
Analysis

  • max time kernel
    25s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    20/02/2022, 01:38 UTC

General

  • Target

    d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe

  • Size

    203KB

  • MD5

    1204f4881b1b67007e74e3129ae74992

  • SHA1

    1a184b8e44c447140300946287300b8f382654ac

  • SHA256

    d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b

  • SHA512

    c87ef11347596e0969309568a92f138810eb13b46378ce5c2321597d2b006d65165d711ebb9a3372d3396c730ce7c552a0b54562e873ddba8513590316458e47

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Reads the country code configured in the registry; commonly a geofence check so the payload runs only in (or never in) particular countries.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox treats this as likely ransomware behaviour, but drive enumeration is also routine in installers and backup tools, so weigh it against the other signatures rather than on its own.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3368
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    PID:3156
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:2424
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:2340
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2312
  • C:\Users\Admin\AppData\Local\Temp\d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
    "C:\Users\Admin\AppData\Local\Temp\d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Users\Admin\AppData\Local\Temp\PYddFde.exe
      "C:\Users\Admin\AppData\Local\Temp\PYddFde.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:2576
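One way to hunt for the pattern behind the "Executes dropped EXE" signature in the tree above (a Temp-resident sample starting a second executable from the same Temp directory) in endpoint process-creation telemetry. This is an added example and not part of the tria.ge report or its tooling. The records are constructed to mirror the report's process tree: the PIDs, image paths and command lines are taken from the report, while the parent PIDs and parent images of the depth-1 processes are not in the report and are left as placeholders (0 and ""). Field names only mimic Sysmon Event ID 1; nothing here parses real Sysmon output.

```python
"""Hunt for the 'Executes dropped EXE' pattern in process-creation telemetry.

Added example for this report, not tria.ge code. The records below are
constructed to mirror the process tree in the report: PIDs, image paths and
command lines are the report's; parent PIDs and parent images of the depth-1
processes are not in the report and are left as 0 / "" (placeholders).
Field names mimic Sysmon Event ID 1 (ProcessCreate) but nothing here parses
real Sysmon XML.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Per-user Temp directory on Windows. Case-insensitive because NTFS paths are.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessCreate:
    """The subset of Sysmon Event ID 1 fields the check needs."""
    ProcessId: int
    ParentProcessId: int
    Image: str
    ParentImage: str
    CommandLine: str


def in_user_temp(path: str) -> bool:
    """True when the image lives under a user's AppData\\Local\\Temp."""
    return USER_TEMP_RE.match(path) is not None


def build_index(events: List[ProcessCreate]) -> Dict[int, ProcessCreate]:
    """Map PID -> creation record (last record wins if a PID is reused)."""
    return {e.ProcessId: e for e in events}


def ancestry(index: Dict[int, ProcessCreate], pid: int, max_hops: int = 16) -> List[str]:
    """Image paths from the outermost known ancestor down to `pid`.

    Stops at a PID with no record and after max_hops, so PID reuse in real
    telemetry (a child PID equal to some ancestor's PID) cannot loop forever.
    """
    chain: List[str] = []
    seen = set()
    while pid in index and pid not in seen and len(chain) < max_hops:
        seen.add(pid)
        chain.append(index[pid].Image)
        pid = index[pid].ParentProcessId
    chain.reverse()
    return chain


def find_temp_drops(events: List[ProcessCreate]) -> List[dict]:
    """One finding per process whose image runs from a user Temp directory.

    severity 'high' when the parent also runs from Temp (a Temp-resident
    sample starting the executable it just wrote, as PYddFde.exe above);
    'medium' for any other Temp-resident process.
    """
    index = build_index(events)
    findings = []
    for e in events:
        if not in_user_temp(e.Image):
            continue
        findings.append({
            "pid": e.ProcessId,
            "severity": "high" if in_user_temp(e.ParentImage) else "medium",
            "image": e.Image,
            "command_line": e.CommandLine,
            "chain": " -> ".join(ancestry(index, e.ProcessId)),
        })
    return findings


TARGET = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\PYddFde.exe"

# Constructed records mirroring the report's tree (parent fields of the
# depth-1 processes are placeholders, see module docstring).
SAMPLE_EVENTS = [
    ProcessCreate(3368, 0, r"C:\Windows\system32\DllHost.exe", "",
                  r"C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}"),
    ProcessCreate(3156, 0, r"C:\Windows\system32\svchost.exe", "",
                  r"C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc"),
    ProcessCreate(2424, 0, r"C:\Windows\system32\taskhostw.exe", "",
                  r"taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}"),
    ProcessCreate(2340, 0, r"C:\Windows\system32\svchost.exe", "",
                  r"C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc"),
    ProcessCreate(2312, 0, r"C:\Windows\system32\sihost.exe", "", "sihost.exe"),
    ProcessCreate(1964, 0, TARGET, "", f'"{TARGET}"'),
    ProcessCreate(2576, 1964, DROPPED, TARGET, f'"{DROPPED}" 8 LAN'),
]

if __name__ == "__main__":
    for f in find_temp_drops(SAMPLE_EVENTS):
        print(f"[{f['severity']}] PID {f['pid']}: {f['chain']}")
        print(f"          cmd: {f['command_line']}")
```

Run as a script, it reports the target itself at medium severity (a Temp-resident executable with no Temp-resident parent) and PYddFde.exe at high severity with the chain target -> PYddFde.exe. Against real telemetry, feed it the ProcessCreate events of one host and one logon session; the ancestry walk deliberately stops at unknown PIDs, so the chain is only as complete as the records you collected.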

Network

  • 72.21.81.240:80
    322 B
    7
  • 72.21.81.240:80
    322 B
    7
  • 72.21.81.240:80
    260 B
    5

MITRE ATT&CK Enterprise v6


Downloads

  • memory/2312-132-0x00007FF6E3240000-0x00007FF6E33B5000-memory.dmp (sihost.exe, PID 2312)

    Filesize

    1.5MB

  • memory/2340-133-0x00007FF6E3240000-0x00007FF6E33B5000-memory.dmp (svchost.exe -k UnistackSvcGroup -s CDPUserSvc, PID 2340)

    Filesize

    1.5MB

Both dumps cover the same 1.5MB range at the same virtual address, taken from two system processes that sit at depth 1 in the tree above and are not children of the target.
