.EXE | 92
Processes
- PID 116: C:\Users\Admin\AppData\Local\Temp\eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe"
  Signatures:
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  Child processes:
  - PID 2184: C:\WINDOWS\MSWDM.EXE
    Command line: "C:\WINDOWS\MSWDM.EXE"
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
  - PID 2472: C:\WINDOWS\MSWDM.EXE
    Command line: -r!C:\Windows\dev5803.tmp!C:\Users\Admin\AppData\Local\Temp\eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe! !
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Child processes:
    - PID 468: C:\Users\Admin\AppData\Local\Temp\EAC781CFD613B3D0CFAD7E35123C525DCC73B07BB718DF196A2F44CDF94997FB.EXE
      Signatures:
      - Executes dropped EXE
    - PID 4092: C:\WINDOWS\MSWDM.EXE
      Command line: -e!C:\Windows\dev5803.tmp!C:\Users\Admin\AppData\Local\Temp\EAC781CFD613B3D0CFAD7E35123C525DCC73B07BB718DF196A2F44CDF94997FB.EXE!
      Signatures:
      - Executes dropped EXE
      - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\EAC781CFD613B3D0CFAD7E35123C525DCC73B07BB718DF196A2F44CDF94997FB.EXE
  Filesize: 2.2MB
  MD5: 84bb42a11018cdc8b5e027c93271f8e1
  SHA1: 7d9ceaaf2d811cbf0e92d34230efe9f1d8f7cf65
  SHA256: d8237da9f6b9c81c88b45249269eae38c1547e5fe0ec199c93a486c246794137
  SHA512: 4bb7eb1db932ef59302218585fc69c65d714e936fdf62097eb6f064f2c8da0295e9f097ebfdf84fa9b7cfd2e69900faed8074b0c137102899427445c47210ce3
- Filesize: 80KB
  MD5: 501f727fd29030d1af7937cf02748bf1
  SHA1: db54ea740e13b5b7c5eae0c46ba35ee24bb63f26
  SHA256: 8a2d9932962112f5140a01e9bd386ea41a62fd198ee15bab09441d230a2d505f
  SHA512: 32bc9f567399b102e5230a4c4b2e4e1fe3fdb8273effb385119092d6e9961b47918336b69dfb725c9bc6e7ad2bdfdd4fc9e9492351be696bc43a721fb750de0e
- Filesize: 2.1MB
  MD5: b8d69fa2755c3ab1f12f8866a8e2a4f7
  SHA1: 8e3cdfb20e158c2906323ba0094a18c7dd2aaf2d
  SHA256: 7e0976036431640ae1d9f1c0b52bcea5dd37ef86cd3f5304dc8a96459d9483cd
  SHA512: 5acac46068b331216978500f67a7fa5257bc5b05133fab6d88280b670ae4885ef2d5d1f531169b66bf1952e082f56b1ad2bc3901479b740f96c53ea405adda18