Analysis
max time kernel: 15s
max time network: 17s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 12/07/2024, 20:30
Static task: static1
Behavioral task: behavioral1
Sample: spoofer_new.exe
Resource: win10-20240404-en
General
Target: spoofer_new.exe
Size: 608KB
MD5: d095341534fddce28871264bed02bbf3
SHA1: 880e3ac5a5b50fb3013373dec1df80ce3ce6c59b
SHA256: e807f820cfe3ea670af3b8994a31f4521cd64c0eedaaf11e96ccef100f741f2b
SHA512: a0fff06ae0ec3f097e7e4786df2ca7def1304f1a2e720fb994458b5a3e443e60b532866345a3b4f995a7834332174cd3711deb76f118db8e987a30fd76134910
SSDEEP: 6144:F/KWCA3vyU4yMyCvSLPZvrIFQdGaWlMFYCAhh:F/KWH3BXLxvFdGnqFYC
Malware Config
Signatures
Sets service image path in registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tTICIAuVBsgklIdtO\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\tTICIAuVBsgklIdtO" | mp.exe

Executes dropped EXE (1 IoC)
pid | Process
3828 | mp.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3828 | mp.exe
3828 | mp.exe

Suspicious behavior: LoadsDriver (1 IoC)
pid | Process
3828 | mp.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeLoadDriverPrivilege | 3828 | mp.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4304 wrote to memory of 784 | 4304 | spoofer_new.exe | 76
PID 4304 wrote to memory of 784 | 4304 | spoofer_new.exe | 76
PID 784 wrote to memory of 3828 | 784 | cmd.exe | 77
PID 784 wrote to memory of 3828 | 784 | cmd.exe | 77
PID 4304 wrote to memory of 4496 | 4304 | spoofer_new.exe | 78
PID 4304 wrote to memory of 4496 | 4304 | spoofer_new.exe | 78
PID 4304 wrote to memory of 2888 | 4304 | spoofer_new.exe | 79
PID 4304 wrote to memory of 2888 | 4304 | spoofer_new.exe | 79
Processes
Image: C:\Users\Admin\AppData\Local\Temp\spoofer_new.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\spoofer_new.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4304

    Image: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\mp.exe C:\Users\dr.sys
      - Suspicious use of WriteProcessMemory
      PID: 784

        Image: C:\Users\mp.exe
        Command line: C:\Users\mp.exe C:\Users\dr.sys
          - Sets service image path in registry
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: LoadsDriver
          - Suspicious use of AdjustPrivilegeToken
          PID: 3828

    Image: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c pause >nul
      PID: 4496

    Image: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c exit
      PID: 2888
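The process tree and signatures above record the usual user-mode driver loader pattern: a dropped executable (mp.exe, handed dr.sys on the command line) creates a service key whose ImagePath uses the \??\ object-manager prefix and points into the user's Temp directory, enables SeLoadDriverPrivilege, and loads the driver. ImagePath is the value the kernel reads from that service key when NtLoadDriver is called with it, so a registry write of this shape is the detection point a responder wants, independent of the driver's file name. The following Python is an added example, not tria.ge's code and not part of this report: it scores Sysmon-style RegistryEvent SetValue records for service ImagePath writes. The three events are constructed (the first mirrors the IoC above, the other two are benign controls); the system-root location (C:\Windows), the user-writable directory list and the installer allowlist are assumptions to tune.

```python
import re
from typing import Dict, List

# Value name under a service key that NtLoadDriver resolves to the driver image.
SERVICE_IMAGEPATH = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
# NT object-manager prefixes (\??\ and \\?\) as they appear in raw ImagePath values.
NT_PREFIX = re.compile(r"^(\\\?\?\\|\\\\\?\\)")
# Directories an unprivileged user can write to (assumption: extend for your estate).
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
# Processes expected to write service ImagePath values (assumption: tune per environment).
EXPECTED_WRITERS = {"services.exe", "msiexec.exe", "svchost.exe"}
SYSTEM_ROOT = r"C:\Windows"  # assumption: relative ImagePath values resolve against this


def normalize_image_path(raw: str) -> str:
    """Resolve an ImagePath value to the file it names.

    Strips the \\??\\ prefix and surrounding quotes, drops trailing arguments,
    and resolves the relative form (System32\\drivers\\x.sys) most drivers use.
    """
    p = NT_PREFIX.sub("", raw.strip())
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]      # quoted image; arguments follow the closing quote
    else:
        p = p.split(" ", 1)[0]          # unquoted image; first token only
    if not re.match(r"^[A-Za-z]:\\", p):
        p = SYSTEM_ROOT + "\\" + p.lstrip("\\")
    return p


def assess_service_imagepath(event: Dict[str, object]) -> Dict[str, object]:
    """Score one registry SetValue event; an empty 'reasons' list means nothing suspicious."""
    m = SERVICE_IMAGEPATH.search(str(event["target"]))
    if not m:
        return {"service": None, "path": None, "reasons": []}
    raw = str(event["details"])
    path = normalize_image_path(raw)
    low = path.lower()
    reasons: List[str] = []
    if NT_PREFIX.match(raw.strip()):
        reasons.append("nt_object_prefix")        # \??\ form is typical of hand-rolled loaders
    if USER_WRITABLE.search(path):
        reasons.append("user_writable_location")  # driver image under a user-controlled directory
    if not (low.startswith(SYSTEM_ROOT.lower() + "\\") or low.startswith("c:\\program files")):
        reasons.append("outside_system_dirs")
    if not re.search(r"\.(sys|exe|dll)$", low):
        reasons.append("no_binary_extension")     # e.g. a random service name with no .sys
    writer = str(event["process"]).lower()
    if writer not in EXPECTED_WRITERS:
        reasons.append("unexpected_writer:" + writer)
    return {"service": m.group(1), "path": path, "reasons": reasons}


def triage(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the assessments that carry at least one reason, in input order."""
    hits = []
    for ev in events:
        a = assess_service_imagepath(ev)
        if a["reasons"]:
            hits.append(a)
    return hits


# Constructed Sysmon Event ID 13 (RegistryEvent SetValue) records; the first mirrors
# the IoC recorded in the report above, the other two are benign controls.
EVENTS = [
    {"process": "mp.exe", "pid": 3828,
     "target": r"HKLM\SYSTEM\ControlSet001\Services\tTICIAuVBsgklIdtO\ImagePath",
     "details": r"\??\C:\Users\Admin\AppData\Local\Temp\tTICIAuVBsgklIdtO"},
    {"process": "services.exe", "pid": 700,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ImagePath",
     "details": r"System32\drivers\tcpip.sys"},
    {"process": "msiexec.exe", "pid": 1234,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\ImagePath",
     "details": r'"C:\Program Files\Example\svc.exe" /run'},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit["service"], hit["path"], ", ".join(hit["reasons"]))
```

Only the mp.exe event is reported; the Tcpip and ExampleSvc writes resolve to system locations, carry a binary extension and come from allowlisted writers. Correlating a hit with a SeLoadDriverPrivilege enable and a driver-load event from the same PID, as the signatures above do for PID 3828, is what turns this from a hunt lead into an alert.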
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 143KB
MD5: 25ea0a6ed15a532a21da6371f1656d5e
SHA1: d0ee444918192e149d27e1eb366e33bb5de869ca
SHA256: fa5eefdaf551c1c8bcd22797b2584714301cbf75b9f8fbe66f5960f6b2b1d0b3
SHA512: 41301663cd1cb9d5b514dbb4fd5131a9e922097f236ddbf6386ee9dbb1375b199be9c673612d07a96785e154484a21a0b2f1439fb9114f949869048acca0a5a8