Analysis

  • max time kernel
    155s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2022, 13:13 UTC

General

  • Target

    58b5c6c25f75e4fa1058eae2973b621a18969ee40badb4c2529cf88339a5da9b.exe

  • Size

    298KB

  • MD5

    13066e92e8a49557d4a31b2d99735ba2

  • SHA1

    9bbfb875199972c7aca96d01be629f38533b0657

  • SHA256

    58b5c6c25f75e4fa1058eae2973b621a18969ee40badb4c2529cf88339a5da9b

  • SHA512

    016b1b6b5dfbdaf166fbb9ea6802c44bf81f1f838ae0fb35150b073d023961e8bca1e81cfea42e20b6dbf292673e9b35b2b06d17fad4258ef0d1870153f8f09d

  • SSDEEP

    6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYw:v6Wq4aaE6KwyF5L0Y2D1PqLX

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58b5c6c25f75e4fa1058eae2973b621a18969ee40badb4c2529cf88339a5da9b.exe
    "C:\Users\Admin\AppData\Local\Temp\58b5c6c25f75e4fa1058eae2973b621a18969ee40badb4c2529cf88339a5da9b.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4668
    • C:\Windows\svhost.exe
      C:\Windows\svhost.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4740

Network

  • flag-us
    DNS
    97.97.242.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.97.242.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    176.122.125.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    176.122.125.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa
    IN PTR
    Response
  • 209.197.3.8:80
    322 B
    7
  • 51.116.253.168:443
    322 B
    7
  • 209.197.3.8:80
    322 B
    7
  • 209.197.3.8:80
    322 B
    7
  • 104.80.225.205:443
    322 B
    7
  • 93.184.220.29:80
    322 B
    7
  • 93.184.220.29:80
    260 B
    5
  • 8.8.8.8:53
    97.97.242.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.97.242.52.in-addr.arpa

  • 8.8.8.8:53
    176.122.125.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    176.122.125.40.in-addr.arpa

  • 8.8.8.8:53
    9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa
    dns
    118 B
    204 B
    1
    1

    DNS Request

    9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\svhost.exe

    Filesize

    298KB

    MD5

    6d4a8d2ac9fdda5dfae30dc3fa4120bd

    SHA1

    293e2f276b2c6cbbd09a8841ecfd92411865008e

    SHA256

    ea2b8c4462a286bbebd84d69922fe0155c25ad97853daf7e89225542084b0855

    SHA512

    be50156125c1e272048d4eeb219b57eb78e758a5c0e69e4f1b637f1d85816d08e53c1e7f7605c62df482b1666e36e2cbcd6ab53b421f6075e2eda5f4c817da0c

  • C:\Windows\svhost.exe

    Filesize

    298KB

    MD5

    6d4a8d2ac9fdda5dfae30dc3fa4120bd

    SHA1

    293e2f276b2c6cbbd09a8841ecfd92411865008e

    SHA256

    ea2b8c4462a286bbebd84d69922fe0155c25ad97853daf7e89225542084b0855

    SHA512

    be50156125c1e272048d4eeb219b57eb78e758a5c0e69e4f1b637f1d85816d08e53c1e7f7605c62df482b1666e36e2cbcd6ab53b421f6075e2eda5f4c817da0c

  • memory/4668-132-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/4668-133-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/4668-138-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/4740-137-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB
