
Analysis

  • max time kernel
    43s
  • max time network
    67s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/10/2022, 07:14 UTC

General

  • Target

    52597745467cbfa5dea28af4334512c154c9b82c858d79e6f6b39462486b22a7.exe

  • Size

    104KB

  • MD5

    5d20dd711e0a19bdf3a18d900ffd7e00

  • SHA1

    89f9a72996a7b1dfabd025a91ed721d70ef1ee2c

  • SHA256

    52597745467cbfa5dea28af4334512c154c9b82c858d79e6f6b39462486b22a7

  • SHA512

    bcfa842e1fa6089c023943a8cd262742748ff34064d07996b862dc45ff4068fed79bdd504650584aa45e4a3fafd480fe1694339156b7848b3bb6d43e966069c6

  • SSDEEP

    1536:nlxb38MhDn2fkNKnL6yId2xdMGfR9TQ2g8cifaxK2jd3psK/OV16PZdpM2KczgBW:YsNKnL6K7f3ixF2o9RH5BbtmHpfq

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52597745467cbfa5dea28af4334512c154c9b82c858d79e6f6b39462486b22a7.exe
    "C:\Users\Admin\AppData\Local\Temp\52597745467cbfa5dea28af4334512c154c9b82c858d79e6f6b39462486b22a7.exe"
    1⤵
    • Maps connected drives based on registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del 52597745467cbfa5dea28af4334512c154c9b82c858d79e6f6b39462486b22a7.exe
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1564

Network

  • DNS (US)
    domai.0xdns.com
    52597745467cbfa5dea28af4334512c154c9b82c858d79e6f6b39462486b22a7.exe
    Remote address:
    8.8.8.8:53
    Request
    domai.0xdns.com
    IN A
    Response
    domai.0xdns.com
    IN A
    192.46.212.8
  • 192.46.212.8:8080
    domai.0xdns.com
    52597745467cbfa5dea28af4334512c154c9b82c858d79e6f6b39462486b22a7.exe
    152 B
    3
  • 8.8.8.8:53
    domai.0xdns.com
    dns
    52597745467cbfa5dea28af4334512c154c9b82c858d79e6f6b39462486b22a7.exe
    61 B
    77 B
    1
    1

    DNS Request

    domai.0xdns.com

    DNS Response

    192.46.212.8

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1360-56-0x00000000751A1000-0x00000000751A3000-memory.dmp

    Filesize

    8KB
