Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

e6de332ad7...16.exe

windows7-x64

8

e6de332ad7...16.exe

windows10-2004-x64

8

Resubmissions

13/06/2024, 06:10

240613-gxea3sxamg 8

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    13/06/2024, 06:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe

  • Size

    223KB

  • MD5

    3955af54fbac1e43c945f447d92e4108

  • SHA1

    53c5552c3649619e4e8c6a907b94573f47130fa4

  • SHA256

    e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16

  • SHA512

    fa028a040a5f075296aebab7f63a59b6cbba32ee0964dfc08768396cc012ff5d861191e2478914d79d4a424c3bba110505a58b97376c44c716f0b1ea70551037

  • SSDEEP

    3072:tneBqhy5aVLOwqI8sgwoEHXfwaNUM+/ORSs5G2Ms4f6TFZbhgvbUxzJ8Y:tETlsgOfDt+/V6JQO98

Score
8/10
discoveryexecutionexploitpersistence

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Drops file in Program Files directory 5 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe
    "C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\system32\takeown.exe
        takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2764
      • C:\Windows\system32\icacls.exe
        icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2608
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" cmd /c sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\system32\sc.exe
        sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
        3⤵
        • Launches sc.exe
        PID:1236
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\kkxqbh.bat" "
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 3
        3⤵
        • Runs ping.exe
        PID:1976
  • C:\Program Files\Windows Media Player\wmpnetwk.exe
    "C:\Program Files\Windows Media Player\wmpnetwk.exe"
    1⤵
    • Executes dropped EXE
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Windows Media Player\wmpnetwk.exe
    Filesize

    23KB

    MD5

    90b85ffbdeead1be861d59134ea985b0

    SHA1

    55e9859aa7dba87678e7c529b571fdf6b7181339

    SHA256

    ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2

    SHA512

    8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce

    Download Submit

  • C:\kkxqbh.bat
    Filesize

    135B

    MD5

    44a3af72a2e7efad7f05b5b264f2b133

    SHA1

    cfd7c8451a0c6e8123328b18f96bec50d04b50ab

    SHA256

    471ff503db8bd1d39701d587ec4f2d3c97c2843a53e812fe726c970f7306fbb4

    SHA512

    3d2009c7d4b82fd970ced78fe97b0d5ed08ca7a33480969deb5345195e50877e5efe8f80eeca86c63c5f87cc3779f7f9aba47eb1cca1c29656cb4f74bfd4e14a

    Download Submit

  • memory/2368-0-0x000000013FCDD000-0x000000013FCDF000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2368-3-0x0000000002220000-0x000000000224C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2368-5-0x000000013FCD0000-0x000000013FD0C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2368-27-0x0000000002220000-0x000000000224C000-memory.dmp

    Filesize

    176KB

    Download