Analysis

  • max time kernel: 119s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20240704-en
  • resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted: 22/07/2024, 01:17

General

  • Target: 3c9fd13c8e6028d8d15ab4c21ff275b0N.exe
  • Size: 21KB
  • MD5: 3c9fd13c8e6028d8d15ab4c21ff275b0
  • SHA1: aa851ee9fec5a15bb9066a0577414209865d04d6
  • SHA256: 4bae843a0762b39027fe464a19c0fd05277bb1595cce5e5849ab6abfb3216144
  • SHA512: c6a64a75df0d67965bc7f31b9674fd60fc2ed16374c2f43f65891e5dabf756888f8e3221cb8ea494461d918f12ba315b0a3dcebf865cb4512a893edae018f347
  • SSDEEP: 384:UBWoC5GDr6wc/w3HgM6vDUTAXBGCVf4WVlFvXFLvl0vBbM:rRkiLw3HsDSARGG/nobM

Malware Config

Signatures

  • Windows security bypass (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  • Drops file in Drivers directory (1 IoC)
  • Event Triggered Execution: Image File Execution Options Injection (1 TTP, 3 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (3 IoCs)
  • UPX packed file (7 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • Windows security modification (2 TTPs, 4 IoCs)
  • Modifies WinLogon (2 TTPs, 5 IoCs)
  • Drops file in System32 directory (12 IoCs)
  • Drops file in Program Files directory (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1244
        • C:\Users\Admin\AppData\Local\Temp\3c9fd13c8e6028d8d15ab4c21ff275b0N.exe
          "C:\Users\Admin\AppData\Local\Temp\3c9fd13c8e6028d8d15ab4c21ff275b0N.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2028
          • C:\Windows\SysWOW64\rmass.exe
            "C:\Windows\system32\rmass.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2384
            • C:\Windows\SysWOW64\rmass.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2176

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\RECOVER32.DLL
    Filesize: 5KB
    MD5: 2b2c28a7a01f9584fe220ef84003427f
    SHA1: 5fc023df0b5064045eb8de7f2dbe26f07f6fec70
    SHA256: 9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb
    SHA512: 39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

  • C:\Windows\SysWOW64\ahuy.exe
    Filesize: 23KB
    MD5: 6d9dc4d7ea6a79027ecdb289c78fee32
    SHA1: 6563650dac0eccd71a17ced89fd04f2f0aec4938
    SHA256: b7b1952cb15602e237f2a35906717a10c1656bc40a9a8b18498198498d7330d7
    SHA512: e6bf1d1a70e6c81c3ab4d252b84bf5e7c6c1eed8277be8d9cfb0ae70a006e6e80d7fda84c6e8c53d3ed8264264b1476369046d9535d2f2ca44cd66d03e08c327

  • C:\Windows\SysWOW64\ntdbg.exe
    Filesize: 24KB
    MD5: ddbbdc03d9381768e90e3c76bd4e44d5
    SHA1: d668b2d8c713a8712a228b08b8ee18570cc79444
    SHA256: 7182686c1ea71463709167921c2c4850b4e9216c113a804c70be9a979d04dbb3
    SHA512: 090e35136ca4db3db67bc8ff9eb8d83f9347ed6c5a4bb15ac689d285df1ea4e437bd015afd0591d2fc2179c0b9f6cc5f0c12b0b285a4a8730ee2fc6bb6c72a5f

  • \Windows\SysWOW64\rmass.exe
    Filesize: 21KB
    MD5: 3c9fd13c8e6028d8d15ab4c21ff275b0
    SHA1: aa851ee9fec5a15bb9066a0577414209865d04d6
    SHA256: 4bae843a0762b39027fe464a19c0fd05277bb1595cce5e5849ab6abfb3216144
    SHA512: c6a64a75df0d67965bc7f31b9674fd60fc2ed16374c2f43f65891e5dabf756888f8e3221cb8ea494461d918f12ba315b0a3dcebf865cb4512a893edae018f347

  • memory/2028-0-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize: 68KB

  • memory/2028-11-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize: 68KB

  • memory/2176-60-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize: 68KB

  • memory/2384-13-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize: 68KB

  • memory/2384-25-0x00000000003E0000-0x00000000003F1000-memory.dmp
    Filesize: 68KB

  • memory/2384-59-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize: 68KB

  • memory/2384-120-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize: 68KB