Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

a4c18f72f8...b9.exe

windows7-x64

10

a4c18f72f8...b9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    177s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/10/2022, 04:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4c18f72f80949c26e154dce20c5acd9891fc1c89891060c69486ceadd1a75b9.exe

  • Size

    484KB

  • MD5

    656edb8f3d3b124a7c28a70b39d67179

  • SHA1

    b8382b930a3be717d2c371e4c0c00e2bf6f08c01

  • SHA256

    a4c18f72f80949c26e154dce20c5acd9891fc1c89891060c69486ceadd1a75b9

  • SHA512

    6b6f22d2adb9733453dc032a614d44fcaa2fd9d567b57d686ce90fe6f78a733e2276df38683bd5ee14ac6ab6dd98309cafd7bb5dde838674e181d6d1e8b8be26

  • SSDEEP

    12288:RoUld/f2I9JECdYW4/e4Pii15XZSAmKjlafbdDNUQ:h92ILECd0R15XZS3QafpDNUQ

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 7 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4c18f72f80949c26e154dce20c5acd9891fc1c89891060c69486ceadd1a75b9.exe
    "C:\Users\Admin\AppData\Local\Temp\a4c18f72f80949c26e154dce20c5acd9891fc1c89891060c69486ceadd1a75b9.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\Users\Admin\LB9c4j3K.exe
      C:\Users\Admin\LB9c4j3K.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4860
      • C:\Users\Admin\giexoub.exe
        "C:\Users\Admin\giexoub.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2308
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del LB9c4j3K.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4828
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1424
    • C:\Users\Admin\aahost.exe
      C:\Users\Admin\aahost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Users\Admin\aahost.exe
        "C:\Users\Admin\aahost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1860
    • C:\Users\Admin\bshost.exe
      C:\Users\Admin\bshost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
          PID:688
      • C:\Users\Admin\dyhost.exe
        C:\Users\Admin\dyhost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3100
      • C:\Users\Admin\ekhost.exe
        C:\Users\Admin\ekhost.exe
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3952
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4636
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:2552
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del a4c18f72f80949c26e154dce20c5acd9891fc1c89891060c69486ceadd1a75b9.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:3932

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\LB9c4j3K.exe
      Filesize

      212KB

      MD5

      fa0eb2a8b561ea9afc6a51709ff0d7de

      SHA1

      4ef5265f5b5bb1a4857e7668f132405c799da155

      SHA256

      99ecfb1bb7cdb1e8dd609e60b10d5346b90284172c854b6234631212dd501c4f

      SHA512

      0e8b194cb0e65429b84ac32a0fa131d072f7f425804df192d7a90a7ec6eb7ce9991716ce5a9ca3bcd106181076832d5fa7d6f9cbe67fc80a427ef7980beb75c6

      Download Submit

    • C:\Users\Admin\LB9c4j3K.exe
      Filesize

      212KB

      MD5

      fa0eb2a8b561ea9afc6a51709ff0d7de

      SHA1

      4ef5265f5b5bb1a4857e7668f132405c799da155

      SHA256

      99ecfb1bb7cdb1e8dd609e60b10d5346b90284172c854b6234631212dd501c4f

      SHA512

      0e8b194cb0e65429b84ac32a0fa131d072f7f425804df192d7a90a7ec6eb7ce9991716ce5a9ca3bcd106181076832d5fa7d6f9cbe67fc80a427ef7980beb75c6

      Download Submit

    • C:\Users\Admin\aahost.exe
      Filesize

      140KB

      MD5

      93ea44e078cb0477614729636866a84b

      SHA1

      f9752413d48fd98a77cfce8fff04a7a0d72c26d8

      SHA256

      c16c3df8b6b4187e04a6abb49a15eb02ccefdce86068960ab3afeb088bf4ba27

      SHA512

      351bafb9dc5395a9cd1393b76cba405312a5d85a59e5b1c0e891c2de1343b2bc2765a40077e4155fbd9a5578db3be66ace35e27ff02cb32f813ba01db4fc1113

      Download Submit

    • C:\Users\Admin\aahost.exe
      Filesize

      140KB

      MD5

      93ea44e078cb0477614729636866a84b

      SHA1

      f9752413d48fd98a77cfce8fff04a7a0d72c26d8

      SHA256

      c16c3df8b6b4187e04a6abb49a15eb02ccefdce86068960ab3afeb088bf4ba27

      SHA512

      351bafb9dc5395a9cd1393b76cba405312a5d85a59e5b1c0e891c2de1343b2bc2765a40077e4155fbd9a5578db3be66ace35e27ff02cb32f813ba01db4fc1113

      Download Submit

    • C:\Users\Admin\aahost.exe
      Filesize

      140KB

      MD5

      93ea44e078cb0477614729636866a84b

      SHA1

      f9752413d48fd98a77cfce8fff04a7a0d72c26d8

      SHA256

      c16c3df8b6b4187e04a6abb49a15eb02ccefdce86068960ab3afeb088bf4ba27

      SHA512

      351bafb9dc5395a9cd1393b76cba405312a5d85a59e5b1c0e891c2de1343b2bc2765a40077e4155fbd9a5578db3be66ace35e27ff02cb32f813ba01db4fc1113

      Download Submit

    • C:\Users\Admin\bshost.exe
      Filesize

      260KB

      MD5

      bbc0a2fe1284778896b57ffc5701aefa

      SHA1

      6b9a0106b82c63265936ce728a858d258c8f6b14

      SHA256

      92fad55bc5c7438d0f36501581b4b958efba2fbe5db02b97093a79b8a19645a0

      SHA512

      8a17a1ed99a99a270191684b0337836531934b8717e78481815fd18767a172e6d7cf89488926dd2ea1b9e9ccaf53afd29c6925beaeb2fa7fa918be0e416be930

      Download Submit

    • C:\Users\Admin\bshost.exe
      Filesize

      260KB

      MD5

      bbc0a2fe1284778896b57ffc5701aefa

      SHA1

      6b9a0106b82c63265936ce728a858d258c8f6b14

      SHA256

      92fad55bc5c7438d0f36501581b4b958efba2fbe5db02b97093a79b8a19645a0

      SHA512

      8a17a1ed99a99a270191684b0337836531934b8717e78481815fd18767a172e6d7cf89488926dd2ea1b9e9ccaf53afd29c6925beaeb2fa7fa918be0e416be930

      Download Submit

    • C:\Users\Admin\dyhost.exe
      Filesize

      48KB

      MD5

      d46eb4bf816ed9978636de7955245323

      SHA1

      c474df60a83302e0d010d11dcebd7cdb3cc22866

      SHA256

      2ae9b936feeade89c9074c379efedd21d15a1cf247207afe5381f437e41ca4bd

      SHA512

      e46a604a96345b1b6800cb22c8c870dfa62dbdd8bd5b6ff43ddce9b080d1af180db498dad23561c0116b4dadbc44617b26840e67bc0afde01439e4c70632d7ef

      Download Submit

    • C:\Users\Admin\dyhost.exe
      Filesize

      48KB

      MD5

      d46eb4bf816ed9978636de7955245323

      SHA1

      c474df60a83302e0d010d11dcebd7cdb3cc22866

      SHA256

      2ae9b936feeade89c9074c379efedd21d15a1cf247207afe5381f437e41ca4bd

      SHA512

      e46a604a96345b1b6800cb22c8c870dfa62dbdd8bd5b6ff43ddce9b080d1af180db498dad23561c0116b4dadbc44617b26840e67bc0afde01439e4c70632d7ef

      Download Submit

    • C:\Users\Admin\ekhost.exe
      Filesize

      24KB

      MD5

      9fe0e5252dc24fc1788b0d8b26026807

      SHA1

      21e3063a0fac1157b9707861048c5f7fbd070ceb

      SHA256

      9c99c968d969c2d5c1570c6066957d726bc19ffe9e0562242ce1bf79514c1b40

      SHA512

      613f5c821dfcef8124ecb7c9b118cda14be4d72a26f1a21ffde81c4d8aae4f315740d66c298e5963b0647f0ecd9e2d63d9bbb8df4e0c731019896e7ac0391d5c

      Download Submit

    • C:\Users\Admin\ekhost.exe
      Filesize

      24KB

      MD5

      9fe0e5252dc24fc1788b0d8b26026807

      SHA1

      21e3063a0fac1157b9707861048c5f7fbd070ceb

      SHA256

      9c99c968d969c2d5c1570c6066957d726bc19ffe9e0562242ce1bf79514c1b40

      SHA512

      613f5c821dfcef8124ecb7c9b118cda14be4d72a26f1a21ffde81c4d8aae4f315740d66c298e5963b0647f0ecd9e2d63d9bbb8df4e0c731019896e7ac0391d5c

      Download Submit

    • C:\Users\Admin\giexoub.exe
      Filesize

      212KB

      MD5

      2d3b024b3c3000239efa0f61fe687158

      SHA1

      86b43c3d2e42097356bf52922e9ade2204838e42

      SHA256

      6bb1138d6ead3d9d56b3f71982c3a6e8c5fecde56c2a430ec68f35c62bb8ffec

      SHA512

      a7cd22da9580a51e99bb3e2e2e69f257b55bb156cce069187d3d28d81690381f23a0e6ca07d6619b7ada7f5b089917aa172b7b795d76ae24d2952f6d6999688d

      Download Submit

    • C:\Users\Admin\giexoub.exe
      Filesize

      212KB

      MD5

      2d3b024b3c3000239efa0f61fe687158

      SHA1

      86b43c3d2e42097356bf52922e9ade2204838e42

      SHA256

      6bb1138d6ead3d9d56b3f71982c3a6e8c5fecde56c2a430ec68f35c62bb8ffec

      SHA512

      a7cd22da9580a51e99bb3e2e2e69f257b55bb156cce069187d3d28d81690381f23a0e6ca07d6619b7ada7f5b089917aa172b7b795d76ae24d2952f6d6999688d

      Download Submit

    • memory/1508-164-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1508-162-0x00000000008D0000-0x0000000000914000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1508-161-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1860-145-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1860-150-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1860-149-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1860-148-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download