Analysis
max time kernel: 119s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/07/2024, 22:15
Static task: static1
Behavioral task: behavioral1
  Sample: 2ef8d4c32bf741fe4e44576b2e9a5020N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 2ef8d4c32bf741fe4e44576b2e9a5020N.exe
  Resource: win10v2004-20240709-en
General
Target: 2ef8d4c32bf741fe4e44576b2e9a5020N.exe
Size: 23KB
MD5: 2ef8d4c32bf741fe4e44576b2e9a5020
SHA1: 6dc03a40a9251ccc48b9c55f5a7af9097eb5d18a
SHA256: 8def991589279e0d4169042e93b79ddce953443012fbd1c572d03efb2da56d75
SHA512: d04530a1e30b0f1b40a4717d7770749f0237bee2ea7e423b2a9c327f0880570b3040038a05934c493ea0818f4cf7cbe077fa79c3a8a3728cbf0a477c9f51f796
SSDEEP: 384:jIz4ClC0Y2i/WqBfroAmbpXhA7qNHh9Ro7Eh6SjUbmc0FGc+RPV8A/L51qsLVn4:jIUGC0YPBfro7AuNHlogs5bmjMd8g5wp
Malware Config
Signatures

Windows security bypass 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" | rmass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" | rmass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" | rmass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" | rmass.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51495642-4849-5154-5149-564248495154} | rmass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51495642-4849-5154-5149-564248495154}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | rmass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51495642-4849-5154-5149-564248495154}\IsInstalled = "1" | rmass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51495642-4849-5154-5149-564248495154}\StubPath = "C:\\Windows\\system32\\ahuy.exe" | rmass.exe

Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | rmass.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | rmass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | rmass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" | rmass.exe

Executes dropped EXE 2 IoCs
pid | Process
4508 | rmass.exe
628 | rmass.exe

UPX packed file 4 IoCs
resource | yara_rule
behavioral2/files/0x0009000000023443-2.dat | upx
behavioral2/memory/4508-4-0x0000000000400000-0x0000000000411000-memory.dmp | upx
behavioral2/memory/4508-48-0x0000000000400000-0x0000000000411000-memory.dmp | upx
behavioral2/memory/628-49-0x0000000000400000-0x0000000000411000-memory.dmp | upx

Windows security modification 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" | rmass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" | rmass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" | rmass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" | rmass.exe

Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" | rmass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | rmass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | rmass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | rmass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | rmass.exe

Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\rmass.exe | 2ef8d4c32bf741fe4e44576b2e9a5020N.exe
File created | C:\Windows\SysWOW64\rmass.exe | 2ef8d4c32bf741fe4e44576b2e9a5020N.exe
File opened for modification | C:\Windows\SysWOW64\ahuy.exe | rmass.exe
File created | C:\Windows\SysWOW64\ahuy.exe | rmass.exe
File opened for modification | C:\Windows\SysWOW64\winrnt.exe | rmass.exe
File opened for modification | C:\Windows\SysWOW64\aset32.exe | rmass.exe
File opened for modification | C:\Windows\SysWOW64\rmass.exe | rmass.exe
File opened for modification | C:\Windows\SysWOW64\ntdbg.exe | rmass.exe
File created | C:\Windows\SysWOW64\ntdbg.exe | rmass.exe
File opened for modification | C:\Windows\SysWOW64\RECOVER32.DLL | rmass.exe
File created | C:\Windows\SysWOW64\RECOVER32.DLL | rmass.exe
File opened for modification | C:\Windows\SysWOW64\idbg32.exe | rmass.exe

Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Common Files\System\aset32.exe | rmass.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\idbg32.exe | rmass.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\winrnt.exe | rmass.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
4508 | rmass.exe
4508 | rmass.exe
4508 | rmass.exe
4508 | rmass.exe
4508 | rmass.exe
4508 | rmass.exe
628 | rmass.exe
628 | rmass.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4508 | rmass.exe

Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1708 wrote to memory of 4508 | 1708 | 2ef8d4c32bf741fe4e44576b2e9a5020N.exe | 84
PID 1708 wrote to memory of 4508 | 1708 | 2ef8d4c32bf741fe4e44576b2e9a5020N.exe | 84
PID 1708 wrote to memory of 4508 | 1708 | 2ef8d4c32bf741fe4e44576b2e9a5020N.exe | 84
PID 4508 wrote to memory of 628 | 4508 | rmass.exe | 85
PID 4508 wrote to memory of 628 | 4508 | rmass.exe | 85
PID 4508 wrote to memory of 628 | 4508 | rmass.exe | 85
PID 4508 wrote to memory of 616 | 4508 | rmass.exe | 5
PID 4508 wrote to memory of 3416 | 4508 | rmass.exe | 56
Processes (indented by depth in the process tree)

C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 616

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3416

  C:\Users\Admin\AppData\Local\Temp\2ef8d4c32bf741fe4e44576b2e9a5020N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2ef8d4c32bf741fe4e44576b2e9a5020N.exe"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 1708

    C:\Windows\SysWOW64\rmass.exe
      command line: "C:\Windows\SysWOW64\rmass.exe"
      - Windows security bypass
      - Boot or Logon Autostart Execution: Active Setup
      - Drops file in Drivers directory
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Windows security modification
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4508

      C:\Windows\SysWOW64\rmass.exe
        command line: --k33p
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID: 628
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)
Downloads

Filesize: 5KB
MD5: 2b2c28a7a01f9584fe220ef84003427f
SHA1: 5fc023df0b5064045eb8de7f2dbe26f07f6fec70
SHA256: 9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb
SHA512: 39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

Filesize: 23KB
MD5: 107cfae1b46cd93af816691a59cf4b98
SHA1: e58eecd539f9e1df0bd827e67c1a2dfbb737eb11
SHA256: 67bb0a2fa9ea69494e8957ade7ef73ce763b2ddb2a84c10e41ae17e322a7f39d
SHA512: 74152448a86dab2a2b9b2d29f2611580fdc23f1c3cf38ad798e553c5d9346bdfb530c1d0675175439d546eac03fe4643d0bb1a89b7e5725fc8ee386b04e39b57

Filesize: 24KB
MD5: 328f13adbb4ef07a40d2bdc011bda629
SHA1: 876a5c470bd56ffa28d5b56edf6139c977f86561
SHA256: 117c550a032b5a0dce6bd5b87e32c571a34e94d4e34849fa7bc83753a5956948
SHA512: 85badb9af0b56ecdd024e4b33e47e906cd19a4d6ffd0041d41086f9805ae61e9f73492df5b6cc95be208348f5664e8495e6a75e7c09784a7fdccad844f1a1be1

Filesize: 21KB
MD5: 99eb92427751484be0ae1f8bcd5b6f5a
SHA1: 592f096d672f121d2669419b0893a6b758189f31
SHA256: 1d2585db65cd8d9eaca0e604f8c1db92793d624335e13bbe437411b710a1cfae
SHA512: 0fd0d4f850d81231747c381ac30bd02be07d0ce11f6beb675953e120aea86949a99796eac2f10427ff7526fd4f1d90dd4a8acc943295259482cc6ec415011527