ec589dcb72e74209d47a1f6ed8e9a1e16250851df9c06c8b9b196499edf01cf5 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

ec589dcb72...f5.exe

windows7-x64

ec589dcb72...f5.exe

windows10-2004-x64

Sharing

General

Target

ec589dcb72e74209d47a1f6ed8e9a1e16250851df9c06c8b9b196499edf01cf5
Size

312KB
Sample

221020-xz55ksbbe8
MD5

4588d6515198e39f1b4f42d3873650a0
SHA1

bc9be43667c91ab79cbd6ed75b572602f95c90c1
SHA256

ec589dcb72e74209d47a1f6ed8e9a1e16250851df9c06c8b9b196499edf01cf5
SHA512

b7580f60785ce34981657d1a2ffe1a36a34b34b88c225c5fee35ae5841024b6c2194945553c0365819ee8b704251ea7ec375f2944549133e1de61f6f3b707cb3
SSDEEP

6144:wRDQklQdJvUq2S9x9bXlw0x4RtLcjXHt7FBaNrWMarMWkwHEo:wRDQklQdJvUhShXS00LcjHthKK1rRao

Score

10^/10

evasion persistence

Static task

static1

Behavioral task

behavioral1

Sample

ec589dcb72e74209d47a1f6ed8e9a1e16250851df9c06c8b9b196499edf01cf5.exe

Resource

win7-20220812-en

evasion persistence

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

ec589dcb72e74209d47a1f6ed8e9a1e16250851df9c06c8b9b196499edf01cf5.exe

Resource

win10v2004-20220812-en

evasion persistence

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  ec589dcb72e74209d47a1f6ed8e9a1e16250851df9c06c8b9b196499edf01cf5
- Size
  
  312KB
- MD5
  
  4588d6515198e39f1b4f42d3873650a0
- SHA1
  
  bc9be43667c91ab79cbd6ed75b572602f95c90c1
- SHA256
  
  ec589dcb72e74209d47a1f6ed8e9a1e16250851df9c06c8b9b196499edf01cf5
- SHA512
  
  b7580f60785ce34981657d1a2ffe1a36a34b34b88c225c5fee35ae5841024b6c2194945553c0365819ee8b704251ea7ec375f2944549133e1de61f6f3b707cb3
- SSDEEP
  
  6144:wRDQklQdJvUq2S9x9bXlw0x4RtLcjXHt7FBaNrWMarMWkwHEo:wRDQklQdJvUhShXS00LcjHthKK1rRao
Score

10^/10

evasion persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

evasionpersistence

© 2018-2025

Terms | Privacy