Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

2ea886dad1...f5.exe

windows7-x64

8

2ea886dad1...f5.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5.exe

  • Size

    97KB

  • MD5

    60bb7ba0b162e56e1aa921c5f153db10

  • SHA1

    0f73228e1743528c830806716ed8efb9f706a4ab

  • SHA256

    2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5

  • SHA512

    2b7b920c13ae133c72094ffea22f496ecc775520fbbef96b3051faed8f702e5120117f76aeaff02db96a38860328a300799dc2a37dbd893288ac27ebb38e97cd

  • SSDEEP

    3072:SYL6Ya2MPk+PIoGuNxwQeRqhJ04aMuzE1vDgyjOkVo:SYeYhMxIoGuW+0H5Y502x2

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5.exe
    "C:\Users\Admin\AppData\Local\Temp\2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4200
  • C:\Windows\Slave.exe
    C:\Windows\Slave.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4568

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Slave.exe
    Filesize

    97KB

    MD5

    60bb7ba0b162e56e1aa921c5f153db10

    SHA1

    0f73228e1743528c830806716ed8efb9f706a4ab

    SHA256

    2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5

    SHA512

    2b7b920c13ae133c72094ffea22f496ecc775520fbbef96b3051faed8f702e5120117f76aeaff02db96a38860328a300799dc2a37dbd893288ac27ebb38e97cd

    Download Submit

  • C:\Windows\Slave.exe
    Filesize

    97KB

    MD5

    60bb7ba0b162e56e1aa921c5f153db10

    SHA1

    0f73228e1743528c830806716ed8efb9f706a4ab

    SHA256

    2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5

    SHA512

    2b7b920c13ae133c72094ffea22f496ecc775520fbbef96b3051faed8f702e5120117f76aeaff02db96a38860328a300799dc2a37dbd893288ac27ebb38e97cd

    Download Submit

  • \??\c:\ra_slave.log
    Filesize

    371B

    MD5

    7f7c5462fca3eac462eabf19669fd7b5

    SHA1

    8381b18d1cfbf49a5e8c7e9499f9abc45f7e8311

    SHA256

    4148fc7b92e29a44f8c044460cbc4dda050844fb84b598b5f7e975e3ebc1a9a5

    SHA512

    5f7b9e07a3c2b6e0d8158fe6e7afa06eb523d038c78ae287987750d48610a3313c1902fa901fef76cb96d51067f298315dd0e8001be58e6c81ba74cbf8e27d48

    Download Submit

  • memory/4200-132-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/4200-136-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/4568-137-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/4568-138-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download