Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

39d48e5a8a...f0.exe

windows7-x64

8

39d48e5a8a...f0.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    135s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2022, 16:00 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39d48e5a8ae2b2f1190e468bb053c041f24a28b4de5980d5b75b5ee6605bb9f0.exe

  • Size

    1.9MB

  • MD5

    1dff19bfaffd13c6d5314f89cda3d9ec

  • SHA1

    f22e3b69ec3d24205a50993316b0e21f2f2f2137

  • SHA256

    39d48e5a8ae2b2f1190e468bb053c041f24a28b4de5980d5b75b5ee6605bb9f0

  • SHA512

    5cd548e4bb345e7bfaaeba328448b4bcdc967ed79a3d54243b088f6327fb00b6c6a2ae2854bffcfd6750f6c808a86c94e13c491851918ea6f596460343af75ce

  • SSDEEP

    49152:4IxzLHIIaGZ+EJTkQiona2Lxxa5+lCWjOkr3V47UuWKkAzT:OIaW+YTkQiona2LbplCWjBl4IuWKkAP

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39d48e5a8ae2b2f1190e468bb053c041f24a28b4de5980d5b75b5ee6605bb9f0.exe
    "C:\Users\Admin\AppData\Local\Temp\39d48e5a8ae2b2f1190e468bb053c041f24a28b4de5980d5b75b5ee6605bb9f0.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2984
  • C:\Windows\SysWOW64\pptpudf.exe
    C:\Windows\SysWOW64\pptpudf.exe 510
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4796

Network

  • flag-us
    DNS
    96.108.152.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    96.108.152.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    106.89.54.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    106.89.54.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    6.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    6.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa
    IN PTR
    Response
  • 93.184.221.240:80
    322 B
     7
  • 93.184.221.240:80
    322 B
     7
  • 20.52.64.200:443
    322 B
     7
  • 5.45.66.134:21
    39d48e5a8ae2b2f1190e468bb053c041f24a28b4de5980d5b75b5ee6605bb9f0.exe
    260 B
     200 B
     5
    5
  • 8.8.8.8:53
    96.108.152.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    96.108.152.52.in-addr.arpa

  • 8.8.8.8:53
    106.89.54.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    106.89.54.20.in-addr.arpa

  • 8.8.8.8:53
    6.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa
    dns
    118 B
     204 B
     1
    1

    DNS Request

    6.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\pptpudf.exe
    Filesize

    1.9MB

    MD5

    6dee56b85e8d91a2eb1c28fdab238dad

    SHA1

    cf81cf50f174010442504bc04341c223f7a4161d

    SHA256

    20fe9f09effeb4d07c8403293157eb1a2ca3fb78226d958715605cb8fcf45d41

    SHA512

    7b3dd2a0adbddda1eae3f9ac0118d6afcf64e055d9ed97c63e207a88eb6aecdcff6e65e42132a172872f2a30e232576e09acdb5b50bcee8dcc9dff8a3eaf5bc6

    Download Submit

  • C:\Windows\SysWOW64\pptpudf.exe
    Filesize

    1.9MB

    MD5

    6dee56b85e8d91a2eb1c28fdab238dad

    SHA1

    cf81cf50f174010442504bc04341c223f7a4161d

    SHA256

    20fe9f09effeb4d07c8403293157eb1a2ca3fb78226d958715605cb8fcf45d41

    SHA512

    7b3dd2a0adbddda1eae3f9ac0118d6afcf64e055d9ed97c63e207a88eb6aecdcff6e65e42132a172872f2a30e232576e09acdb5b50bcee8dcc9dff8a3eaf5bc6

    Download Submit

  • memory/2984-132-0x0000000000400000-0x000000000058D000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4796-135-0x0000000000400000-0x000000000058D000-memory.dmp

    Filesize

    1.6MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.