Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

f26c9ffa3f...86.exe

windows7-x64

10

f26c9ffa3f...86.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    29/10/2022, 08:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886.exe

  • Size

    136KB

  • MD5

    fb9e829aa297d5563b52bd4c23cea20f

  • SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

  • SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

  • SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

  • SSDEEP

    3072:4HXJr2sw7dtCkGdDYjWL1/jfAv6z1GUOH1wSMBGEbBsM27Pf:4HXh2sw7dtCkdwXz1G3HbB7

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 4 IoCs
    evasiontrojan
  • Executes dropped EXE 5 IoCs
  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886.exe
    "C:\Users\Admin\AppData\Local\Temp\f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886.exe"
    1⤵
    • UAC bypass
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:832
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable profile=all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode mode=disable profile=all
        3⤵
        • Modifies Windows Firewall
        PID:1732
    • C:\Users\Admin\AppData\Roaming\win32Runtime.exe
      "C:\Users\Admin\AppData\Roaming\win32Runtime.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1072
      • C:\Users\Admin\AppData\Roaming\rundlll.exe
        "C:\Users\Admin\AppData\Roaming\rundlll.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:664
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable profile=all
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall set opmode mode=disable profile=all
          4⤵
          • Modifies Windows Firewall
          PID:1760
    • C:\Users\Admin\AppData\Roaming\rundlll.exe
      "C:\Users\Admin\AppData\Roaming\rundlll.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:452
    • C:\Users\Admin\AppData\Roaming\AvProtector.exe
      "C:\Users\Admin\AppData\Roaming\AvProtector.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1912
    • C:\Users\Admin\AppData\Roaming\scvhost.exe
      "C:\Users\Admin\AppData\Roaming\scvhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:724

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\AvProtector.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • C:\Users\Admin\AppData\Roaming\rundlll.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • C:\Users\Admin\AppData\Roaming\rundlll.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • C:\Users\Admin\AppData\Roaming\scvhost.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • C:\Users\Admin\AppData\Roaming\win32Runtime.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • \Users\Admin\AppData\Roaming\AvProtector.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • \Users\Admin\AppData\Roaming\rundlll.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • \Users\Admin\AppData\Roaming\scvhost.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • \Users\Admin\AppData\Roaming\win32Runtime.exe
    Filesize

    136KB

    MD5

    fb9e829aa297d5563b52bd4c23cea20f

    SHA1

    507722663b4c12ea7749b50fe59bc53b0fbc74a1

    SHA256

    f26c9ffa3f9ba26a2403a8bf8949f88d7988482a3b7e2270f1e488ffc1df1886

    SHA512

    cd97a65902bf92da9a3552a0292a77fb1e517ea2c607333aa505e47a11227c3224a50a5a529af8c15b84dfe9b3e630bc8a02527c25dc3557da8bb0d9b12601ae

    Download Submit

  • memory/1732-56-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

    Filesize

    8KB

    Download