Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

d47004e4f5...cd.exe

windows7-x64

8

d47004e4f5...cd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    48s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2022, 19:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d47004e4f5d5813bac06884040a197181e9ef4b74230cee62b9cca89b2a766cd.exe

  • Size

    371KB

  • MD5

    69ed86d737c968ec0e4ee64ba7a75a71

  • SHA1

    2494b2bb4a43d4def98e1ed9a6e6db9993f4b4fd

  • SHA256

    d47004e4f5d5813bac06884040a197181e9ef4b74230cee62b9cca89b2a766cd

  • SHA512

    e0f46f9f5975702196ffa228588e1c1672395b52d66cc225a518eb818c319e7e8051454697c864b81193f315bf8a9ca2492d2855e80f01eb03d2a1cf7412ea9e

  • SSDEEP

    3072:CnxwgxgfR/DVG7wBpEioiaIjdwjiSNjm52OcIJbwqORtH20KK3pb6bAY5gD:C+xDVG0BpNavjiSi5cItDORtWI6EYWD

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:480
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:464
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
          2⤵
            PID:752
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
            2⤵
              PID:1044
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
              2⤵
                PID:1748
              • C:\Windows\system32\sppsvc.exe
                C:\Windows\system32\sppsvc.exe
                2⤵
                  PID:308
                • C:\Windows\system32\taskhost.exe
                  "taskhost.exe"
                  2⤵
                    PID:1124
                  • C:\Windows\System32\spoolsv.exe
                    C:\Windows\System32\spoolsv.exe
                    2⤵
                      PID:864
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k NetworkService
                      2⤵
                        PID:300
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs
                        2⤵
                          PID:868
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService
                          2⤵
                            PID:844
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                            2⤵
                              PID:800
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k RPCSS
                              2⤵
                                PID:664
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k DcomLaunch
                                2⤵
                                  PID:588
                              • C:\Windows\system32\winlogon.exe
                                winlogon.exe
                                1⤵
                                  PID:420
                                • C:\Windows\system32\csrss.exe
                                  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                  1⤵
                                    PID:380
                                  • C:\Windows\system32\wininit.exe
                                    wininit.exe
                                    1⤵
                                      PID:372
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        2⤵
                                          PID:488
                                      • C:\Windows\Explorer.EXE
                                        C:\Windows\Explorer.EXE
                                        1⤵
                                          PID:1240
                                          • C:\Users\Admin\AppData\Local\Temp\d47004e4f5d5813bac06884040a197181e9ef4b74230cee62b9cca89b2a766cd.exe
                                            "C:\Users\Admin\AppData\Local\Temp\d47004e4f5d5813bac06884040a197181e9ef4b74230cee62b9cca89b2a766cd.exe"
                                            2⤵
                                            • Loads dropped DLL
                                            • Drops file in Program Files directory
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious behavior: MapViewOfSection
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of UnmapMainImage
                                            • Suspicious use of WriteProcessMemory
                                            PID:1256
                                            • C:\Users\Admin\AppData\Local\Temp\d47004e4f5d5813bac06884040a197181e9ef4b74230cee62b9cca89b2a766cdmgr.exe
                                              C:\Users\Admin\AppData\Local\Temp\d47004e4f5d5813bac06884040a197181e9ef4b74230cee62b9cca89b2a766cdmgr.exe
                                              3⤵
                                              • Executes dropped EXE
                                              • Drops file in Program Files directory
                                              • Suspicious use of UnmapMainImage
                                              PID:1356
                                        • C:\Windows\system32\Dwm.exe
                                          "C:\Windows\system32\Dwm.exe"
                                          1⤵
                                            PID:1184

                                          Network

                                          MITRE ATT&CK Matrix

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\PROGRAM FILES (X86)\MICROSOFT\WATERMARK.EXE
                                            Filesize

                                            371KB

                                            MD5

                                            69ed86d737c968ec0e4ee64ba7a75a71

                                            SHA1

                                            2494b2bb4a43d4def98e1ed9a6e6db9993f4b4fd

                                            SHA256

                                            d47004e4f5d5813bac06884040a197181e9ef4b74230cee62b9cca89b2a766cd

                                            SHA512

                                            e0f46f9f5975702196ffa228588e1c1672395b52d66cc225a518eb818c319e7e8051454697c864b81193f315bf8a9ca2492d2855e80f01eb03d2a1cf7412ea9e

                                            Download Submit

                                          • C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\D47004E4F5D5813BAC06884040A197181E9EF4B74230CEE62B9CCA89B2A766CDMGR.EXE
                                            Filesize

                                            184KB

                                            MD5

                                            64930a226f4fc588437bdbf865d63424

                                            SHA1

                                            cdad2ab884764afc2a726e7039ba830df02d5f7f

                                            SHA256

                                            c766fa6fdb64b5825f2d52a8b3608c4f52199da0bc027fe1706a108384c2129e

                                            SHA512

                                            4cdee867cc54f0780029fbe2f63d1ba8dd408b12a9031371fc02b5a3cec047f3c18a809fb7b0c0c3ec2f19bf67c3d8ff67f940371c1b2243ff99b729e03016b8

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\d47004e4f5d5813bac06884040a197181e9ef4b74230cee62b9cca89b2a766cdmgr.exe
                                            Filesize

                                            184KB

                                            MD5

                                            64930a226f4fc588437bdbf865d63424

                                            SHA1

                                            cdad2ab884764afc2a726e7039ba830df02d5f7f

                                            SHA256

                                            c766fa6fdb64b5825f2d52a8b3608c4f52199da0bc027fe1706a108384c2129e

                                            SHA512

                                            4cdee867cc54f0780029fbe2f63d1ba8dd408b12a9031371fc02b5a3cec047f3c18a809fb7b0c0c3ec2f19bf67c3d8ff67f940371c1b2243ff99b729e03016b8

                                            Download Submit

                                          • \Users\Admin\AppData\Local\Temp\d47004e4f5d5813bac06884040a197181e9ef4b74230cee62b9cca89b2a766cdmgr.exe
                                            Filesize

                                            184KB

                                            MD5

                                            64930a226f4fc588437bdbf865d63424

                                            SHA1

                                            cdad2ab884764afc2a726e7039ba830df02d5f7f

                                            SHA256

                                            c766fa6fdb64b5825f2d52a8b3608c4f52199da0bc027fe1706a108384c2129e

                                            SHA512

                                            4cdee867cc54f0780029fbe2f63d1ba8dd408b12a9031371fc02b5a3cec047f3c18a809fb7b0c0c3ec2f19bf67c3d8ff67f940371c1b2243ff99b729e03016b8

                                            Download Submit

                                          • \Users\Admin\AppData\Local\Temp\d47004e4f5d5813bac06884040a197181e9ef4b74230cee62b9cca89b2a766cdmgr.exe
                                            Filesize

                                            184KB

                                            MD5

                                            64930a226f4fc588437bdbf865d63424

                                            SHA1

                                            cdad2ab884764afc2a726e7039ba830df02d5f7f

                                            SHA256

                                            c766fa6fdb64b5825f2d52a8b3608c4f52199da0bc027fe1706a108384c2129e

                                            SHA512

                                            4cdee867cc54f0780029fbe2f63d1ba8dd408b12a9031371fc02b5a3cec047f3c18a809fb7b0c0c3ec2f19bf67c3d8ff67f940371c1b2243ff99b729e03016b8

                                            Download Submit

                                          • memory/1256-62-0x0000000000400000-0x0000000000421000-memory.dmp

                                            Filesize

                                            132KB

                                            Download

                                          • memory/1256-64-0x0000000000400000-0x0000000000421000-memory.dmp

                                            Filesize

                                            132KB

                                            Download

                                          • memory/1256-69-0x0000000000400000-0x0000000000421000-memory.dmp

                                            Filesize

                                            132KB

                                            Download

                                          • memory/1356-68-0x0000000000400000-0x0000000000421000-memory.dmp

                                            Filesize

                                            132KB

                                            Download

                                          • memory/1356-70-0x000000007EFA0000-0x000000007EFAA000-memory.dmp

                                            Filesize

                                            40KB

                                            Download