Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

64137976fd...67.exe

windows7-x64

1

64137976fd...67.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/06/2024, 06:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64137976fd7a0587476bb93f8c205350cbee593891825a7fe7fad54cca199c67.exe

  • Size

    4.6MB

  • MD5

    ec1939f3de05014dddbc18280a98581c

  • SHA1

    8cdeb9f3ff1b3f0bc28b3deff97cbe412e26ef28

  • SHA256

    64137976fd7a0587476bb93f8c205350cbee593891825a7fe7fad54cca199c67

  • SHA512

    165e299767bf2d4df05c0e96623b60aa04aecb462b64bfa1d63ef498d7d94058483a0702dcee64231136cd60af05ff8ba8399c7ea557fcd03e3ae795ee4b3b87

  • SSDEEP

    49152:Z4xxfC4DTrb/TAvO90dL3BmAFd4A64nsfJJqUgZcJYlxOEZmbcofFM+/O5JMEgAs:Z4muqUpYOcqrLhDer4Ek

Score
8/10
discoveryevasionexecution

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 6 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 1 IoCs
    evasion
  • Runs net.exe
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64137976fd7a0587476bb93f8c205350cbee593891825a7fe7fad54cca199c67.exe
    "C:\Users\Admin\AppData\Local\Temp\64137976fd7a0587476bb93f8c205350cbee593891825a7fe7fad54cca199c67.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3924
    • C:\Windows\Temp\winagent-v2.0.4.exe
      C:\Windows\Temp\winagent-v2.0.4.exe /VERYSILENT /SUPPRESSMSGBOXES
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Users\Admin\AppData\Local\Temp\is-G0CIA.tmp\winagent-v2.0.4.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-G0CIA.tmp\winagent-v2.0.4.tmp" /SL5="$10003E,3350095,824832,C:\Windows\Temp\winagent-v2.0.4.exe" /VERYSILENT /SUPPRESSMSGBOXES
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4184
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5032
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 2
            5⤵
            • Runs ping.exe
            PID:2796
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalrpc
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3920
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalrpc
              6⤵
                PID:1680
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c net stop tacticalagent
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4972
            • C:\Windows\SysWOW64\net.exe
              net stop tacticalagent
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3060
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop tacticalagent
                6⤵
                  PID:3124
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2964
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1 -n 2
                5⤵
                • Runs ping.exe
                PID:1440
              • C:\Windows\SysWOW64\net.exe
                net stop tacticalrmm
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:4088
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop tacticalrmm
                  6⤵
                    PID:624
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4832
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /F /IM tacticalrmm.exe
                  5⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:220
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c sc delete tacticalagent
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1076
                • C:\Windows\SysWOW64\sc.exe
                  sc delete tacticalagent
                  5⤵
                  • Launches sc.exe
                  PID:2064
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c sc delete tacticalrpc
                4⤵
                  PID:3568
                  • C:\Windows\SysWOW64\sc.exe
                    sc delete tacticalrpc
                    5⤵
                    • Launches sc.exe
                    PID:4564
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /c tacticalrmm.exe -m installsvc
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:716
                  • C:\Program Files\TacticalAgent\tacticalrmm.exe
                    tacticalrmm.exe -m installsvc
                    5⤵
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4436
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /c net start tacticalrmm
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4156
                  • C:\Windows\SysWOW64\net.exe
                    net start tacticalrmm
                    5⤵
                      PID:2660
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 start tacticalrmm
                        6⤵
                          PID:2056
                • C:\Program Files\TacticalAgent\tacticalrmm.exe
                  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.301it.com --client-id 1 --site-id 21 --agent-type workstation --auth 465d3e96d0c308ab31f34f697459ac1ce3696f3c08e7de2b426f3f254b92f7e6
                  2⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1168

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Program Files\TacticalAgent\tacticalrmm.exe
                Filesize

                8.6MB

                MD5

                187cfd0d9ad9c89d317b7a716433d306

                SHA1

                3d8a2d356731410d9a308e125cbe004ff8c3e384

                SHA256

                be7a2eb64ebd6d5a54d296d3413c4a63bda2e45d8d82da4bf6003cc33b766296

                SHA512

                ccdd6a20486d4a81b05dd53fbb3c3572675674f17fa876a90fdc44e55d9374c3ed7704673621220dc787518dfea5b73bb587ae5a7ae82ab2dbb566a696e7cccb

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\is-G0CIA.tmp\winagent-v2.0.4.tmp
                Filesize

                3.0MB

                MD5

                cb1100af96fe6702f3aa30176feda149

                SHA1

                6e529982c6913f08d2e1dc1fd99ecdc1aa68e558

                SHA256

                e309b3f880871513b2b23b8fee86721f4d00af7a0fe7ea8bfd0aaa1d8ab53245

                SHA512

                0f2c845e0280a67f34b6bee748e9ec251d6a3777ad4d9e4b84957592004676d0e52529b387d55e0497f6a02d7942e18fc8689dc52a95d5f2f1b762b6473457cf

                Download Submit

              • C:\Windows\Temp\winagent-v2.0.4.exe
                Filesize

                4.0MB

                MD5

                12a13fa48c474c8bcae0ab20df02744a

                SHA1

                602befd718736d2b02f2e3654d6ce297dd9814a5

                SHA256

                39ed9811666ea44961ebc3c63fc5751a95722fb860963ba6c91b5664a3cd6bd2

                SHA512

                5eccfd8fbc8855fd9cbb887c9bb2f301c9779a3007e9c538bd0e1c09eea52cdafb470e0eedbc158cc29390b0b3a98503adc67545b492310b2a78514e91a26374

                Download Submit

              • memory/1728-8-0x0000000000401000-0x00000000004B7000-memory.dmp

                Filesize

                728KB

                Download

              • memory/1728-5-0x0000000000400000-0x00000000004D7000-memory.dmp

                Filesize

                860KB

                Download

              • memory/1728-27-0x0000000000400000-0x00000000004D7000-memory.dmp

                Filesize

                860KB

                Download

              • memory/4184-12-0x0000000000400000-0x0000000000710000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/4184-26-0x0000000000400000-0x0000000000710000-memory.dmp

                Filesize

                3.1MB

                Download