Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

4cd742ef52...29.exe

windows7-x64

10

4cd742ef52...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2022, 03:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4cd742ef523908c6494b3bfa503a3542b90ded8c8796eb3323faf42926e8c729.exe

  • Size

    484KB

  • MD5

    b5a956bc2eaaf2e93c1910a701f21dd1

  • SHA1

    6e39d033c0652151a7f00313580e8b1194d1be59

  • SHA256

    4cd742ef523908c6494b3bfa503a3542b90ded8c8796eb3323faf42926e8c729

  • SHA512

    5e3996b9c3e31a8b1735eacd6020629606915773af04e2cba6d70b1ed5f3f8489e1746cbf2882f24a645802a6a58ea5b320b8670538a1998a5bf083d357712ac

  • SSDEEP

    12288:moUld/f2I9JECdYW4/e4Pii15XZSAmKjlafbdDNUQ:w92ILECd0R15XZS3QafpDNUQ

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 7 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cd742ef523908c6494b3bfa503a3542b90ded8c8796eb3323faf42926e8c729.exe
    "C:\Users\Admin\AppData\Local\Temp\4cd742ef523908c6494b3bfa503a3542b90ded8c8796eb3323faf42926e8c729.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3948
    • C:\Users\Admin\LB9c4j3K.exe
      C:\Users\Admin\LB9c4j3K.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3976
      • C:\Users\Admin\siise.exe
        "C:\Users\Admin\siise.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4016
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del LB9c4j3K.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4724
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:3484
    • C:\Users\Admin\aahost.exe
      C:\Users\Admin\aahost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1048
      • C:\Users\Admin\aahost.exe
        "C:\Users\Admin\aahost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4700
    • C:\Users\Admin\bshost.exe
      C:\Users\Admin\bshost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
          PID:5084
      • C:\Users\Admin\dyhost.exe
        C:\Users\Admin\dyhost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:492
      • C:\Users\Admin\ekhost.exe
        C:\Users\Admin\ekhost.exe
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1348
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3952
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:2828
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del 4cd742ef523908c6494b3bfa503a3542b90ded8c8796eb3323faf42926e8c729.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4356
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:448

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\LB9c4j3K.exe
      Filesize

      212KB

      MD5

      fa0eb2a8b561ea9afc6a51709ff0d7de

      SHA1

      4ef5265f5b5bb1a4857e7668f132405c799da155

      SHA256

      99ecfb1bb7cdb1e8dd609e60b10d5346b90284172c854b6234631212dd501c4f

      SHA512

      0e8b194cb0e65429b84ac32a0fa131d072f7f425804df192d7a90a7ec6eb7ce9991716ce5a9ca3bcd106181076832d5fa7d6f9cbe67fc80a427ef7980beb75c6

      Download Submit

    • C:\Users\Admin\LB9c4j3K.exe
      Filesize

      212KB

      MD5

      fa0eb2a8b561ea9afc6a51709ff0d7de

      SHA1

      4ef5265f5b5bb1a4857e7668f132405c799da155

      SHA256

      99ecfb1bb7cdb1e8dd609e60b10d5346b90284172c854b6234631212dd501c4f

      SHA512

      0e8b194cb0e65429b84ac32a0fa131d072f7f425804df192d7a90a7ec6eb7ce9991716ce5a9ca3bcd106181076832d5fa7d6f9cbe67fc80a427ef7980beb75c6

      Download Submit

    • C:\Users\Admin\aahost.exe
      Filesize

      140KB

      MD5

      93ea44e078cb0477614729636866a84b

      SHA1

      f9752413d48fd98a77cfce8fff04a7a0d72c26d8

      SHA256

      c16c3df8b6b4187e04a6abb49a15eb02ccefdce86068960ab3afeb088bf4ba27

      SHA512

      351bafb9dc5395a9cd1393b76cba405312a5d85a59e5b1c0e891c2de1343b2bc2765a40077e4155fbd9a5578db3be66ace35e27ff02cb32f813ba01db4fc1113

      Download Submit

    • C:\Users\Admin\aahost.exe
      Filesize

      140KB

      MD5

      93ea44e078cb0477614729636866a84b

      SHA1

      f9752413d48fd98a77cfce8fff04a7a0d72c26d8

      SHA256

      c16c3df8b6b4187e04a6abb49a15eb02ccefdce86068960ab3afeb088bf4ba27

      SHA512

      351bafb9dc5395a9cd1393b76cba405312a5d85a59e5b1c0e891c2de1343b2bc2765a40077e4155fbd9a5578db3be66ace35e27ff02cb32f813ba01db4fc1113

      Download Submit

    • C:\Users\Admin\aahost.exe
      Filesize

      140KB

      MD5

      93ea44e078cb0477614729636866a84b

      SHA1

      f9752413d48fd98a77cfce8fff04a7a0d72c26d8

      SHA256

      c16c3df8b6b4187e04a6abb49a15eb02ccefdce86068960ab3afeb088bf4ba27

      SHA512

      351bafb9dc5395a9cd1393b76cba405312a5d85a59e5b1c0e891c2de1343b2bc2765a40077e4155fbd9a5578db3be66ace35e27ff02cb32f813ba01db4fc1113

      Download Submit

    • C:\Users\Admin\bshost.exe
      Filesize

      260KB

      MD5

      bbc0a2fe1284778896b57ffc5701aefa

      SHA1

      6b9a0106b82c63265936ce728a858d258c8f6b14

      SHA256

      92fad55bc5c7438d0f36501581b4b958efba2fbe5db02b97093a79b8a19645a0

      SHA512

      8a17a1ed99a99a270191684b0337836531934b8717e78481815fd18767a172e6d7cf89488926dd2ea1b9e9ccaf53afd29c6925beaeb2fa7fa918be0e416be930

      Download Submit

    • C:\Users\Admin\bshost.exe
      Filesize

      260KB

      MD5

      bbc0a2fe1284778896b57ffc5701aefa

      SHA1

      6b9a0106b82c63265936ce728a858d258c8f6b14

      SHA256

      92fad55bc5c7438d0f36501581b4b958efba2fbe5db02b97093a79b8a19645a0

      SHA512

      8a17a1ed99a99a270191684b0337836531934b8717e78481815fd18767a172e6d7cf89488926dd2ea1b9e9ccaf53afd29c6925beaeb2fa7fa918be0e416be930

      Download Submit

    • C:\Users\Admin\dyhost.exe
      Filesize

      48KB

      MD5

      d46eb4bf816ed9978636de7955245323

      SHA1

      c474df60a83302e0d010d11dcebd7cdb3cc22866

      SHA256

      2ae9b936feeade89c9074c379efedd21d15a1cf247207afe5381f437e41ca4bd

      SHA512

      e46a604a96345b1b6800cb22c8c870dfa62dbdd8bd5b6ff43ddce9b080d1af180db498dad23561c0116b4dadbc44617b26840e67bc0afde01439e4c70632d7ef

      Download Submit

    • C:\Users\Admin\dyhost.exe
      Filesize

      48KB

      MD5

      d46eb4bf816ed9978636de7955245323

      SHA1

      c474df60a83302e0d010d11dcebd7cdb3cc22866

      SHA256

      2ae9b936feeade89c9074c379efedd21d15a1cf247207afe5381f437e41ca4bd

      SHA512

      e46a604a96345b1b6800cb22c8c870dfa62dbdd8bd5b6ff43ddce9b080d1af180db498dad23561c0116b4dadbc44617b26840e67bc0afde01439e4c70632d7ef

      Download Submit

    • C:\Users\Admin\ekhost.exe
      Filesize

      24KB

      MD5

      9fe0e5252dc24fc1788b0d8b26026807

      SHA1

      21e3063a0fac1157b9707861048c5f7fbd070ceb

      SHA256

      9c99c968d969c2d5c1570c6066957d726bc19ffe9e0562242ce1bf79514c1b40

      SHA512

      613f5c821dfcef8124ecb7c9b118cda14be4d72a26f1a21ffde81c4d8aae4f315740d66c298e5963b0647f0ecd9e2d63d9bbb8df4e0c731019896e7ac0391d5c

      Download Submit

    • C:\Users\Admin\ekhost.exe
      Filesize

      24KB

      MD5

      9fe0e5252dc24fc1788b0d8b26026807

      SHA1

      21e3063a0fac1157b9707861048c5f7fbd070ceb

      SHA256

      9c99c968d969c2d5c1570c6066957d726bc19ffe9e0562242ce1bf79514c1b40

      SHA512

      613f5c821dfcef8124ecb7c9b118cda14be4d72a26f1a21ffde81c4d8aae4f315740d66c298e5963b0647f0ecd9e2d63d9bbb8df4e0c731019896e7ac0391d5c

      Download Submit

    • C:\Users\Admin\siise.exe
      Filesize

      212KB

      MD5

      bc537b3c49ec174a6e689ecd49cd22c2

      SHA1

      fbcd05f75683a5338ba46511873c6a5cf3fd56a5

      SHA256

      5b70c493e6942daa536ab312180fbb2bdb927dc469dc6eaf69c06b16e6132d97

      SHA512

      71dec81088eba3843292580b588384f0fec1c8530cfad158b14c4e3f0cd89777f59172ac92cc7891651381afa382b1970933d33869921bb63234dbc59e51e77a

      Download Submit

    • C:\Users\Admin\siise.exe
      Filesize

      212KB

      MD5

      bc537b3c49ec174a6e689ecd49cd22c2

      SHA1

      fbcd05f75683a5338ba46511873c6a5cf3fd56a5

      SHA256

      5b70c493e6942daa536ab312180fbb2bdb927dc469dc6eaf69c06b16e6132d97

      SHA512

      71dec81088eba3843292580b588384f0fec1c8530cfad158b14c4e3f0cd89777f59172ac92cc7891651381afa382b1970933d33869921bb63234dbc59e51e77a

      Download Submit

    • memory/2512-164-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2512-162-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2512-163-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2512-165-0x0000000002090000-0x00000000020D4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2512-167-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4700-155-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4700-156-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4700-148-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4700-161-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download