Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/07/2024, 22:15

General

  • Target

    2ef8d4c32bf741fe4e44576b2e9a5020N.exe

  • Size

    23KB

  • MD5

    2ef8d4c32bf741fe4e44576b2e9a5020

  • SHA1

    6dc03a40a9251ccc48b9c55f5a7af9097eb5d18a

  • SHA256

    8def991589279e0d4169042e93b79ddce953443012fbd1c572d03efb2da56d75

  • SHA512

    d04530a1e30b0f1b40a4717d7770749f0237bee2ea7e423b2a9c327f0880570b3040038a05934c493ea0818f4cf7cbe077fa79c3a8a3728cbf0a477c9f51f796

  • SSDEEP

    384:jIz4ClC0Y2i/WqBfroAmbpXhA7qNHh9Ro7Eh6SjUbmc0FGc+RPV8A/L51qsLVn4:jIUGC0YPBfro7AuNHlogs5bmjMd8g5wp

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops file in Drivers directory 1 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:616
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3416
        • C:\Users\Admin\AppData\Local\Temp\2ef8d4c32bf741fe4e44576b2e9a5020N.exe
          "C:\Users\Admin\AppData\Local\Temp\2ef8d4c32bf741fe4e44576b2e9a5020N.exe"
          2⤵
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1708
          • C:\Windows\SysWOW64\rmass.exe
            "C:\Windows\SysWOW64\rmass.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4508
            • C:\Windows\SysWOW64\rmass.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:628

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\RECOVER32.DLL

        Filesize

        5KB

        MD5

        2b2c28a7a01f9584fe220ef84003427f

        SHA1

        5fc023df0b5064045eb8de7f2dbe26f07f6fec70

        SHA256

        9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb

        SHA512

        39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

      • C:\Windows\SysWOW64\ahuy.exe

        Filesize

        23KB

        MD5

        107cfae1b46cd93af816691a59cf4b98

        SHA1

        e58eecd539f9e1df0bd827e67c1a2dfbb737eb11

        SHA256

        67bb0a2fa9ea69494e8957ade7ef73ce763b2ddb2a84c10e41ae17e322a7f39d

        SHA512

        74152448a86dab2a2b9b2d29f2611580fdc23f1c3cf38ad798e553c5d9346bdfb530c1d0675175439d546eac03fe4643d0bb1a89b7e5725fc8ee386b04e39b57

      • C:\Windows\SysWOW64\ntdbg.exe

        Filesize

        24KB

        MD5

        328f13adbb4ef07a40d2bdc011bda629

        SHA1

        876a5c470bd56ffa28d5b56edf6139c977f86561

        SHA256

        117c550a032b5a0dce6bd5b87e32c571a34e94d4e34849fa7bc83753a5956948

        SHA512

        85badb9af0b56ecdd024e4b33e47e906cd19a4d6ffd0041d41086f9805ae61e9f73492df5b6cc95be208348f5664e8495e6a75e7c09784a7fdccad844f1a1be1

      • C:\Windows\SysWOW64\rmass.exe

        Filesize

        21KB

        MD5

        99eb92427751484be0ae1f8bcd5b6f5a

        SHA1

        592f096d672f121d2669419b0893a6b758189f31

        SHA256

        1d2585db65cd8d9eaca0e604f8c1db92793d624335e13bbe437411b710a1cfae

        SHA512

        0fd0d4f850d81231747c381ac30bd02be07d0ce11f6beb675953e120aea86949a99796eac2f10427ff7526fd4f1d90dd4a8acc943295259482cc6ec415011527

      • memory/628-49-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

      • memory/1708-3-0x0000000000400000-0x0000000000403000-memory.dmp

        Filesize

        12KB

      • memory/4508-4-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

      • memory/4508-48-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB