Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

9abedfec68...0N.exe

windows7-x64

8

9abedfec68...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    27/07/2024, 05:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9abedfec687db7a9273e5e9157af74e0N.exe

  • Size

    81KB

  • MD5

    9abedfec687db7a9273e5e9157af74e0

  • SHA1

    1d79bd8bef8703f1f3b3031d83cb50a23964133e

  • SHA256

    95ffed6888dde882a053f5498ad9d4f0feb1b49bfc22ce934c3c76593f1e514d

  • SHA512

    c9bb28a50aaecef0f2e010216591d9771a2c6689b6a8c40a43e7e52b2385961ab229e7eeda180411cde289dac83e69a77923f8c27a87b7af77319b140da71ceb

  • SSDEEP

    1536:6LxJJlguY/NbvWU2VkWlVvtlqDyKJR40AEEot:cc/R+U23vtlPR0pN

Score
8/10
bootkitdiscoverypersistencespywarestealerupx

Malware Config

Signatures

  • Blocklisted process makes network request 9 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9abedfec687db7a9273e5e9157af74e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\9abedfec687db7a9273e5e9157af74e0N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&c:\gnhak.exe "C:\Users\Admin\AppData\Local\Temp\9abedfec687db7a9273e5e9157af74e0N.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2976
      • \??\c:\gnhak.exe
        c:\gnhak.exe "C:\Users\Admin\AppData\Local\Temp\9abedfec687db7a9273e5e9157af74e0N.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2784
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\ccille\jfxya.dll",init c:\gnhak.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\gnhak.exe
    Filesize

    81KB

    MD5

    52afb07bde63f656d1ba09d909384dc9

    SHA1

    b389fd27e49759a7cae501f960db2621ed25917c

    SHA256

    d227be1e054b8798726911623dc08f3440ce9a421b6b447330648c861ec16ec1

    SHA512

    34af19f79cbc13f6533ca13a7efbf3ffbbfe9e95d3c9fd9ea4b47955fe82493f5e052aee62ec6bab7a0a38a361200d5a2d00442c4ed6f5e73ac6a2cab48386c7

    Download Submit

  • \ccille\jfxya.dll
    Filesize

    46KB

    MD5

    42fe886bcb6460f7c2a46e21ecac5da6

    SHA1

    7d9a1c9fe17121cf61444da965f29e974a95ede2

    SHA256

    b6bc7902da0250f6ca920b35b222f6a0fe62102caf05d2a1722c4d3b225a0a9e

    SHA512

    3d1a7dc1d9ca8a4376302ba20df584ad59b98e0d3b18b06b22d7f5a455833ce124e412fc1922a3b704dcbafa31987cda3115c9a71dd6299683502cebae33567c

    Download Submit

  • memory/1960-0-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1960-1-0x0000000000280000-0x0000000000282000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1960-3-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2208-7-0x0000000000180000-0x0000000000197000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2208-6-0x0000000000180000-0x0000000000197000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2784-8-0x0000000000380000-0x0000000000382000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2784-11-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3032-18-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3032-14-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3032-19-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3032-23-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3032-24-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3032-25-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3032-27-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download