Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

ed1f2ac1ad...bd.exe

windows7-x64

8

ed1f2ac1ad...bd.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    128s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 13:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed1f2ac1ad6543e4bab63986269c5d9c7ac94ce676084064f44fcbcb97e716bd.exe

  • Size

    141KB

  • MD5

    681d4812e768ead9d82cd3f4f5e05190

  • SHA1

    a049b559e8e7a09126fe07bab743c6e9cab6e86b

  • SHA256

    ed1f2ac1ad6543e4bab63986269c5d9c7ac94ce676084064f44fcbcb97e716bd

  • SHA512

    8032b1d78e05ba1e3efd55ccbe7beb68817a272a6546ec1be5eb210cc0806b02b13969717798291b06c50eaff08d2ad29321682300ab4d773b37cba8a50935e3

  • SSDEEP

    3072:OMDGOI4lS9I2MD9BxjtzPWtTVzCGDcaN9dGku6V:XDoT9IPxpPcVzCGDcajdnu6V

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed1f2ac1ad6543e4bab63986269c5d9c7ac94ce676084064f44fcbcb97e716bd.exe
    "C:\Users\Admin\AppData\Local\Temp\ed1f2ac1ad6543e4bab63986269c5d9c7ac94ce676084064f44fcbcb97e716bd.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Windows\SysWOW64\pclt32.exe
      C:\Windows\system32\pclt32.exe -d "C:\Users\Admin\AppData\Local\Temp\ed1f2ac1ad6543e4bab63986269c5d9c7ac94ce676084064f44fcbcb97e716bd.exe"
      2⤵
      • Executes dropped EXE
      PID:460
  • C:\Windows\SysWOW64\pclt32.exe
    C:\Windows\SysWOW64\pclt32.exe -v
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:5052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\pclt32.exe
    Filesize

    141KB

    MD5

    5141d56457d0bc4d825ef30fffefa355

    SHA1

    93fa419376401eb25686a4912b3aa24ec2deae65

    SHA256

    daf01a03542764e420bde5636b7f7f4494849f3233f87ad1e27114a36cc9e681

    SHA512

    6d4308037b5f54c9462289dfe17c43e88b30458a454280f03d29a3c1f6a60cc927930826975c0bc09d056339e90cbe588bc080b0c46ab244dba2d471efc5b09d

    Download Submit

  • C:\Windows\SysWOW64\pclt32.exe
    Filesize

    141KB

    MD5

    5141d56457d0bc4d825ef30fffefa355

    SHA1

    93fa419376401eb25686a4912b3aa24ec2deae65

    SHA256

    daf01a03542764e420bde5636b7f7f4494849f3233f87ad1e27114a36cc9e681

    SHA512

    6d4308037b5f54c9462289dfe17c43e88b30458a454280f03d29a3c1f6a60cc927930826975c0bc09d056339e90cbe588bc080b0c46ab244dba2d471efc5b09d

    Download Submit

  • C:\Windows\SysWOW64\pclt32.exe
    Filesize

    141KB

    MD5

    5141d56457d0bc4d825ef30fffefa355

    SHA1

    93fa419376401eb25686a4912b3aa24ec2deae65

    SHA256

    daf01a03542764e420bde5636b7f7f4494849f3233f87ad1e27114a36cc9e681

    SHA512

    6d4308037b5f54c9462289dfe17c43e88b30458a454280f03d29a3c1f6a60cc927930826975c0bc09d056339e90cbe588bc080b0c46ab244dba2d471efc5b09d

    Download Submit