
Analysis

  • max time kernel
    110s
  • max time network
    83s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    27/08/2024, 15:04 UTC

General

  • Target

    nvkFix/Control Defender/dControl.exe

  • Size

    447KB

  • MD5

    58008524a6473bdf86c1040a9a9e39c3

  • SHA1

    cb704d2e8df80fd3500a5b817966dc262d80ddb8

  • SHA256

    1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

  • SHA512

    8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31

  • SSDEEP

    6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX or with a modified build of the open-source UPX packer.

  • Windows security modification 2 TTPs 4 IoCs
  • Modifies Security services 2 TTPs 3 IoCs

    Modifies the startup behavior of a security service.

  • AutoIT Executable 13 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
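
The two signatures above that matter most for response, Image File Execution Options injection (ATT&CK T1546.012) and the change to a security service's startup type (T1562.001), are both registry writes, so they are cheap to detect from registry SetValue telemetry. The following is an added example written for this page, not code from Triage or from the analysed sample: it runs a detector over constructed event lines in a made-up `pid|image|key|value` format. The sample events, the IFEO target `example.exe`, the debugger path `C:\Windows\Temp\hypothetical.exe` and the `WATCHED_SERVICES` list are assumptions for the example; the report does not name which image or service this sample touched.

```python
"""Added example (not part of the Triage report or of the analysed sample):
a small detector for two behaviours the signatures above name,
Image File Execution Options injection (ATT&CK T1546.012) and modification
of a security service's startup type (T1562.001), run over constructed
registry SetValue events. The 'pid|image|key|value' line format, the sample
events and WATCHED_SERVICES are assumptions made for this example."""
import re

# IFEO key: a Debugger value makes Windows launch that path instead of the image.
IFEO_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
    r"Image File Execution Options\\(?P<image>[^\\]+)\\Debugger$",
    re.IGNORECASE,
)
# Service Start value: 2 = automatic, 3 = manual, 4 = disabled.
SERVICE_START_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\"
    r"(?P<service>[^\\]+)\\Start$",
    re.IGNORECASE,
)
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Assumption: security-related services whose Start value we want to watch.
WATCHED_SERVICES = {"windefend", "wdnissvc", "sense", "securityhealthservice", "wscsvc"}


def parse_event(line):
    """Parse one constructed 'pid|image|key|value' line; None if malformed."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    pid, image, key, value = parts
    return {"pid": int(pid), "image": image, "key": key, "value": value}


def classify(event):
    """Return a finding for an IFEO Debugger write or for a watched service's
    Start value changing; None for anything else."""
    m = IFEO_RE.match(event["key"])
    if m:
        return {
            "technique": "T1546.012",
            "pid": event["pid"],
            "image": event["image"],
            "detail": f"IFEO Debugger for {m.group('image')} -> {event['value']}",
        }
    m = SERVICE_START_RE.match(event["key"])
    if m and m.group("service").lower() in WATCHED_SERVICES:
        start = START_TYPES.get(event["value"], event["value"])
        return {
            "technique": "T1562.001",
            "pid": event["pid"],
            "image": event["image"],
            "detail": f"{m.group('service')} Start -> {start}",
        }
    return None


def scan(lines):
    """Run classify() over an iterable of event lines and collect the findings."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events; the registry targets are hypothetical and are
# not taken from the report.
SAMPLE_EVENTS = [
    r"4321|C:\Windows\System32\svchost.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell|explorer.exe",
    r"4321|C:\Windows\System32\svchost.exe|HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start|2",
    r"896|C:\Users\Admin\AppData\Local\Temp\nvkFix\Control Defender\dControl.exe"
    r"|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe\Debugger"
    r"|C:\Windows\Temp\hypothetical.exe",
    r"896|C:\Users\Admin\AppData\Local\Temp\nvkFix\Control Defender\dControl.exe"
    r"|HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\Start|4",
    "not a valid event line",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['technique']} pid={f['pid']} {f['detail']}")
```

Benign writes to the same hives (the Winlogon Shell value, the Spooler service) fall through, and the malformed last line is skipped rather than raising; only the IFEO Debugger write and the WinDefend Start change are reported. To use this against real telemetry, replace `parse_event` with a reader for your source (Sysmon Event ID 13 or an EDR registry feed) and keep `classify` as-is.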

Processes

  • C:\Users\Admin\AppData\Local\Temp\nvkFix\Control Defender\dControl.exe
    "C:\Users\Admin\AppData\Local\Temp\nvkFix\Control Defender\dControl.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3800
    • C:\Users\Admin\AppData\Local\Temp\nvkFix\Control Defender\dControl.exe
      "C:\Users\Admin\AppData\Local\Temp\nvkFix\Control Defender\dControl.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1032
      • C:\Users\Admin\AppData\Local\Temp\nvkFix\Control Defender\dControl.exe
        "C:\Users\Admin\AppData\Local\Temp\nvkFix\Control Defender\dControl.exe" /TI
        3⤵
        • Modifies security service
        • Event Triggered Execution: Image File Execution Options Injection
        • Windows security modification
        • Modifies Security services
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:896
  • \??\c:\windows\system32\gpscript.exe
    gpscript.exe /RefreshSystemParam
    1⤵
    PID:1760
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
    1⤵
    PID:3164
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
    PID:1504
  • \??\c:\windows\system32\gpscript.exe
    gpscript.exe /RefreshSystemParam
    1⤵
    PID:2196

Network

  • DNS (resolver geolocated: US)
    Remote address
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa IN PTR
    Response
    No results found
  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    Protocol
    dns
    Bytes sent / received
    72 B / 158 B
    Packets sent / received
    1 / 1
    DNS Request
    29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nvkFix\Control Defender\dControl.ini
    Filesize
    2KB
    MD5
    77bd39397b10a376faca17d5301ecabd
    SHA1
    d9d9570513c8b42897d2e3f0cb16fecc64146b61
    SHA256
    100aa74284b87483b5788ba61a1eaada15f04a16364373bf278af7e9ca471845
    SHA512
    a87fc1cdb1496377b0682f40ee4fcc19bea4971895de263c579a3b535f21c643ffadce5852e5177fff3210413aad65a79ade0920615691d838f4ba30cff1d5ae
  • C:\Windows\System32\GroupPolicy\gpt.ini
    Filesize
    233B
    MD5
    cd4326a6fd01cd3ca77cfd8d0f53821b
    SHA1
    a1030414d1f8e5d5a6e89d5a309921b8920856f9
    SHA256
    1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c
    SHA512
    29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67
  • C:\Windows\Temp\1b0g3e2k.tmp
    Filesize
    37KB
    MD5
    3bc9acd9c4b8384fb7ce6c08db87df6d
    SHA1
    936c93e3a01d5ae30d05711a97bbf3dfa5e0921f
    SHA256
    a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79
    SHA512
    f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375
  • C:\Windows\Temp\6qkb8g9e.tmp
    Filesize
    37KB
    MD5
    e00dcc76e4dcd90994587375125de04b
    SHA1
    6677d2d6bd096ec1c0a12349540b636088da0e34
    SHA256
    c8709f5a8b971d136e2273d66e65449791ca8eba1f47dd767733ea52ee635447
    SHA512
    8df7bc46ef0b2e2d4da6d8f31b102ff4813c6544cb751eb700b79fa0fae780814551b58ec8d19ff29cbf8547709add7eef637a52a217714d1a18b450f6755ec8
  • C:\Windows\Temp\aut639C.tmp
    Filesize
    14KB
    MD5
    9d5a0ef18cc4bb492930582064c5330f
    SHA1
    2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8
    SHA256
    8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3
    SHA512
    1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4
  • C:\Windows\Temp\aut63AC.tmp
    Filesize
    12KB
    MD5
    efe44d9f6e4426a05e39f99ad407d3e7
    SHA1
    637c531222ee6a56780a7fdcd2b5078467b6e036
    SHA256
    5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366
    SHA512
    8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63
  • C:\Windows\Temp\aut63AD.tmp
    Filesize
    7KB
    MD5
    ecffd3e81c5f2e3c62bcdc122442b5f2
    SHA1
    d41567acbbb0107361c6ee1715fe41b416663f40
    SHA256
    9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5
    SHA512
    7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76
  • memory/896-95-0x0000000000400000-0x00000000004CD000-memory.dmp
    Filesize
    820KB
  • memory/896-126-0x0000000000400000-0x00000000004CD000-memory.dmp
    Filesize
    820KB
  • memory/896-94-0x0000000000400000-0x00000000004CD000-memory.dmp
    Filesize
    820KB
  • memory/896-129-0x0000000000400000-0x00000000004CD000-memory.dmp
    Filesize
    820KB
  • memory/896-128-0x0000000000400000-0x00000000004CD000-memory.dmp
    Filesize
    820KB
  • memory/896-120-0x0000000000400000-0x00000000004CD000-memory.dmp
    Filesize
    820KB
  • memory/896-122-0x0000000000400000-0x00000000004CD000-memory.dmp
    Filesize
    820KB
  • memory/896-123-0x0000000000400000-0x00000000004CD000-memory.dmp
    Filesize
    820KB
  • memory/896-124-0x0000000000400000-0x00000000004CD000-memory.dmp
    Filesize
    820KB
  • memory/896-125-0x0000000000400000-0x00000000004CD000-memory.dmp
    Filesize
    820KB
  • memory/896-127-0x0000000000400000-0x00000000004CD000-memory.dmp
    Filesize
    820KB
  • memory/1032-44-0x0000000000400000-0x00000000004CD000-memory.dmp
    Filesize
    820KB
  • memory/3800-22-0x0000000000400000-0x00000000004CD000-memory.dmp
    Filesize
    820KB
  • memory/3800-0-0x0000000000400000-0x00000000004CD000-memory.dmp
    Filesize
    820KB
