Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
22/07/2024, 01:17
Behavioral task
behavioral1
Sample
3c9fd13c8e6028d8d15ab4c21ff275b0N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
3c9fd13c8e6028d8d15ab4c21ff275b0N.exe
Resource
win10v2004-20240709-en
General
-
Target
3c9fd13c8e6028d8d15ab4c21ff275b0N.exe
-
Size
21KB
-
MD5
3c9fd13c8e6028d8d15ab4c21ff275b0
-
SHA1
aa851ee9fec5a15bb9066a0577414209865d04d6
-
SHA256
4bae843a0762b39027fe464a19c0fd05277bb1595cce5e5849ab6abfb3216144
-
SHA512
c6a64a75df0d67965bc7f31b9674fd60fc2ed16374c2f43f65891e5dabf756888f8e3221cb8ea494461d918f12ba315b0a3dcebf865cb4512a893edae018f347
-
SSDEEP
384:UBWoC5GDr6wc/w3HgM6vDUTAXBGCVf4WVlFvXFLvl0vBbM:rRkiLw3HsDSARGG/nobM
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" rmass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" rmass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" rmass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" rmass.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{464D4544-4658-4645-464D-454446584645} rmass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{464D4544-4658-4645-464D-454446584645}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" rmass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{464D4544-4658-4645-464D-454446584645}\IsInstalled = "1" rmass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{464D4544-4658-4645-464D-454446584645}\StubPath = "C:\\Windows\\system32\\ahuy.exe" rmass.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts rmass.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe rmass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" rmass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" rmass.exe -
Executes dropped EXE 2 IoCs
pid Process 2384 rmass.exe 2176 rmass.exe -
Loads dropped DLL 3 IoCs
pid Process 2028 3c9fd13c8e6028d8d15ab4c21ff275b0N.exe 2028 3c9fd13c8e6028d8d15ab4c21ff275b0N.exe 2384 rmass.exe -
resource yara_rule behavioral1/memory/2028-0-0x0000000000400000-0x0000000000411000-memory.dmp upx behavioral1/files/0x0007000000012117-4.dat upx behavioral1/memory/2028-11-0x0000000000400000-0x0000000000411000-memory.dmp upx behavioral1/memory/2384-13-0x0000000000400000-0x0000000000411000-memory.dmp upx behavioral1/memory/2384-59-0x0000000000400000-0x0000000000411000-memory.dmp upx behavioral1/memory/2176-60-0x0000000000400000-0x0000000000411000-memory.dmp upx behavioral1/memory/2384-120-0x0000000000400000-0x0000000000411000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" rmass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" rmass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" rmass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" rmass.exe -
Modifies WinLogon 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} rmass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify rmass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" rmass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" rmass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" rmass.exe -
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ahuy.exe rmass.exe File opened for modification C:\Windows\SysWOW64\RECOVER32.DLL rmass.exe File opened for modification C:\Windows\SysWOW64\winrnt.exe rmass.exe File opened for modification C:\Windows\SysWOW64\rmass.exe 3c9fd13c8e6028d8d15ab4c21ff275b0N.exe File created C:\Windows\SysWOW64\rmass.exe 3c9fd13c8e6028d8d15ab4c21ff275b0N.exe File opened for modification C:\Windows\SysWOW64\ntdbg.exe rmass.exe File created C:\Windows\SysWOW64\ntdbg.exe rmass.exe File opened for modification C:\Windows\SysWOW64\rmass.exe rmass.exe File created C:\Windows\SysWOW64\ahuy.exe rmass.exe File created C:\Windows\SysWOW64\RECOVER32.DLL rmass.exe File opened for modification C:\Windows\SysWOW64\aset32.exe rmass.exe File opened for modification C:\Windows\SysWOW64\idbg32.exe rmass.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\System\aset32.exe rmass.exe File opened for modification C:\Program Files (x86)\Common Files\System\idbg32.exe rmass.exe File opened for modification C:\Program Files (x86)\Common Files\System\winrnt.exe rmass.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2384 rmass.exe 2384 rmass.exe 2384 rmass.exe 2176 rmass.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2028 3c9fd13c8e6028d8d15ab4c21ff275b0N.exe Token: SeDebugPrivilege 2384 rmass.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2028 wrote to memory of 2384 2028 3c9fd13c8e6028d8d15ab4c21ff275b0N.exe 30 PID 2028 wrote to memory of 2384 2028 3c9fd13c8e6028d8d15ab4c21ff275b0N.exe 30 PID 2028 wrote to memory of 2384 2028 3c9fd13c8e6028d8d15ab4c21ff275b0N.exe 30 PID 2028 wrote to memory of 2384 2028 3c9fd13c8e6028d8d15ab4c21ff275b0N.exe 30 PID 2384 wrote to memory of 432 2384 rmass.exe 5 PID 2384 wrote to memory of 1244 2384 rmass.exe 21 PID 2384 wrote to memory of 2176 2384 rmass.exe 31 PID 2384 wrote to memory of 2176 2384 rmass.exe 31 PID 2384 wrote to memory of 2176 2384 rmass.exe 31 PID 2384 wrote to memory of 2176 2384 rmass.exe 31
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\3c9fd13c8e6028d8d15ab4c21ff275b0N.exe"C:\Users\Admin\AppData\Local\Temp\3c9fd13c8e6028d8d15ab4c21ff275b0N.exe"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\rmass.exe"C:\Windows\system32\rmass.exe"3⤵
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\rmass.exe--k33p4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2176
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD52b2c28a7a01f9584fe220ef84003427f
SHA15fc023df0b5064045eb8de7f2dbe26f07f6fec70
SHA2569e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb
SHA51239192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78
-
Filesize
23KB
MD56d9dc4d7ea6a79027ecdb289c78fee32
SHA16563650dac0eccd71a17ced89fd04f2f0aec4938
SHA256b7b1952cb15602e237f2a35906717a10c1656bc40a9a8b18498198498d7330d7
SHA512e6bf1d1a70e6c81c3ab4d252b84bf5e7c6c1eed8277be8d9cfb0ae70a006e6e80d7fda84c6e8c53d3ed8264264b1476369046d9535d2f2ca44cd66d03e08c327
-
Filesize
24KB
MD5ddbbdc03d9381768e90e3c76bd4e44d5
SHA1d668b2d8c713a8712a228b08b8ee18570cc79444
SHA2567182686c1ea71463709167921c2c4850b4e9216c113a804c70be9a979d04dbb3
SHA512090e35136ca4db3db67bc8ff9eb8d83f9347ed6c5a4bb15ac689d285df1ea4e437bd015afd0591d2fc2179c0b9f6cc5f0c12b0b285a4a8730ee2fc6bb6c72a5f
-
Filesize
21KB
MD53c9fd13c8e6028d8d15ab4c21ff275b0
SHA1aa851ee9fec5a15bb9066a0577414209865d04d6
SHA2564bae843a0762b39027fe464a19c0fd05277bb1595cce5e5849ab6abfb3216144
SHA512c6a64a75df0d67965bc7f31b9674fd60fc2ed16374c2f43f65891e5dabf756888f8e3221cb8ea494461d918f12ba315b0a3dcebf865cb4512a893edae018f347