Analysis
max time kernel: 150s
max time network: 135s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 12/08/2024, 01:52
Static task: static1
Behavioral task: behavioral1
Sample: PermSpoofer.exe
Resource: win10-20240404-en
General
Target: PermSpoofer.exe
Size: 669KB
MD5: 8eb70959830bbe2a7d2fff2d1a361a8f
SHA1: 09f115500da658766c31588c0beaa9b96b99f645
SHA256: b44edf50616943f8a2b94e5ca860ccf5f628db03c2bd0e3bec341539f1bbe0ca
SHA512: 872838a53c90ccf2fbfd2b1429ed0a8066dfc5fe761a44ba0647ecbcced8ca9fe7f1620f9fede0bafcdadc7d6ec05e4146121f76a5882b830cbe1ef4ef08f78d
SSDEEP: 12288:uL9TxTU252j76IdIEjmo1LtnMqE51S9VWqjD:CTUq2vOEjmohtMqy9sD
Malware Config
Signatures

Downloads MZ/PE file

Event Triggered Execution: AppInit DLLs (1 TTP)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

Loads dropped DLL (3 IoCs)
pid   Process
216   certutil.exe
216   certutil.exe
216   certutil.exe

Drops file in System32 directory (3 IoCs)
description   ioc                               Process
File created  C:\Windows\System32\zlib1.dll     PermSpoofer.exe
File created  C:\Windows\System32\Update.dll    PermSpoofer.exe
File created  C:\Windows\System32\libcurl.dll   PermSpoofer.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid   Process          procid_target
PID 2100 wrote to memory of 164    2100  PermSpoofer.exe  73
PID 2100 wrote to memory of 164    2100  PermSpoofer.exe  73
PID 164 wrote to memory of 216     164   cmd.exe          74
PID 164 wrote to memory of 216     164   cmd.exe          74
PID 164 wrote to memory of 3212    164   cmd.exe          75
PID 164 wrote to memory of 3212    164   cmd.exe          75
PID 164 wrote to memory of 4312    164   cmd.exe          76
PID 164 wrote to memory of 4312    164   cmd.exe          76
Processes

C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe"
  PID: 2100
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      PID: 164
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\certutil.exe
          Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe" MD5
          PID: 216
          - Loads dropped DLL

        C:\Windows\system32\find.exe
          Command line: find /i /v "md5"
          PID: 3212

        C:\Windows\system32\find.exe
          Command line: find /i /v "certutil"
          PID: 4312
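The process tree and file IoCs above give a hunter three concrete patterns to check for: a binary executing from a user Temp directory that writes DLLs into C:\Windows\System32, a Windows-signed utility (certutil.exe) that loads DLLs created during the run, and a `certutil -hashfile` invocation whose target is the image of its own ancestor process, with the output filtered through `find /i /v` (the sample hashes itself). The script below is an added example, not part of the Triage report or the sample. Its event records are constructed by hand from the PIDs, image paths and command lines shown in the report; the field schema (pid, ppid, image, cmdline, path) is assumed rather than a Triage export format; and the mapping of the three DLLs certutil.exe loaded to the three System32 drops is an assumption, since the report counts the loads but does not name the files.

```python
"""Hunting checks for the behaviour recorded in the PermSpoofer.exe report.

Added example, not part of the report. Events are constructed from the
report's process tree and file IoCs so the checks run offline; the field
names are an assumed normalised schema, not a Triage export format.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileCreate:
    pid: int
    path: str


@dataclass(frozen=True)
class ImageLoad:
    pid: int
    path: str


# Constructed from the report: PIDs, images and command lines as listed there.
PROCS = [
    Proc(2100, 0, r"C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe"'),
    Proc(164, 2100, r"C:\Windows\system32\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"'),
    Proc(216, 164, r"C:\Windows\system32\certutil.exe",
         r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe" MD5'),
    Proc(3212, 164, r"C:\Windows\system32\find.exe", r'find /i /v "md5"'),
    Proc(4312, 164, r"C:\Windows\system32\find.exe", r'find /i /v "certutil"'),
]
FILE_CREATES = [
    FileCreate(2100, r"C:\Windows\System32\zlib1.dll"),
    FileCreate(2100, r"C:\Windows\System32\Update.dll"),
    FileCreate(2100, r"C:\Windows\System32\libcurl.dll"),
]
# Assumption: the report says certutil.exe (216) loaded three dropped DLLs but
# does not name them; here they are taken to be the three System32 drops.
IMAGE_LOADS = [
    ImageLoad(216, r"C:\Windows\System32\zlib1.dll"),
    ImageLoad(216, r"C:\Windows\System32\Update.dll"),
    ImageLoad(216, r"C:\Windows\System32\libcurl.dll"),
]

USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
SYSTEM32_DLL = re.compile(r"^C:\\Windows\\System32\\.+\.dll$", re.I)
HASHFILE = re.compile(r'certutil(?:\.exe)?\s+-hashfile\s+"?([^"\s]+)"?', re.I)
SYSTEM32_DIR = "c:\\windows\\system32\\"


def ancestors(pid, procs):
    """Yield the parent chain starting at pid, nearest first (cycle-safe)."""
    by_pid = {p.pid: p for p in procs}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        p = by_pid[pid]
        yield p
        pid = p.ppid


def temp_binary_drops_into_system32(procs, creates):
    """Paths of DLLs written into System32 by a process running from a user Temp dir."""
    by_pid = {p.pid: p for p in procs}
    return sorted(c.path for c in creates
                  if c.pid in by_pid
                  and USER_TEMP.search(by_pid[c.pid].image)
                  and SYSTEM32_DLL.search(c.path))


def self_hash_check(procs):
    """PIDs whose command line runs certutil -hashfile against an ancestor's image."""
    hits = []
    for p in procs:
        m = HASHFILE.search(p.cmdline)
        if not m:
            continue
        target = m.group(1).lower()
        if any(a.image.lower() == target for a in ancestors(p.ppid, procs)):
            hits.append(p.pid)
    return hits


def lolbin_loads_dropped_dll(procs, creates, loads):
    """(pid, path) pairs where a System32-resident process loaded a DLL created in this run."""
    dropped = {c.path.lower() for c in creates}
    by_pid = {p.pid: p for p in procs}
    return sorted({(l.pid, l.path) for l in loads
                   if l.path.lower() in dropped
                   and l.pid in by_pid
                   and by_pid[l.pid].image.lower().startswith(SYSTEM32_DIR)})


if __name__ == "__main__":
    print("System32 drops from Temp binary:", temp_binary_drops_into_system32(PROCS, FILE_CREATES))
    print("Self-hash check PIDs:", self_hash_check(PROCS))
    print("LOLBin loaded dropped DLL:", lolbin_loads_dropped_dll(PROCS, FILE_CREATES, IMAGE_LOADS))
```

The self-hash check matches on the parent chain rather than on the literal path in the report, so it still fires if the dropper is renamed or staged elsewhere; both cmd.exe (164) and certutil.exe (216) carry the command line, so both are reported. The System32 drop check will also fire on elevated installers that legitimately write into System32, so in production it belongs with a signer or prevalence check on the written DLL rather than as a stand-alone alert.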
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 181KB
MD5: b4572dd19cea6ea0e5826ad50f17ef44
SHA1: 56f3dd656a21bb4dfb6c2ff2dcd29d6ac3352de1
SHA256: 904369c26f999c2d573dd38d9caec8f12717de9a21145475fed2a10d2a9b706a
SHA512: 9d85eda5ed2ad78a83c1be41e1fef3976a8a711ec2eb65b618b75126c5fc0a6d8ea8b793d2cf7cf0fb96aad4bb791cb3f82bcecd9075619ef811d9846364d77d

Filesize: 557KB
MD5: d38a9d652cccade6a55a7a596fe599fd
SHA1: 7138eed6a42da921585acea27f5b3c6dc716537c
SHA256: c2ec5ee6d93d85e396c971d026731c354402be2029ac4f0deb2515dc2ae1c61b
SHA512: bce04101536a2c6c6945ec2206bcc9974ee75bd34c554fbe0a2ff6d49e2807894bb1b8d51a9a6c5dcb87103c9915c817791f0372a8063c6de94359f1e1851a41

Filesize: 88KB
MD5: f647da5c0665cd44a85c2f2e06dad122
SHA1: b58626f113fa720e149ec0e0c8624597661ba77e
SHA256: 3ffb0110c5a46fa372c025f7d5c393ad364feafe38aabd5e7f91fe64c0409dc0
SHA512: 274e2d004248a39a4bc50641727652d283b6e618bf16a5bfd1ff73bdab2eb9dd92ef217a65ed451efcaf31ccf58054dc10c6a213f4287db16e25803ce3f97759