Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

9cb054034c...29.exe

windows7-x64

10

9cb054034c...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/10/2022, 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe

  • Size

    1.0MB

  • MD5

    0f2505b4e2152e859332b9606396099b

  • SHA1

    0c31cea8f55d46b278a128c3429f88171f5b5d13

  • SHA256

    9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29

  • SHA512

    9f8c105e6fad955b04d59d94c2ed237e5978b9fb0c2be32dfe3c40e8ee7cba4d62d41ee5394531eade957ad3a8839e14a5ebeb0e42d440181c1335e8d3e5eecf

  • SSDEEP

    24576:PmUNJyJqb1FcMap2ATT5kmUNJyJqb1FcMap2ATT5kmUNJyJqb1FcMap2ATT5:PmV2ApkmV2ApkmV2Ap

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe
    "C:\Users\Admin\AppData\Local\Temp\9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3420
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • Suspicious behavior: EnumeratesProcesses
      PID:4700

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\apppatch\svchost.exe
    Filesize

    1.0MB

    MD5

    17d74ad3d174654d7f7c1a1cc53cecfe

    SHA1

    3a53989620a7aaa8ec02f80c1d9880407fd6c2d4

    SHA256

    f5b4ce933f91d6cff55e87fcfe4ba79b68307c53342728113aedcc43a6fe2477

    SHA512

    71aaf654370b16e1ffd21ae8ddcb8487c2be63a04177df728bc1ec5b0c0a04909d4c1267b1ede064750551bcbb84f89ca3add288890cafef6753e816db607a9d

    Download Submit

  • C:\Windows\apppatch\svchost.exe
    Filesize

    1.0MB

    MD5

    17d74ad3d174654d7f7c1a1cc53cecfe

    SHA1

    3a53989620a7aaa8ec02f80c1d9880407fd6c2d4

    SHA256

    f5b4ce933f91d6cff55e87fcfe4ba79b68307c53342728113aedcc43a6fe2477

    SHA512

    71aaf654370b16e1ffd21ae8ddcb8487c2be63a04177df728bc1ec5b0c0a04909d4c1267b1ede064750551bcbb84f89ca3add288890cafef6753e816db607a9d

    Download Submit

  • memory/4700-135-0x0000000002900000-0x00000000029A8000-memory.dmp

    Filesize

    672KB

    Download

  • memory/4700-136-0x0000000002AF0000-0x0000000002BA6000-memory.dmp

    Filesize

    728KB

    Download