Analysis

  • max time kernel
    150s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/10/2022, 05:07

General

  • Target

    710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe

  • Size

    162KB

  • MD5

    7195d62842154220250c93867baf1bf5

  • SHA1

    bcf17349ecc4d06f38f07c9cc3eafd1303e6e523

  • SHA256

    710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff

  • SHA512

    c832e015e265367687b62e74bfab20ca9ea6dba939cee718e03c085c7a573e2b15d7e0f29949961ad2302be42c1aaf3cb47eb765b2963a373f3de33bf76fcb49

  • SSDEEP

    3072:iyH99g4byc6H5c6HcT66vlmm+6zMal04FpFOmal04F3uhUpjBTO+FueB5YJa+a:iyH7xOc6H5c6HcT66vlmuEPOtWYFa

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (3 IoCs)
  • Drops file in Program Files directory (25 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SendNotifyMessage (2 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
    "C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3912
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
        "C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:5104
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 888
          4⤵
          • Drops file in Windows directory
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:3892
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:4952

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe

    Filesize

    127KB

    MD5

    c835a420aa809c291ef1f6063fe98550

    SHA1

    2c3091affb6ba021964bc717b97dae0debe55194

    SHA256

    10e8b508abb60d04e16af96fb53f2e1b9f24913ecd0f5100b0f12717b301a7a5

    SHA512

    946fcb39882adbe370c34d342bd0fc77addc3ca0d5527788a1a6c6c15c374a59308de89f1596fb58498fff349ae030ecf5af14c15c2337f0acac52e93621abc0

  • C:\Windows\svchost.exe

    Filesize

    35KB

    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

  • memory/5104-139-0x0000000074E50000-0x0000000075401000-memory.dmp

    Filesize

    5.7MB

  • memory/5104-141-0x0000000074E50000-0x0000000075401000-memory.dmp

    Filesize

    5.7MB