Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

ae41a9adc8...d7.exe

windows7-x64

10

ae41a9adc8...d7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    123s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7.exe

  • Size

    346KB

  • MD5

    388ae8001c7019b2e3f5401ce1e820f5

  • SHA1

    2141fd73c2adfc36d438a943e4dbc3e13e453884

  • SHA256

    ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7

  • SHA512

    18acf8027f07a73d4ae8557d1697dabb0d7b1a8982298b254c46a9fb0b7bedcb6b11a2f803732505eb942cb117fba3480e15e2b574fa4c461cfd92844221a564

  • SSDEEP

    3072:GR2xn3k0CdM1vabyzJYWqO5z4EwevAHjmVep+23FlJ4+:GR2J0LS6VCz4ElAH5LRn

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 9 IoCs
  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of UnmapMainImage 5 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7.exe
    "C:\Users\Admin\AppData\Local\Temp\ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Users\Admin\AppData\Local\Temp\ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7mgr.exe
      C:\Users\Admin\AppData\Local\Temp\ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7mgr.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of UnmapMainImage
      PID:4592
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
        "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3696
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:212
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:1392
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 208
                6⤵
                • Program crash
                PID:4620
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4424
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4424 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4792
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              PID:376
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          3⤵
            PID:4488
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 204
              4⤵
              • Program crash
              PID:4576
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4184
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4184 CREDAT:17410 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3980
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2400
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:17410 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4676
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4488 -ip 4488
        1⤵
          PID:2200
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1392 -ip 1392
          1⤵
            PID:4972

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            Filesize

            346KB

            MD5

            388ae8001c7019b2e3f5401ce1e820f5

            SHA1

            2141fd73c2adfc36d438a943e4dbc3e13e453884

            SHA256

            ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7

            SHA512

            18acf8027f07a73d4ae8557d1697dabb0d7b1a8982298b254c46a9fb0b7bedcb6b11a2f803732505eb942cb117fba3480e15e2b574fa4c461cfd92844221a564

            Download Submit

          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            Filesize

            346KB

            MD5

            388ae8001c7019b2e3f5401ce1e820f5

            SHA1

            2141fd73c2adfc36d438a943e4dbc3e13e453884

            SHA256

            ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7

            SHA512

            18acf8027f07a73d4ae8557d1697dabb0d7b1a8982298b254c46a9fb0b7bedcb6b11a2f803732505eb942cb117fba3480e15e2b574fa4c461cfd92844221a564

            Download Submit

          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            Filesize

            346KB

            MD5

            388ae8001c7019b2e3f5401ce1e820f5

            SHA1

            2141fd73c2adfc36d438a943e4dbc3e13e453884

            SHA256

            ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7

            SHA512

            18acf8027f07a73d4ae8557d1697dabb0d7b1a8982298b254c46a9fb0b7bedcb6b11a2f803732505eb942cb117fba3480e15e2b574fa4c461cfd92844221a564

            Download Submit

          • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
            Filesize

            172KB

            MD5

            f57abd3a76079ed9ba085bf71acf6cd3

            SHA1

            018c940fdb62a466a5ada1338149bb7621ad8682

            SHA256

            98c0c3c7b28a7eca1648bd25ae7927bae460de51a8a58c48b5c4fdc0a24963ba

            SHA512

            cb77e53914ab4e3ed8804cea0c75f13630a756903a1db0e3f1e9b81cadae981a3fba32cf5ab2597c7b6104937fa1114a5588c0df78ae2d17f38c6e115120f001

            Download Submit

          • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
            Filesize

            172KB

            MD5

            f57abd3a76079ed9ba085bf71acf6cd3

            SHA1

            018c940fdb62a466a5ada1338149bb7621ad8682

            SHA256

            98c0c3c7b28a7eca1648bd25ae7927bae460de51a8a58c48b5c4fdc0a24963ba

            SHA512

            cb77e53914ab4e3ed8804cea0c75f13630a756903a1db0e3f1e9b81cadae981a3fba32cf5ab2597c7b6104937fa1114a5588c0df78ae2d17f38c6e115120f001

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            471B

            MD5

            046bedf3b97e782edc5343dc24a1c485

            SHA1

            ebad04906d01fdb00719463e729f201a043433ae

            SHA256

            4bb13178dccf62921053ef1b62f9bdb994dfd0520741873a60ac2c1484df78ca

            SHA512

            18203014488892166d7c331f8239c1c030fd9831b8040d51b3fdf3d887f867380ff639ccac26e8751b7b13d1dc83e2931f96019783695e7a93c4348046c9fabf

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            471B

            MD5

            046bedf3b97e782edc5343dc24a1c485

            SHA1

            ebad04906d01fdb00719463e729f201a043433ae

            SHA256

            4bb13178dccf62921053ef1b62f9bdb994dfd0520741873a60ac2c1484df78ca

            SHA512

            18203014488892166d7c331f8239c1c030fd9831b8040d51b3fdf3d887f867380ff639ccac26e8751b7b13d1dc83e2931f96019783695e7a93c4348046c9fabf

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            471B

            MD5

            046bedf3b97e782edc5343dc24a1c485

            SHA1

            ebad04906d01fdb00719463e729f201a043433ae

            SHA256

            4bb13178dccf62921053ef1b62f9bdb994dfd0520741873a60ac2c1484df78ca

            SHA512

            18203014488892166d7c331f8239c1c030fd9831b8040d51b3fdf3d887f867380ff639ccac26e8751b7b13d1dc83e2931f96019783695e7a93c4348046c9fabf

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            404B

            MD5

            566c37d8faf7e1a156d703d6cf5094b1

            SHA1

            a483d13406588251a462b312ce5ee62014c37ad6

            SHA256

            ce77187b2b83f73d727220a083d1c522228c60dc6f6b6d2eecea916904f718ed

            SHA512

            a82572f460de3b0764e79bfddcb7de82b6dee07b743781ff28dd44cd6e9248eb53e5a2df70ce3a502c171aae5a1740d17ce0f89ed8eb2109aefa30a5d3973e49

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            404B

            MD5

            6d3fb0b64e0573470c0332abe612896d

            SHA1

            b133d50622abfec2b12f4db02085afe516ba707f

            SHA256

            f7da2f261e77e1bc774c794aa49483c1a58a3e967d02a5e1c5a18c7b47ffd55a

            SHA512

            eda463d4b53e993a114b64fe1c2b7317e3537c266c26e32701757525659441acdc04ff01585356c2cd06b9d2999d28c41e6b18825304800fa5ec9031ffdbadaf

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            404B

            MD5

            4d8e232adf3626942a487ef4ca3f272a

            SHA1

            b511bc047c93c032f1119b26fbd514542a61f284

            SHA256

            06ae14aee003c65261bf8552e14cf139230a55e7d06f91e2fa3ccd8e2d1e0fa2

            SHA512

            4fc504c73500b8e6216b35df64a928a9c3d092b98f1e324db714bf7b59520ef3162daa6d9557b8cf8ee1223f04c9f96e1f5a3c842e4f22c69648337a8ca1cd74

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0F529F13-439B-11ED-AECB-7ED4F7B3352B}.dat
            Filesize

            3KB

            MD5

            5edb4adebff748405299dc7f2e7298f9

            SHA1

            0d1282f8103d9e2e30fdc5a90a50ed5a3c44c77b

            SHA256

            19e012d48e1ca526273024fc0ce63fe73c17cb776803cab15402ca613b8bfcfa

            SHA512

            faabf4b4dea0c0d4a0893e033dd1a8b3cde6a08c51fc8e4768ec12c0810055b9e1e4a5e75f4e8f7ac6613645512e131fe7b9e1e5b2a738cfe32f82d8f59382a2

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0F529F13-439B-11ED-AECB-7ED4F7B3352B}.dat
            Filesize

            5KB

            MD5

            0225aef715b3ce76659b1bed58fe0c01

            SHA1

            7f1811f8d35ec81e262816a6dbac7a2cdf4e62ae

            SHA256

            ac246c6c3f0d3231ce6496646596103dda56254924bc403757b1f77aadc5bc47

            SHA512

            ff45ed7293fa7f74eae4ee5091a9d202afef0ca7a1ebbc541af3b7034c3c9532ed1e2ec275a59c482c6eb9fd931ee4e29036f0fa81cb57b6ee2ac8d5d6071c99

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0F52ED33-439B-11ED-AECB-7ED4F7B3352B}.dat
            Filesize

            3KB

            MD5

            7b1cc3e8b4fc4545523a011087a02c11

            SHA1

            756092ede8794f42d723342a393da608637b4771

            SHA256

            3899cd259c64292182961d4c70f384de81bb9b519ad1f290f0c105257d7ec48a

            SHA512

            fe612e9f2adec380e3bc542e436969be751f385e512e3b8bb4e22bb0a3e4db32698c750f229398b0e1081c3da325ed4c6798288076149310b94791c06761f642

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7mgr.exe
            Filesize

            172KB

            MD5

            f57abd3a76079ed9ba085bf71acf6cd3

            SHA1

            018c940fdb62a466a5ada1338149bb7621ad8682

            SHA256

            98c0c3c7b28a7eca1648bd25ae7927bae460de51a8a58c48b5c4fdc0a24963ba

            SHA512

            cb77e53914ab4e3ed8804cea0c75f13630a756903a1db0e3f1e9b81cadae981a3fba32cf5ab2597c7b6104937fa1114a5588c0df78ae2d17f38c6e115120f001

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7mgr.exe
            Filesize

            172KB

            MD5

            f57abd3a76079ed9ba085bf71acf6cd3

            SHA1

            018c940fdb62a466a5ada1338149bb7621ad8682

            SHA256

            98c0c3c7b28a7eca1648bd25ae7927bae460de51a8a58c48b5c4fdc0a24963ba

            SHA512

            cb77e53914ab4e3ed8804cea0c75f13630a756903a1db0e3f1e9b81cadae981a3fba32cf5ab2597c7b6104937fa1114a5588c0df78ae2d17f38c6e115120f001

            Download Submit

          • memory/212-182-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/212-190-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/212-192-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/212-191-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/212-189-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/212-185-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/212-184-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/212-183-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/1336-187-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/1336-186-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/1336-180-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/1336-181-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/1336-179-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/1336-178-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/1336-188-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/3696-175-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/4592-149-0x0000000000400000-0x000000000044E000-memory.dmp

            Filesize

            312KB

            Download

          • memory/4592-177-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/4592-147-0x0000000000400000-0x000000000044E000-memory.dmp

            Filesize

            312KB

            Download

          • memory/4592-145-0x0000000000400000-0x000000000044E000-memory.dmp

            Filesize

            312KB

            Download

          • memory/4592-143-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/4592-136-0x0000000000400000-0x000000000044E000-memory.dmp

            Filesize

            312KB

            Download

          • memory/4996-174-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/4996-150-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/4996-132-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/4996-148-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/4996-146-0x0000000000400000-0x000000000047A000-memory.dmp

            Filesize

            488KB

            Download

          • memory/4996-141-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download