Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

819b421a8a...32.exe

windows7-x64

10

819b421a8a...32.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/10/2022, 15:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    819b421a8a091a0188468672824fe5383be7ef8f4336b0a92916ca7a129adb32.exe

  • Size

    230KB

  • MD5

    65c87fa0b7c308fff3e155b328b1690a

  • SHA1

    4e84175dd432f24a9ed67cdd0a3ddf6612d96394

  • SHA256

    819b421a8a091a0188468672824fe5383be7ef8f4336b0a92916ca7a129adb32

  • SHA512

    a4647eff5f43f0d1f0955f12fa0e3bd5c61f5cfb510e0e2c886392564c24811871838236bb28e85d6d4bd6026e1f350e7bc987f57677140716ecde1049ab05a1

  • SSDEEP

    3072:TIMa5VPdnLAWeBIg5Si2mVvu3TRENKWH3xPALAiyEv7p5qyt/s7niwK/f+JuKtkk:GDAWw5NV4EBXWAIT/nw08xTm3E

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\819b421a8a091a0188468672824fe5383be7ef8f4336b0a92916ca7a129adb32.exe
    "C:\Users\Admin\AppData\Local\Temp\819b421a8a091a0188468672824fe5383be7ef8f4336b0a92916ca7a129adb32.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • Suspicious behavior: EnumeratesProcesses
      PID:2064

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\apppatch\svchost.exe
    Filesize

    230KB

    MD5

    c77872c57177a1263d0c8d4f5d57fded

    SHA1

    e9dcfc409ab85299f10dd2f1fd3fd298511ba7ed

    SHA256

    a289538df3531740a97a663b65481d4e7b4d5a4baaba399ef4cb3c53cbc30ccb

    SHA512

    6b402fc35e46c307d1b75b83d783c491d699a78d62dbf5065b8c3466d698a9395a21bd052b1316e5476687c7ab8d6ccba5d27de07c94ea3f3bb2bf59221979b2

    Download Submit

  • C:\Windows\apppatch\svchost.exe
    Filesize

    230KB

    MD5

    c77872c57177a1263d0c8d4f5d57fded

    SHA1

    e9dcfc409ab85299f10dd2f1fd3fd298511ba7ed

    SHA256

    a289538df3531740a97a663b65481d4e7b4d5a4baaba399ef4cb3c53cbc30ccb

    SHA512

    6b402fc35e46c307d1b75b83d783c491d699a78d62dbf5065b8c3466d698a9395a21bd052b1316e5476687c7ab8d6ccba5d27de07c94ea3f3bb2bf59221979b2

    Download Submit

  • memory/1488-132-0x0000000000400000-0x00000000004FD000-memory.dmp

    Filesize

    1012KB

    Download

  • memory/1488-133-0x0000000002280000-0x00000000022D1000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1488-134-0x0000000000400000-0x00000000004FD000-memory.dmp

    Filesize

    1012KB

    Download

  • memory/1488-139-0x0000000002280000-0x00000000022D1000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1488-140-0x0000000000400000-0x00000000004FD000-memory.dmp

    Filesize

    1012KB

    Download

  • memory/2064-138-0x0000000000400000-0x00000000004FD000-memory.dmp

    Filesize

    1012KB

    Download

  • memory/2064-141-0x0000000000400000-0x00000000004FD000-memory.dmp

    Filesize

    1012KB

    Download

  • memory/2064-142-0x0000000002E00000-0x0000000002EA8000-memory.dmp

    Filesize

    672KB

    Download

  • memory/2064-143-0x0000000002FB0000-0x0000000003066000-memory.dmp

    Filesize

    728KB

    Download