Analysis

  • max time kernel
    128s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/06/2024, 01:47

General

  • Target

    PPPOE095.exe

  • Size

    126KB

  • MD5

    e3e3eaf898d672e48d0758e075daf0c3

  • SHA1

    384a7a741d539b887f99f2fae711037ee507cd0c

  • SHA256

    b4f5f2c6a7f2f05ec32279f623861bb5a6f7fbbac44696601d995c23e21be37f

  • SHA512

    0fdad5b535dcdd04a52070d80a94158cc8d92e282f99691e24875a420f6139e80d809f44f9f387422d4d470ce65e533ac7c3c8d8b84502436334549445e04c32

  • SSDEEP

    1536:SNsf9oCmhzvH9B646+x9/ebOOlRK/B0VSe8oN9JJGGQeHfpt05aGBe6:hZmhzPr64VenUB0VSLojJJGAHv1Gk6

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 10 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PPPOE095.exe
    "C:\Users\Admin\AppData\Local\Temp\PPPOE095.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3848
    • C:\Users\Admin\AppData\Local\Temp\RSPE5767.TMP\RASPPPOE.EXE
      RASPPPOE.EXE
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:648
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:244
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3d693f9d-91fa-3842-93f6-8f5282ab64b7}\NETPPPOE.INF" "9" "4f9efc093" "0000000000000154" "WinSta0\Default" "00000000000000E8" "208" "C:\Users\Admin\AppData\Local\Temp\RSPE5767.TMP"
        2⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        PID:2756

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\RSPE5767.TMP\NETPPPOE.INF

      Filesize

      3KB

      MD5

      eee998903dad88e02eb7b194af44ea42

      SHA1

      2352d36d3a50a8cedd97670bcdc7bde703fcd62e

      SHA256

      4db87e6c6d48ecf666bd12fff65b4d56a0da52939bf68c2e0c1b4f992910f8c1

      SHA512

      e4a6c504cb5824cefe8332665d3aa158ff092eaa094c925ea094c0a05d21c6f292dc7bf97242d4e096ac4aa66b2261b8d935ad953349ea0e93bcf6d49a725cba

    • C:\Users\Admin\AppData\Local\Temp\RSPE5767.TMP\RASPPPOE.EXE

      Filesize

      26KB

      MD5

      778102445ce21089b28ca9919c268b90

      SHA1

      2a7c65fbb43bfa6bb0972e81cda7f7fa42586559

      SHA256

      bbaa88b64e94b12386efcf7cb6346921960a174722cee40e59d97dad855ae7d2

      SHA512

      a63a77aa5f4ce83507c35724e40d12fc2b37e1be0002dda3b9f2eeec92302bd830dc222dda1b41863954ee1a237d5cfaa4446dc7fda70609ae4f361b86e6be45