Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

10293781bf...a3.exe

windows7-x64

8

10293781bf...a3.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    106s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29/10/2022, 20:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe

  • Size

    156KB

  • MD5

    51c310181e3fed26d58655bd3cf171c0

  • SHA1

    c2d050a868da1143e3627c81c41a1ba5420645d9

  • SHA256

    10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3

  • SHA512

    391d43e4477ca907c7af228f48f5021b16d70551e2e87f303edd74b7f853608fb4641d6fc4ba8027b43bf63554af872641333c17a33efcb841d36354946ca74b

  • SSDEEP

    3072:O6M0dATPzlXJjHL/F9BRqKY5ntwexnLEHCGv:OMEzlZjHL/F9B0KY5ntP1EHtv

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe
    "C:\Users\Admin\AppData\Local\Temp\10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Windows\SysWOW64\sc.exe
      sc.exe stop KWatchSvc
      2⤵
      • Launches sc.exe
      PID:2032
    • C:\Windows\SysWOW64\sc.exe
      sc.exe delete KWatchSvc
      2⤵
      • Launches sc.exe
      PID:2040
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:275457 /prefetch:2
          4⤵
          • Loads dropped DLL
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1804

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\xpsp11res.dll
    Filesize

    64KB

    MD5

    2525aaa5235d0162c375cc9d6e913d4b

    SHA1

    e3c0ebcd75bd28611e7cfe5928fb1288d256d07f

    SHA256

    28318f923a63c8c609f2fc2ff8f9926325503e8db33768b20d397d91d45f99de

    SHA512

    51a4a3c379f8ee6bf43126b1535ea1846f23acd891724a0729df678f8487edbb7ef8108b6c6b1ba7bccf563c57be1a5e5cf71d2ced0fd2e2cb70192cafcb518a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8RHE01CK.txt
    Filesize

    606B

    MD5

    ba6dcd5501bd22a1d339f515763a5809

    SHA1

    e5edead536551c59f273e2b7152a5a19e4c16d9b

    SHA256

    473bdd661f6aa7b9f100802ab100fe38581532d4b1ad3713e67139c963606b58

    SHA512

    1fbe2801bf3c7b023b5804584d57676f3b459ec3ea6ff7d39057006093059bd9deaa4770b924785fee5eba99c5a94d36cd501260ae6f11296f1d106ceb5ca6f7

    Download Submit

  • \Program Files (x86)\Common Files\xp11update.exe
    Filesize

    156KB

    MD5

    51c310181e3fed26d58655bd3cf171c0

    SHA1

    c2d050a868da1143e3627c81c41a1ba5420645d9

    SHA256

    10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3

    SHA512

    391d43e4477ca907c7af228f48f5021b16d70551e2e87f303edd74b7f853608fb4641d6fc4ba8027b43bf63554af872641333c17a33efcb841d36354946ca74b

    Download Submit

  • \Program Files (x86)\Common Files\xpsp11res.dll
    Filesize

    64KB

    MD5

    2525aaa5235d0162c375cc9d6e913d4b

    SHA1

    e3c0ebcd75bd28611e7cfe5928fb1288d256d07f

    SHA256

    28318f923a63c8c609f2fc2ff8f9926325503e8db33768b20d397d91d45f99de

    SHA512

    51a4a3c379f8ee6bf43126b1535ea1846f23acd891724a0729df678f8487edbb7ef8108b6c6b1ba7bccf563c57be1a5e5cf71d2ced0fd2e2cb70192cafcb518a

    Download Submit

  • memory/1256-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

    Filesize

    8KB

    Download