Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

345041b001...c7.exe

windows7_x64

10

345041b001...c7.exe

windows10-2004_x64

9

Analysis

  • max time kernel
    129s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    19/06/2022, 21:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    345041b00180bad7206359e55d8fb1da78eec16beca7370df1eef6cbe45b04c7.exe

  • Size

    1.1MB

  • MD5

    f1168458e9896689210ed1f3b1622a6c

  • SHA1

    13eb79d42211367ac3b2434110c48421b74546aa

  • SHA256

    345041b00180bad7206359e55d8fb1da78eec16beca7370df1eef6cbe45b04c7

  • SHA512

    da1f4139aa22521ae28332cf608412d7a6dda6a38d9119b963870f89500c1be659deab21b319303f6ed7438fcdc18e7cf0bf80f121591aa7ecb661710ed106f6

Score
9/10
collection

Malware Config

Signatures

  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\345041b00180bad7206359e55d8fb1da78eec16beca7370df1eef6cbe45b04c7.exe
    "C:\Users\Admin\AppData\Local\Temp\345041b00180bad7206359e55d8fb1da78eec16beca7370df1eef6cbe45b04c7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\inRFpfPsUl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2A8A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1096
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4600
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp593C.tmp"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4256
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5D53.tmp"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:3144

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp2A8A.tmp
    Filesize

    1KB

    MD5

    a6b27e11a1c475dbb44a8cc366d6d83d

    SHA1

    22b9e64b237a736c91e799377435b2a7cd5d0d62

    SHA256

    e5016a851c16fa9ad88052fb91b27aa9d41389b0d59f5adcd4828a5b00c4fc7c

    SHA512

    2462166799a4884a07f565493ccfcdd545a4b84c98d7b84fa0591bd335dc260f35b0a2a812f2408a7836f2638ba2d55b3a41adb8719ff56b8d146b42ede901cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp593C.tmp
    Filesize

    4KB

    MD5

    92b3d04dbcf7aa8eabb0096c55624068

    SHA1

    04a3b14a8f16bdd8a67f1b5d6be8c3db79c766c7

    SHA256

    84e388e2bbff6a229d99df8d7e0558e46e793106c2f3bb290c6acc06fe31fe9c

    SHA512

    fbd6a298b66e2117f68028cdf9fa1b3e441f87fa8a052ce1be628ae65116d5b2953cdc8117dce57e86475a75412b1a85f431eb0da6dd788ec5312d34ff71f9d1

    Download Submit

  • memory/3144-150-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3144-149-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3144-147-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/4256-144-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/4256-140-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/4256-142-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/4256-143-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/4600-138-0x0000000074A60000-0x0000000075011000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4600-137-0x0000000074A60000-0x0000000075011000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5056-130-0x0000000074A60000-0x0000000075011000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5056-136-0x0000000074A60000-0x0000000075011000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5056-131-0x0000000074A60000-0x0000000075011000-memory.dmp

    Filesize

    5.7MB

    Download