Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3a5d3a1e64...eb.exe

windows7-x64

7

3a5d3a1e64...eb.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    170s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/10/2022, 15:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe

  • Size

    322KB

  • MD5

    91f4c8526869f34f38b8eed628b557a1

  • SHA1

    5757818e4bbcce1a481c70f1370578f190b676cb

  • SHA256

    3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb

  • SHA512

    b141483fed0ba742a2778659a1f7f28d969014c4016524e4bb478964c73755de4ccbd8815eec725573ba6fc40164955c97a77e4ed6979532695fb6a6ad824e87

  • SSDEEP

    6144:ukuP43GMaCXZgY9jYYp5fp1VNB0acuz0dqy1jQS:ukuP43GCXdjjpBVNBVfzBy1sS

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Program crash 1 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2484
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3420
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4844
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3740
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
      PID:3512
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3352
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      1⤵
        PID:3252
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 3252 -s 984
          2⤵
          • Program crash
          PID:1080
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Adds Run key to start application
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2556
        • C:\Users\Admin\AppData\Local\Temp\3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe
          "C:\Users\Admin\AppData\Local\Temp\3a5d3a1e64612ee7d7dda35761f983a1d3b7bcd42afe32ee67e9438a4e96aceb.exe"
          2⤵
          • Loads dropped DLL
          • Adds Run key to start application
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1656
      • C:\Windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2604
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 424 -p 3252 -ip 3252
        1⤵
          PID:4688

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\toeqdbl.dat
          Filesize

          244KB

          MD5

          be297f52018cebfad9af9b432a53af29

          SHA1

          5111aa620f29b77048b5da629336923ff1e3cf25

          SHA256

          fb99ca1d7e660b909e35801658ee556eb1e39b5b65c2d09f4824de332c0085fb

          SHA512

          4bae920dd7fbce22284749c38812f15d97fee6d3ca66288d875a72922586c032f9cc80d236c64687b1c495972870109e73be5ca5ad313b98aedabe5d357c054c

          Download Submit

        • C:\ProgramData\toeqdbl.dat
          Filesize

          244KB

          MD5

          be297f52018cebfad9af9b432a53af29

          SHA1

          5111aa620f29b77048b5da629336923ff1e3cf25

          SHA256

          fb99ca1d7e660b909e35801658ee556eb1e39b5b65c2d09f4824de332c0085fb

          SHA512

          4bae920dd7fbce22284749c38812f15d97fee6d3ca66288d875a72922586c032f9cc80d236c64687b1c495972870109e73be5ca5ad313b98aedabe5d357c054c

          Download Submit

        • memory/1656-155-0x0000000010000000-0x000000001002E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1656-135-0x0000000010000000-0x000000001002E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1656-133-0x0000000000400000-0x000000000046A000-memory.dmp

          Filesize

          424KB

          Download

        • memory/1656-138-0x0000000010000000-0x000000001004C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1656-154-0x0000000000400000-0x000000000046A000-memory.dmp

          Filesize

          424KB

          Download

        • memory/1656-132-0x0000000000400000-0x000000000046A000-memory.dmp

          Filesize

          424KB

          Download

        • memory/2484-139-0x00007FF9239B0000-0x00007FF9239B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2484-140-0x0000000000FB0000-0x0000000000FFD000-memory.dmp

          Filesize

          308KB

          Download

        • memory/2484-141-0x000001D245B50000-0x000001D245BB8000-memory.dmp

          Filesize

          416KB

          Download

        • memory/2556-144-0x00007FF9239B0000-0x00007FF9239B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2556-145-0x0000000008500000-0x0000000008568000-memory.dmp

          Filesize

          416KB

          Download

        • memory/2604-143-0x000001DCA6810000-0x000001DCA6878000-memory.dmp

          Filesize

          416KB

          Download

        • memory/2604-142-0x00007FF9239B0000-0x00007FF9239B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3352-147-0x000002259AD90000-0x000002259ADF8000-memory.dmp

          Filesize

          416KB

          Download

        • memory/3352-146-0x00007FF9239B0000-0x00007FF9239B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3420-148-0x00007FF9239B0000-0x00007FF9239B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3420-149-0x0000027FD0360000-0x0000027FD03C8000-memory.dmp

          Filesize

          416KB

          Download

        • memory/3740-150-0x00007FF9239B0000-0x00007FF9239B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3740-151-0x0000027359E30000-0x0000027359E98000-memory.dmp

          Filesize

          416KB

          Download

        • memory/4844-152-0x00007FF9239B0000-0x00007FF9239B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4844-153-0x0000022672A40000-0x0000022672AA8000-memory.dmp

          Filesize

          416KB

          Download