Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

9abedfec68...0N.exe

windows7-x64

8

9abedfec68...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    27/07/2024, 05:40 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9abedfec687db7a9273e5e9157af74e0N.exe

  • Size

    81KB

  • MD5

    9abedfec687db7a9273e5e9157af74e0

  • SHA1

    1d79bd8bef8703f1f3b3031d83cb50a23964133e

  • SHA256

    95ffed6888dde882a053f5498ad9d4f0feb1b49bfc22ce934c3c76593f1e514d

  • SHA512

    c9bb28a50aaecef0f2e010216591d9771a2c6689b6a8c40a43e7e52b2385961ab229e7eeda180411cde289dac83e69a77923f8c27a87b7af77319b140da71ceb

  • SSDEEP

    1536:6LxJJlguY/NbvWU2VkWlVvtlqDyKJR40AEEot:cc/R+U23vtlPR0pN

Score
8/10
bootkitdiscoverypersistencespywarestealerupx

Malware Config

Signatures

  • Blocklisted process makes network request 9 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9abedfec687db7a9273e5e9157af74e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\9abedfec687db7a9273e5e9157af74e0N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&c:\gnhak.exe "C:\Users\Admin\AppData\Local\Temp\9abedfec687db7a9273e5e9157af74e0N.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2976
      • \??\c:\gnhak.exe
        c:\gnhak.exe "C:\Users\Admin\AppData\Local\Temp\9abedfec687db7a9273e5e9157af74e0N.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2784
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\ccille\jfxya.dll",init c:\gnhak.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3032

Network

    No results found
  • 67.198.215.212:803
    rundll32.exe
    152 B
     3
  • 67.198.215.212:803
    rundll32.exe
    152 B
     3
  • 67.198.215.213:3204
    rundll32.exe
    152 B
     3
  • 67.198.215.214:805
    rundll32.exe
    152 B
     3
  • 67.198.215.214:805
    rundll32.exe
    152 B
     3
  • 67.198.215.214:805
    rundll32.exe
    152 B
     3
  • 67.198.215.214:805
    rundll32.exe
    152 B
     3
  • 67.198.215.213:3204
    rundll32.exe
    152 B
     3
  • 67.198.215.213:3204
    rundll32.exe
    104 B
     2
No results found

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\gnhak.exe
    Filesize

    81KB

    MD5

    52afb07bde63f656d1ba09d909384dc9

    SHA1

    b389fd27e49759a7cae501f960db2621ed25917c

    SHA256

    d227be1e054b8798726911623dc08f3440ce9a421b6b447330648c861ec16ec1

    SHA512

    34af19f79cbc13f6533ca13a7efbf3ffbbfe9e95d3c9fd9ea4b47955fe82493f5e052aee62ec6bab7a0a38a361200d5a2d00442c4ed6f5e73ac6a2cab48386c7

    Download Submit

  • \ccille\jfxya.dll
    Filesize

    46KB

    MD5

    42fe886bcb6460f7c2a46e21ecac5da6

    SHA1

    7d9a1c9fe17121cf61444da965f29e974a95ede2

    SHA256

    b6bc7902da0250f6ca920b35b222f6a0fe62102caf05d2a1722c4d3b225a0a9e

    SHA512

    3d1a7dc1d9ca8a4376302ba20df584ad59b98e0d3b18b06b22d7f5a455833ce124e412fc1922a3b704dcbafa31987cda3115c9a71dd6299683502cebae33567c

    Download Submit

  • memory/1960-0-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1960-1-0x0000000000280000-0x0000000000282000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1960-3-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2208-7-0x0000000000180000-0x0000000000197000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2208-6-0x0000000000180000-0x0000000000197000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2784-8-0x0000000000380000-0x0000000000382000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2784-11-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3032-18-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3032-14-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3032-19-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3032-23-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3032-24-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3032-25-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3032-27-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.