Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2022, 10:28 UTC

General

  • Target

    23c0dc2bc05fea98d53a8abcece52f88d95273e068e733dc5a38cce47a8a4c1e.exe

  • Size

    212KB

  • MD5

    4c378acf5c11a25c7c3377ada09fb2ac

  • SHA1

    842ab9bf9337e45a626e89674ee35602f7c063a1

  • SHA256

    23c0dc2bc05fea98d53a8abcece52f88d95273e068e733dc5a38cce47a8a4c1e

  • SHA512

    c65b7eeb0c318e73ec0af83bfee6fb7be4c9115b739230417aec55e4a1cd4bd4dccb24790e8e6bfe4dda0de05d3235387380fdde71ddc1a8137370938a538f34

  • SSDEEP

    1536:wodH3UyOEGYf+u2wW4cd9Lv2PElgW7NoN274B/K51UtaHElfTczpqVar1/AgAIS:jUxS+Dzp+GNoN2I0jASrB

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23c0dc2bc05fea98d53a8abcece52f88d95273e068e733dc5a38cce47a8a4c1e.exe
    "C:\Users\Admin\AppData\Local\Temp\23c0dc2bc05fea98d53a8abcece52f88d95273e068e733dc5a38cce47a8a4c1e.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Users\Admin\tlsib.exe
      "C:\Users\Admin\tlsib.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1276

Network

  • US
    DNS
    ns1.musiczipz.com
    23c0dc2bc05fea98d53a8abcece52f88d95273e068e733dc5a38cce47a8a4c1e.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.musiczipz.com
    IN A
    Response
    ns1.musiczipz.com
    IN A
    81.17.18.197
  • 81.17.18.197:8000
    ns1.musiczipz.com
    23c0dc2bc05fea98d53a8abcece52f88d95273e068e733dc5a38cce47a8a4c1e.exe
    152 B
    3
  • 8.8.8.8:53
    ns1.musiczipz.com
    dns
    23c0dc2bc05fea98d53a8abcece52f88d95273e068e733dc5a38cce47a8a4c1e.exe
    63 B
    79 B
    1
    1

    DNS Request

    ns1.musiczipz.com

    DNS Response

    81.17.18.197

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\tlsib.exe

    Filesize

    212KB

    MD5

    04b3a4d0b3d7f975ca1e3f94161b1d21

    SHA1

    424710ef84f7f45de616e7db1093315a19c79e95

    SHA256

    793c5122068e55ac53ef7044c664328e687219764c28b57b90bd5bbf5b5728c9

    SHA512

    185fd1f493b5a9112a6c0d709d92b47510138f7f83feaf45e96ed179419bbdb10e359275424c81f248ac4827029c0d6723b87824b95b26155197be4bbf1922bf

  • \Users\Admin\tlsib.exe

    Filesize

    212KB

    MD5

    04b3a4d0b3d7f975ca1e3f94161b1d21

    SHA1

    424710ef84f7f45de616e7db1093315a19c79e95

    SHA256

    793c5122068e55ac53ef7044c664328e687219764c28b57b90bd5bbf5b5728c9

    SHA512

    185fd1f493b5a9112a6c0d709d92b47510138f7f83feaf45e96ed179419bbdb10e359275424c81f248ac4827029c0d6723b87824b95b26155197be4bbf1922bf

  • memory/1276-67-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

  • memory/1276-71-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

  • memory/1324-56-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

  • memory/1324-57-0x00000000752B1000-0x00000000752B3000-memory.dmp

    Filesize

    8KB

  • memory/1324-65-0x0000000002E20000-0x0000000002E66000-memory.dmp

    Filesize

    280KB

  • memory/1324-66-0x0000000002E20000-0x0000000002E66000-memory.dmp

    Filesize

    280KB

  • memory/1324-69-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

  • memory/1324-70-0x0000000002E20000-0x0000000002E66000-memory.dmp

    Filesize

    280KB
