Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    15/09/2024, 01:55

General

  • Target

    Mw3Chair.exe

  • Size

    93.8MB

  • MD5

    2dfdda495ef398f421af9821ec5bd6fb

  • SHA1

    7bc7a0716e47064842c2616a2fe1a5a6c4ebaf24

  • SHA256

    f77744f36fab5f4abb3ae0cf2bfade543ec90472bcdef6508bddf38493fa6873

  • SHA512

    1c2af9e84ef2cbe0949e02e3e62cb0a178c53e05260ba0887888e7ff78adcc13d60f0ac4b444a1d3733ef462249b96be17c04d211c08e5dcbd6d42fd5673e508

  • SSDEEP

    1572864:509tMO8gn6D68Uzusf2nhqQVGNgV2UIsVHBfgxXW5snXOyi4oLmm0GTjuME7:pTgOizfeR6gV2Vy4xXW5sXOPAxMjuMW

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mw3Chair.exe
    "C:\Users\Admin\AppData\Local\Temp\Mw3Chair.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Roaming\rr.exe
      "C:\Users\Admin\AppData\Roaming\rr.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
      • C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\rr.exe
        C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\rr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2880
    • C:\Users\Admin\AppData\Roaming\CORTEX.exe
      "C:\Users\Admin\AppData\Roaming\CORTEX.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c Color 4
        3⤵
          PID:2584
        • C:\Windows\system32\cmd.exe
          cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\Windows\system32\taskkill.exe
            taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1692
        • C:\Windows\system32\cmd.exe
          cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2644
          • C:\Windows\system32\taskkill.exe
            taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2404
        • C:\Windows\system32\cmd.exe
          cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2692
          • C:\Windows\system32\taskkill.exe
            taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:764
        • C:\Windows\system32\cmd.exe
          cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1196
          • C:\Windows\system32\sc.exe
            sc stop HTTPDebuggerPro
            4⤵
            • Launches sc.exe
            PID:2360
        • C:\Windows\system32\cmd.exe
          cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2132
          • C:\Windows\system32\taskkill.exe
            taskkill /IM HTTPDebuggerSvc.exe /F
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2640
        • C:\Windows\system32\cmd.exe
          cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
          3⤵
            PID:1776
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\CORTEX.exe" MD5
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\system32\certutil.exe
              certutil -hashfile "C:\Users\Admin\AppData\Roaming\CORTEX.exe" MD5
              4⤵
                PID:2928
            • C:\Windows\system32\cmd.exe
              cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
              3⤵
                PID:2760
                • C:\Windows\system32\taskkill.exe
                  taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                  4⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2888
              • C:\Windows\system32\cmd.exe
                cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                3⤵
                  PID:2836
                  • C:\Windows\system32\taskkill.exe
                    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                    4⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:484
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                  3⤵
                    PID:2752
                    • C:\Windows\system32\taskkill.exe
                      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                      4⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2900
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                    3⤵
                      PID:2872
                      • C:\Windows\system32\sc.exe
                        sc stop HTTPDebuggerPro
                        4⤵
                        • Launches sc.exe
                        PID:2028
                    • C:\Windows\system32\cmd.exe
                      cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                      3⤵
                        PID:2948
                        • C:\Windows\system32\taskkill.exe
                          taskkill /IM HTTPDebuggerSvc.exe /F
                          4⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2764
                      • C:\Windows\system32\cmd.exe
                        cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                        3⤵
                          PID:2964
                        • C:\Windows\system32\cmd.exe
                          cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                          3⤵
                            PID:584
                            • C:\Windows\system32\taskkill.exe
                              taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                              4⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2496
                          • C:\Windows\system32\cmd.exe
                            cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                            3⤵
                              PID:980
                              • C:\Windows\system32\taskkill.exe
                                taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                4⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1624
                            • C:\Windows\system32\cmd.exe
                              cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                              3⤵
                                PID:984
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                  4⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2168
                              • C:\Windows\system32\cmd.exe
                                cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                3⤵
                                  PID:3052
                                  • C:\Windows\system32\sc.exe
                                    sc stop HTTPDebuggerPro
                                    4⤵
                                    • Launches sc.exe
                                    PID:2844
                                • C:\Windows\system32\cmd.exe
                                  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                  3⤵
                                    PID:2248
                                    • C:\Windows\system32\taskkill.exe
                                      taskkill /IM HTTPDebuggerSvc.exe /F
                                      4⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2772
                                  • C:\Windows\system32\cmd.exe
                                    cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                    3⤵
                                      PID:2476
                                    • C:\Windows\system32\cmd.exe
                                      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                      3⤵
                                        PID:1008
                                        • C:\Windows\system32\taskkill.exe
                                          taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                          4⤵
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:108
                                      • C:\Windows\system32\cmd.exe
                                        cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                        3⤵
                                          PID:1576
                                          • C:\Windows\system32\taskkill.exe
                                            taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                            4⤵
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1764
                                        • C:\Windows\system32\cmd.exe
                                          cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                          3⤵
                                            PID:560
                                            • C:\Windows\system32\taskkill.exe
                                              taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                              4⤵
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2804
                                          • C:\Windows\system32\cmd.exe
                                            cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                            3⤵
                                              PID:1640
                                              • C:\Windows\system32\sc.exe
                                                sc stop HTTPDebuggerPro
                                                4⤵
                                                • Launches sc.exe
                                                PID:2344
                                            • C:\Windows\system32\cmd.exe
                                              cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                              3⤵
                                                PID:2288
                                                • C:\Windows\system32\taskkill.exe
                                                  taskkill /IM HTTPDebuggerSvc.exe /F
                                                  4⤵
                                                  • Kills process with taskkill
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2728
                                              • C:\Windows\system32\cmd.exe
                                                cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                3⤵
                                                  PID:1860

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\ffmpeg.dll

                                              Filesize

                                              2.8MB

                                              MD5

                                              cc00135fe47c2e1e3c2afdae364e343e

                                              SHA1

                                              b6f2edebeae328004537147e4743523f1eba88fe

                                              SHA256

                                              5dad57ea08d8af1e78889e7b9191a0d4cb55e6124a447a8ab352064ca20a200d

                                              SHA512

                                              cbd7392ffb932241eaa3d67e4df7e2fa1163529e46ecf7ed17eb80fe5f36895ed00b39feccbb9966cfaebafba83b576a4f9a17593bb2bb61d8df70703d90b35f

                                            • C:\Users\Admin\AppData\Local\Temp\nseF7F7.tmp\StdUtils.dll

                                              Filesize

                                              100KB

                                              MD5

                                              c6a6e03f77c313b267498515488c5740

                                              SHA1

                                              3d49fc2784b9450962ed6b82b46e9c3c957d7c15

                                              SHA256

                                              b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

                                              SHA512

                                              9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

                                            • C:\Users\Admin\AppData\Roaming\CORTEX.exe

                                              Filesize

                                              16.1MB

                                              MD5

                                              66d8819bc195304bf89ff06d186f7806

                                              SHA1

                                              ff1295cba9c2cd3ea0c0fcd1d55d2b8170deddfc

                                              SHA256

                                              13e4c83b9fb05b82bb26dd299d7c3fa38ac829b4d99b33f257a1f680f965938f

                                              SHA512

                                              a5dbf7be3d4cf5c13abf846554147f0bf32c4732b7ed81e9a415b37fc5f5abef97a01f61e744ca24394105451a9addffbd62338283feb9ca83e359728063591b

                                            • \Users\Admin\AppData\Local\Temp\nseF7F7.tmp\System.dll

                                              Filesize

                                              12KB

                                              MD5

                                              0d7ad4f45dc6f5aa87f606d0331c6901

                                              SHA1

                                              48df0911f0484cbe2a8cdd5362140b63c41ee457

                                              SHA256

                                              3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

                                              SHA512

                                              c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

                                            • \Users\Admin\AppData\Local\Temp\nseF7F7.tmp\nsis7z.dll

                                              Filesize

                                              424KB

                                              MD5

                                              80e44ce4895304c6a3a831310fbf8cd0

                                              SHA1

                                              36bd49ae21c460be5753a904b4501f1abca53508

                                              SHA256

                                              b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

                                              SHA512

                                              c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

                                            • memory/2172-0-0x000007FEF65E3000-0x000007FEF65E4000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/2172-1-0x0000000000A90000-0x000000000685A000-memory.dmp

                                              Filesize

                                              93.8MB

                                            • memory/2732-31-0x000000013FC90000-0x0000000141791000-memory.dmp

                                              Filesize

                                              27.0MB

                                            • memory/2732-29-0x0000000077C60000-0x0000000077C62000-memory.dmp

                                              Filesize

                                              8KB

                                            • memory/2732-27-0x0000000077C60000-0x0000000077C62000-memory.dmp

                                              Filesize

                                              8KB

                                            • memory/2732-25-0x0000000077C60000-0x0000000077C62000-memory.dmp

                                              Filesize

                                              8KB