Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

8

21cbedb0b2...7b.exe

windows7-x64

8

21cbedb0b2...7b.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    14s
  • max time network
    3s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/10/2022, 21:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21cbedb0b2d9a139adce337672851bda35cffc972bf20f490040483eda45337b.exe

  • Size

    80KB

  • MD5

    0bf986be40980fd38c6d39e61167a9af

  • SHA1

    40bf3a6018b57bce24ef1db12bd92df6f130de37

  • SHA256

    21cbedb0b2d9a139adce337672851bda35cffc972bf20f490040483eda45337b

  • SHA512

    729b02302c4fc70900c9813673acb37c69f71e68792dea0dc8aedcbd235db92b2a43d17740f8659591da8c2c45931bcfbc3dc2732e00e0c80b4a6cd4aae83e4b

  • SSDEEP

    1536:ZnKZViWUC/JV16uXKNhOiFuCx9pmiG0si+p+InQ5gk:Z0ViWhz161fog9pVG0snnXk

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • UPX packed file 37 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21cbedb0b2d9a139adce337672851bda35cffc972bf20f490040483eda45337b.exe
    "C:\Users\Admin\AppData\Local\Temp\21cbedb0b2d9a139adce337672851bda35cffc972bf20f490040483eda45337b.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
      C:\Windows\system32\jfdfcewiuu\explorer.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4132
      • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
        C:\Windows\system32\jfdfcewiuu\explorer.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
          C:\Windows\system32\jfdfcewiuu\explorer.exe
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:508
          • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
            C:\Windows\system32\jfdfcewiuu\explorer.exe
            5⤵
              PID:1028
              • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
                C:\Windows\system32\jfdfcewiuu\explorer.exe
                6⤵
                  PID:4812
                  • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
                    C:\Windows\system32\jfdfcewiuu\explorer.exe
                    7⤵
                      PID:1508
                      • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
                        C:\Windows\system32\jfdfcewiuu\explorer.exe
                        8⤵
                          PID:4672
                          • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
                            C:\Windows\system32\jfdfcewiuu\explorer.exe
                            9⤵
                              PID:1376
                • C:\Windows\SysWOW64\ykndywlqab\smss.exe
                  C:\Windows\system32\ykndywlqab\smss.exe
                  3⤵
                    PID:1576
                • C:\Windows\SysWOW64\ykndywlqab\smss.exe
                  C:\Windows\system32\ykndywlqab\smss.exe
                  2⤵
                    PID:1400

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
                  Filesize

                  43KB

                  MD5

                  1b99271f6344ef8fe71f4949e27808ac

                  SHA1

                  9760f651a5688359925d9ee7ae2845d2951fe124

                  SHA256

                  4702f2740e74384646c4078a32fe6837fa5a611f760172cb23c672ae97508166

                  SHA512

                  ace6c513e07934bcf63fe9a21a22b1b8072521979852fb7a71fd7781c53bc786deb7f8b0e22674648c4b0391b137b06757650e99519be9822df641aceb8cf5d3

                  Download Submit

                • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
                  Filesize

                  35KB

                  MD5

                  b20c6e8f55f89de724c49450b551c338

                  SHA1

                  edb9728dd620a3b8e5e53241d35b3fdb712d5f3b

                  SHA256

                  7d95becaded205f71bb4e5b44f2bc02f5e9c0e4f2467e4100af038fdfb5ab47b

                  SHA512

                  de9136e707c82994a60ffb488f69c890a69152503d89dddf638c21c16daaef5c9a950c8377b9ef6ef0fab8d8ac7fa246d83d9eac185392b01ce45ebce1844a5b

                  Download Submit

                • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
                  Filesize

                  25KB

                  MD5

                  7706f8beb3d6c2141184d854addfe6a8

                  SHA1

                  159f014cd6924b0c62c1e98d6cf0a860ebe7a0b9

                  SHA256

                  542b9fe9f478cd72f2b822b8e8d55fc89baa729f5fc577cca97d68c92932e459

                  SHA512

                  386dbf3f3379522805d7b1b6f97ea007558b11097d297b8b8b9a98eb2c3016413ed07af8ff48ee4bf64598bfbf8fbc1ccc330d4ffa517c05abe85d3cb304665d

                  Download Submit

                • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
                  Filesize

                  27KB

                  MD5

                  f8baf40f018f5b7d9dbf0fb6a2baf89a

                  SHA1

                  3643a31fa410423a18a09c40271c1e25e5366637

                  SHA256

                  725b3acac8a6857c7dcf92acb1b49b036a127be5043f01df729d3481f039aefa

                  SHA512

                  3699213a6776658310b74ead5440141c5063e8dee15e441b17326680a847ee409ebcf92b3b674323641c6541f1810cde4319b262ee76f4d3d39125fbc25549b6

                  Download Submit

                • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
                  Filesize

                  24KB

                  MD5

                  6b60b9ff538873a05a1d6761accbfebf

                  SHA1

                  9883d25101d90fc2993aa3df7cecb96e62191f85

                  SHA256

                  b1abffd501bcf323668dced2c8174629af4597439319538c308fd8d4450653ef

                  SHA512

                  a0a44999b67cec8264e91d211d537a3ff0d7ec5ebb42fb7f8c8764e234d331d1f2f31f72a18ea2fc110946b6691af493f6977ad1183e984bc961d55876b949d6

                  Download Submit

                • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
                  Filesize

                  36KB

                  MD5

                  de5175844ba977ff129ea4ea8090ad9b

                  SHA1

                  4aa116a1dabb4a8a72c0d56d0de1c3645521a964

                  SHA256

                  5f926b54c1977908bcfb5810dcc7ef2e7d584d470b3e469485a9f0621f90e002

                  SHA512

                  9f73c932f7b73a6e818c60d7e2a6bdeb3c57c5059a55df72e26cdf8a760af27d6493b9c9c05b84774366c24e6ce0a9363479143bf2d6109a3a6b2e5f93987a28

                  Download Submit

                • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
                  Filesize

                  26KB

                  MD5

                  0437846bcdf576ed2d61149fc1c60cc3

                  SHA1

                  942348b05d7d8cc1a172bb74b82389d249eab1ed

                  SHA256

                  402a7a74355946415a4c4443707bbf71bf0d9b4c0b29ee3f866067164650aa14

                  SHA512

                  f390abe975c2ada8897823085f9c6bb2c9735544ffcc55e72b53987de4ebefe6332880ef0b3cbbf9d578d9910d97b565a07c6fbdd6fabe3888a91badb5713a11

                  Download Submit

                • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
                  Filesize

                  14KB

                  MD5

                  0307626d8d755981618a65a66147d04c

                  SHA1

                  9b9ce7adcd2381ebb58ef30e88bdd33ec220b965

                  SHA256

                  12803c251cbc5a91f7398da9796d862682b8e0f05742211a5a39252df7a926ae

                  SHA512

                  1c101ce214e48ab179762824c254b20275c03b0380858304be50c9ce182700892a97f1eafef10d92a2cb767fa1026d215055505a8c38a5cb3f4840a1594ea945

                  Download Submit

                • C:\Windows\SysWOW64\jfdfcewiuu\explorer.exe
                  Filesize

                  22KB

                  MD5

                  1d18a1d90aaf8e2cecb7e1670f9396a9

                  SHA1

                  f66ff115f571f49fac292f0cffbcafba2dc6d8db

                  SHA256

                  93e0f77780d58e78bfed15f0ab273790a5d997e0c602f4d91e5abfe33c2c707c

                  SHA512

                  de47a3dbb02ff78858d0cec82aa6be671729b01d9936d74a9d315bed77372d879a4b78d10e98b568b8ca6e6807d1ec0ca7865f61279894d0d15be6d4b59625a9

                  Download Submit

                • C:\Windows\SysWOW64\ykndywlqab\smss.exe
                  Filesize

                  23KB

                  MD5

                  843fbbcea19ec8cd092a1f2d6c4e5d12

                  SHA1

                  b2c217b663ad819583924caf5bf3c55bb5feae47

                  SHA256

                  e92eaa54af5ed6fab088a6255ef738d8b9c6f5d3c4e0ecdfd25247e05b649b72

                  SHA512

                  65fd6da76f132a6b8cc7ad937b721a0a95783ec16edf263dd2662a36beb11c40b3e9868d7bcafcd0187551c01776206d3e81857432715e03f4769d0185eb3805

                  Download Submit

                • C:\Windows\SysWOW64\ykndywlqab\smss.exe
                  Filesize

                  14KB

                  MD5

                  80bb1297c93096db58286a502386b753

                  SHA1

                  29dba4bac670b3c5e80152ade03b0eebd57bdcd4

                  SHA256

                  a66d594e5c890f9b48dfbd06c3fe1b7fdc0f198432e0c15a981088cfa7dde87c

                  SHA512

                  eb7608f14844fea0dde4ca6bd96568349c2fd8bdb6a34e7ef3f57cee955ee8e57c2ab2e3fcdb9f6f66cddc1a61de323abb359cacf0551faa5fd9d231d8ffa74c

                  Download Submit

                • C:\Windows\SysWOW64\ykndywlqab\smss.exe
                  Filesize

                  38KB

                  MD5

                  9ea456920251055677373e52b2dc8e4f

                  SHA1

                  f996a06f4d1863d925239ba1bdfdf657797e0bb0

                  SHA256

                  85e9049e7f62f1ee7cbbc38dff86ad379d31df0554c836f99b544b103633118a

                  SHA512

                  65479be4c5d52fa314f68c22d67f6e42541173eddb5a9cf2e24fa2490c8bfecc312925f0d472b1fd4e6385e001fcc169569af1f385f6025584e05a98ac4a1cbd

                  Download Submit

                • C:\Windows\SysWOW64\ykndywlqab\smss.exe
                  Filesize

                  20KB

                  MD5

                  1dfb82ee308c13ab5c9f87a3b4212b0a

                  SHA1

                  b96948fb1af18fd10fa96e7e029c5d2e7756d2f4

                  SHA256

                  991827460c483b3b2c8a97331c5208987a9f6ec425554993ab714b4adcc05e8d

                  SHA512

                  810075af89f9aa5861f68b83f43f0676dddf98418c333d040e929f2c23935ac5ab07b612090da6435b35e34f8be849214ef8b1254bc444e55ad52f2124e9b0d3

                  Download Submit

                • C:\Windows\SysWOW64\ykndywlqab\smss.exe
                  Filesize

                  25KB

                  MD5

                  eca990a19b87bc1ad585ed5d25cddb8f

                  SHA1

                  9a4b0a83c700602f85ddc2647098ac9b3a811abc

                  SHA256

                  9c7cc038ab30c53982ccccddbee831255a407d468d2bc3b89912431d921e7915

                  SHA512

                  8ef8acf22bc74b9de41bf3c9ddf2b90fabf2ed81165045c89a3de5eff1c950bb6e5e1b62f0eeedd6a82eaef33a76ef65ad6f4fd513b05429edc9dc4de557f598

                  Download Submit

                • C:\Windows\SysWOW64\ykndywlqab\smss.exe
                  Filesize

                  14KB

                  MD5

                  4a4ba17abd78094dbd1573d7ac1cd196

                  SHA1

                  0e3a2f96a4f934382878013c55f249900b8b88be

                  SHA256

                  929beaa57cb136ccee10717aab40f6baf5274a6efded422ef0e338f9dddef3ab

                  SHA512

                  5d1dab1e776b55c65bdb08001fd93afc6b93188ee9a0d348ec55f473f809696c68770d5009c7c3f338d13c3c78a1523ea4256ded8734057229f47d6b31d5b4c4

                  Download Submit

                • C:\Windows\SysWOW64\ykndywlqab\smss.exe
                  Filesize

                  35KB

                  MD5

                  6482f009d108bca9c5ae9ab43a0babfc

                  SHA1

                  1c4eb61f2de2d9da0b82d2713994e4e30bdf0506

                  SHA256

                  63e2b4fdbd412bb306c336375e9e3ba32384c34552f65b7dd51c98824119ea89

                  SHA512

                  1e28044bb3ca15dea850670ebe4b901c2e0f34d58de8f362a66ed6793bd2eb6a0479b0b03eb41420d7e36d657e85a9ee2638943b838e74ff8f3546618b4eb28c

                  Download Submit

                • C:\Windows\SysWOW64\ykndywlqab\smss.exe
                  Filesize

                  12KB

                  MD5

                  2d62b7c48539bce8fb1d2efbc28483f4

                  SHA1

                  fbc1950447aede65e314ade8b3c04d4330b922d5

                  SHA256

                  74ede66c5276fe14d258864469320b6b80af1cfae29d1fdbd590045a6af55df2

                  SHA512

                  567190a47765730005db2da3b526cc774560c6b64ccb2505c7ae01fcb5961314105ca00badf559f5ada4c251837003adfc453277990bb6c0bc958919a8d6b49e

                  Download Submit

                • C:\Windows\SysWOW64\ykndywlqab\smss.exe
                  Filesize

                  24KB

                  MD5

                  66d1ec77d8e59fcc999623330f0742af

                  SHA1

                  d76ec311b197bf1c5b204ea50d8ef5ee4d1ffad9

                  SHA256

                  295cedcb80cdc686d96abe761e46cab0f5f5ad56c303230094683a15826a2ba9

                  SHA512

                  3d589a53ef9b04845f8263fac07242486d8389e87f79fd67f25429a401e9686ddc2aba9b6ab00394b9382dd179a970741376640d6b033d5ceb1d47b093ce4345

                  Download Submit

                • C:\Windows\SysWOW64\ykndywlqab\smss.exe
                  Filesize

                  69KB

                  MD5

                  5291a009c308aed1b5cc27fc1477b077

                  SHA1

                  67466cf37591b8020c4727729fffe42ec5259a26

                  SHA256

                  e3790f2632523e20ee5c72ce0179ee3e6a5dbcaf866505c150bd8eb8c733a466

                  SHA512

                  57f7b931dd418a6bdcfc3ed95ebb1a16dededce29c5d108c032e7e94035aafe6f2d8d421206e1b5c83b00a81e57fc5b740d6f41872ef91fd8980a75d09bf0af8

                  Download Submit

                • memory/508-146-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/508-156-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/1028-150-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/1028-161-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/1400-170-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/1504-140-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/1504-151-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/1508-160-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/1508-171-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/1576-177-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/2604-132-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/2604-142-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/4132-145-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/4132-136-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/4672-166-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/4672-178-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/4812-165-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/4812-155-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download