Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

5

Static

static

3

mpclient.exe

windows7-x64

5

mpclient.exe

windows10-2004-x64

5

Resubmissions

10/10/2024, 16:44

241010-t82a7s1dmq 7

10/10/2024, 16:43

241010-t8bqjs1djp 5

10/10/2024, 16:30

241010-tz1nbazhmp 5

Analysis

  • max time kernel
    300s
  • max time network
    297s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-ja
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-jalocale:ja-jpos:windows10-2004-x64systemwindows
  • submitted
    10/10/2024, 16:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mpclient.exe

  • Size

    186KB

  • MD5

    6bd4d7f68924301051c22e8a951aecba

  • SHA1

    2ae2a6b863616b61ccb550fc1a145ae025896de1

  • SHA256

    9afd12eede0db98a35aba52f53041efa4a2f2a03673672c7ac530830b7152392

  • SHA512

    ebf97dcc36413e9c05da1df9d296bd5226f2c5acc86f8592755f10454328ffa90dc9805825ede64f350fade5de9cef73d050aad569b733f914da6aa92740f708

  • SSDEEP

    3072:crWzrkggF1yGunZZwFrUhxDR1cAoPF+sq:uCzgF1enfwFrUk

Score
5/10
upx

Malware Config

Signatures

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Windows\system32\mpclient.exe
      C:\Windows\system32\mpclient.exe -svc
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2280
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4200
      • C:\Windows\system32\dllhost.exe
        C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3984
  • C:\Users\Admin\AppData\Local\Temp\mpclient.exe
    "C:\Users\Admin\AppData\Local\Temp\mpclient.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1780
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -Install
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:3396
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1424
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
      1⤵
        PID:1716

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1200-44-0x0000000180000000-0x0000000180066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1200-32-0x0000025BC15E0000-0x0000025BC15E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1780-0-0x0000000000610000-0x0000000000611000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1780-1-0x0000000180000000-0x0000000180066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1780-6-0x0000000180000000-0x0000000180066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1780-4-0x0000000180000000-0x0000000180066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1780-7-0x0000000180000000-0x0000000180066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1780-8-0x00007FFA4EF10000-0x00007FFA4F105000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1780-5-0x0000000180000000-0x0000000180066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1780-19-0x0000000180000000-0x0000000180066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1780-18-0x00007FFA403B0000-0x00007FFA40512000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2280-30-0x0000000180000000-0x0000000180066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2280-31-0x00007FFA4EF10000-0x00007FFA4F105000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2280-35-0x00007FFA405E0000-0x00007FFA40742000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2280-36-0x0000000180000000-0x0000000180066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3396-16-0x00007FFA4EF10000-0x00007FFA4F105000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3396-17-0x0000000180000000-0x0000000180066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3396-9-0x00000264175C0000-0x00000264175C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3984-66-0x0000000180000000-0x0000000180066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3984-67-0x0000000180000000-0x0000000180066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3984-65-0x00007FFA4EF10000-0x00007FFA4F105000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4200-50-0x00007FFA4EF10000-0x00007FFA4F105000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4200-51-0x0000000180000000-0x0000000180066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4200-59-0x0000000180000000-0x0000000180066000-memory.dmp

        Filesize

        408KB

        Download