Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

301a3f5017...le.exe

windows7_x64

10

301a3f5017...le.exe

windows10_x64

10

Resubmissions

23/03/2024, 23:50

240323-3vttmsed88 10

12/12/2020, 10:26

201212-wddwj75xse 10

Analysis

  • max time kernel
    66s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12/12/2020, 10:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe

  • Size

    413KB

  • MD5

    3023d7526b479ea3df315a5b1779a43d

  • SHA1

    b5ae71b96a28b9353a4f33c5370ac18750937c17

  • SHA256

    301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f

  • SHA512

    67fe1cf7538e8ef76b6acbba99326af0de58464bf5710ae6fa7b85d73da9a84c58122de6b87c7d9560f0d366de711a95d03be231c1018eacb7489fd32aeb0834

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • ServiceHost packer 8 IoCs

    Detects ServiceHost packer used for .NET malware

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:492
    • C:\Windows\syswow64\svchost.exe
      C:\Windows\syswow64\svchost.exe
      2⤵
        PID:1996
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 208
          3⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4040
      • C:\Windows\syswow64\svchost.exe
        C:\Windows\syswow64\svchost.exe
        2⤵
          PID:208
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 204
            3⤵
            • Suspicious use of NtCreateProcessExOtherParentProcess
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2904
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKeNIVpFABUmG.bat" 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:636
          • C:\Windows\SysWOW64\attrib.exe
            attrib -r -s -h 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe
            3⤵
            • Views/modifies file attributes
            PID:1012

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/208-14-0x0000000000080000-0x000000000008C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/208-13-0x0000000000080000-0x000000000008C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/492-2-0x0000000000DB0000-0x0000000000DF0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1996-4-0x0000000000080000-0x000000000008C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1996-5-0x0000000000080000-0x000000000008C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2904-15-0x0000000005000000-0x0000000005001000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2904-20-0x0000000005630000-0x0000000005631000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4040-6-0x00000000047A0000-0x00000000047A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4040-12-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

        Filesize

        4KB

        Download