Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    12/08/2024, 01:52

General

  • Target

    PermSpoofer.exe

  • Size

    669KB

  • MD5

    8eb70959830bbe2a7d2fff2d1a361a8f

  • SHA1

    09f115500da658766c31588c0beaa9b96b99f645

  • SHA256

    b44edf50616943f8a2b94e5ca860ccf5f628db03c2bd0e3bec341539f1bbe0ca

  • SHA512

    872838a53c90ccf2fbfd2b1429ed0a8066dfc5fe761a44ba0647ecbcced8ca9fe7f1620f9fede0bafcdadc7d6ec05e4146121f76a5882b830cbe1ef4ef08f78d

  • SSDEEP

    12288:uL9TxTU252j76IdIEjmo1LtnMqE51S9VWqjD:CTUq2vOEjmohtMqy9sD

Malware Config

Signatures

  • Downloads MZ/PE file
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes (MITRE ATT&CK T1546.010). The DLLs are named in the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (with a Wow6432Node copy for 32-bit processes), gated by LoadAppInit_DLLs, and are loaded into every process that maps user32.dll. Writing these values requires administrative rights, and the mechanism is disabled when Secure Boot is enabled on Windows 8 and later. This report flags the technique but does not list the value written, so confirm it from the sample's registry writes before relying on it as an IoC.

  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:164
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe" MD5
        3⤵
        • Loads dropped DLL
        PID:216
      • C:\Windows\system32\find.exe
        find /i /v "md5"
        3⤵
        PID:3212
      • C:\Windows\system32\find.exe
        find /i /v "certutil"
        3⤵
        PID:4312
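
The signature list and the process tree above describe three observable behaviours: a registry write to the AppInit_DLLs infrastructure, DLLs written into System32 by a binary running from the user's Temp directory, and a certutil -hashfile invocation whose header and footer lines are stripped with find /v (the sample reading back its own MD5). The following is an added Python example, not part of the tria.ge report or its signature engine, that runs one rule per behaviour over constructed Sysmon-style events modelled on the report. The event shapes, the allowlist of processes trusted to write into System32, and the DLL name shown in the AppInit registry write are assumptions for illustration; the report flags the AppInit technique but does not show the value that was set.

```python
"""Detection rules for the behaviours shown in this report, run over constructed
Sysmon-style events (added example, not tria.ge's own signature logic)."""
import re

# Constructed telemetry modelled on the process tree and dropped files above.
# Sysmon Event IDs: 1 = process create, 11 = file create, 13 = registry value set.
EVENTS = [
    {"id": 1, "pid": 164, "ppid": 2100, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c certutil -hashfile '
                r'"C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe" MD5 '
                r'| find /i /v "md5" | find /i /v "certutil"'},
    {"id": 1, "pid": 216, "ppid": 164, "image": r"C:\Windows\system32\certutil.exe",
     "cmdline": r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe" MD5'},
    {"id": 11, "pid": 2100, "image": r"C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe",
     "target": r"C:\Windows\system32\Update.dll"},
    {"id": 11, "pid": 2100, "image": r"C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe",
     "target": r"C:\Windows\system32\libcurl.dll"},
    # The report records this path without a drive letter; it is kept that way here.
    {"id": 11, "pid": 2100, "image": r"C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe",
     "target": r"\Windows\System32\zlib1.dll"},
    # Benign control: a servicing component writing a DLL into System32.
    {"id": 11, "pid": 900, "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "target": r"C:\Windows\System32\example.dll"},
    # Hypothetical AppInit write: the report flags the technique but does not show
    # the value set, so the DLL name below is a placeholder, not an observed IoC.
    {"id": 13, "pid": 2100, "image": r"C:\Users\Admin\AppData\Local\Temp\PermSpoofer.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "details": r"C:\Windows\system32\hypothetical.dll"},
]

# Native and Wow6432Node AppInit values (MITRE ATT&CK T1546.010).
APPINIT_VALUE_RE = re.compile(
    r"\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\Windows\\"
    r"(?:AppInit_DLLs|LoadAppInit_DLLs|RequireSignedAppInit_DLLs)$",
    re.IGNORECASE,
)
# A DLL written directly into System32; the drive letter is optional on purpose.
SYSTEM32_DLL_RE = re.compile(r"^(?:[A-Z]:)?\\Windows\\System32\\[^\\]+\.dll$", re.IGNORECASE)
# certutil -hashfile with its header/footer lines removed via find /v: a program
# reading back its own hash, rather than an operator checking a download.
SELF_HASH_RE = re.compile(
    r"certutil(?:\.exe)?\s+-hashfile\b.*\|\s*find\s+(?:/\w\s+)*/v\b", re.IGNORECASE
)

# Assumption: images permitted to place DLLs in System32 on this fleet (tune per environment).
TRUSTED_SYSTEM32_WRITERS = {
    r"c:\windows\servicing\trustedinstaller.exe",
    r"c:\windows\system32\msiexec.exe",
}


def rule_appinit_dlls(ev):
    return ev["id"] == 13 and APPINIT_VALUE_RE.search(ev["target"]) is not None


def rule_system32_dll_drop(ev):
    return (ev["id"] == 11
            and SYSTEM32_DLL_RE.match(ev["target"]) is not None
            and ev["image"].lower() not in TRUSTED_SYSTEM32_WRITERS)


def rule_certutil_self_hash(ev):
    return ev["id"] == 1 and SELF_HASH_RE.search(ev["cmdline"]) is not None


RULES = {
    "appinit_dlls": rule_appinit_dlls,
    "system32_dll_drop": rule_system32_dll_drop,
    "certutil_self_hash": rule_certutil_self_hash,
}


def run_rules(events):
    """Return (rule name, pid, evidence) for every event that matches a rule."""
    return [(name, ev["pid"], ev.get("target") or ev.get("cmdline"))
            for ev in events for name, rule in RULES.items() if rule(ev)]


def count_by_rule(events):
    """Hit count per rule, useful for asserting on a replayed event set."""
    return {name: sum(1 for ev in events if rule(ev)) for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, pid, evidence in run_rules(EVENTS):
        print(f"{name:20} pid={pid:<5} {evidence}")
```

Two details worth noting when adapting this. The pipeline is visible only in cmd.exe's command line; the certutil.exe child carries just `certutil -hashfile ... MD5`, so the self-hash rule fires on the parent, which is where PID 164 sits in the tree above. The System32 rule is purely path-based and tolerates a missing drive letter because the report itself records zlib1.dll that way; a rule that insisted on `C:\` would have missed one of the three drops.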

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\system32\Update.dll

    Filesize

    181KB

    MD5

    b4572dd19cea6ea0e5826ad50f17ef44

    SHA1

    56f3dd656a21bb4dfb6c2ff2dcd29d6ac3352de1

    SHA256

    904369c26f999c2d573dd38d9caec8f12717de9a21145475fed2a10d2a9b706a

    SHA512

    9d85eda5ed2ad78a83c1be41e1fef3976a8a711ec2eb65b618b75126c5fc0a6d8ea8b793d2cf7cf0fb96aad4bb791cb3f82bcecd9075619ef811d9846364d77d

  • C:\Windows\system32\libcurl.dll

    Filesize

    557KB

    MD5

    d38a9d652cccade6a55a7a596fe599fd

    SHA1

    7138eed6a42da921585acea27f5b3c6dc716537c

    SHA256

    c2ec5ee6d93d85e396c971d026731c354402be2029ac4f0deb2515dc2ae1c61b

    SHA512

    bce04101536a2c6c6945ec2206bcc9974ee75bd34c554fbe0a2ff6d49e2807894bb1b8d51a9a6c5dcb87103c9915c817791f0372a8063c6de94359f1e1851a41

  • \Windows\System32\zlib1.dll

    Filesize

    88KB

    MD5

    f647da5c0665cd44a85c2f2e06dad122

    SHA1

    b58626f113fa720e149ec0e0c8624597661ba77e

    SHA256

    3ffb0110c5a46fa372c025f7d5c393ad364feafe38aabd5e7f91fe64c0409dc0

    SHA512

    274e2d004248a39a4bc50641727652d283b6e618bf16a5bfd1ff73bdab2eb9dd92ef217a65ed451efcaf31ccf58054dc10c6a213f4287db16e25803ce3f97759