Analysis

  • max time kernel
    136s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2022, 13:15 UTC

General

  • Target

    4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe

  • Size

    179KB

  • MD5

    045246283d63b1757196f302232c8900

  • SHA1

    b20c27fdfa6d82ca5e5b694bcf98ba15d69c1ead

  • SHA256

    4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe

  • SHA512

    37fe425afc065334b80636ae533d2e6073b1b31509e092312d4ef59ce184f89969c1279930391fd28fd6d9f1e0c7639834800aee6fb9da94ee457a14256b659f

  • SSDEEP

    3072:QWceId2Z+oWP9XEdIJ4/+p6kzATcngTdIY8BkP38mOo6EwBjj:QWcFdtosXEd+4XkOdIvqP38mOoz

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe
    "C:\Users\Admin\AppData\Local\Temp\4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Users\Admin\AppData\Local\Temp\4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe
      "C:\Users\Admin\AppData\Local\Temp\4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4440
      • C:\Users\Admin\AppData\Roaming\Wjzbzx.exe
        "C:\Users\Admin\AppData\Roaming\Wjzbzx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4808
        • C:\Users\Admin\AppData\Roaming\Wjzbzx.exe
          "C:\Users\Admin\AppData\Roaming\Wjzbzx.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3116
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:916
            • C:\Program Files\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4580
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4580 CREDAT:17410 /prefetch:2
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:448

Network

  • flag-us
    DNS
    api.bing.com
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    api.bing.com
    IN A
    Response
    api.bing.com
    IN CNAME
    api-bing-com.e-0001.e-msedge.net
    api-bing-com.e-0001.e-msedge.net
    IN CNAME
    e-0001.e-msedge.net
    e-0001.e-msedge.net
    IN A
    13.107.5.80
  • 20.44.10.122:443
    322 B
    7
  • 8.238.21.126:80
    322 B
    7
  • 8.238.21.126:80
    322 B
    7
  • 8.238.21.126:80
    322 B
    7
  • 8.238.24.126:80
    46 B
    40 B
    1
    1
  • 204.79.197.200:443
    ieonline.microsoft.com
    tls, http2
    IEXPLORE.EXE
    1.2kB
    8.1kB
    15
    14
  • 8.8.8.8:53
    api.bing.com
    dns
    IEXPLORE.EXE
    58 B
    134 B
    1
    1

    DNS Request

    api.bing.com

    DNS Response

    13.107.5.80

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    5f49b65bdc1713b58ed97d0e9625a968

    SHA1

    84b74e55478c9abb163aa6629e3fd3b91bed4806

    SHA256

    a681ab9abc281fd12a7bd06f56e36a21e8ee28b5294815c5e07b781e324a32f9

    SHA512

    4b502288bef324db8ad33e63c7b6f242ef7954a6fbec3ed012530044c82fee3ad1158febe088bc0deea67ac35646a0a1bd6d961c0f67b11fee584e4f1abd753a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    434B

    MD5

    74f0c8c4643c2e7196bc3f5b7ac3e77c

    SHA1

    35f727e574c57cd8c7efcd2eb43f5a29382e226e

    SHA256

    26c87d8eee64b68f1364f0af32600294a5995c6df0b107371f2f14c1599b63bd

    SHA512

    33193b8a64118ec63d73553d21dcfab3275623a46744f6b5337dea14626b7df7ba3baf79444499dfd3ef505f68c8b390d9e1260a000673fb5f26cf03e71ebc48

  • C:\Users\Admin\AppData\Roaming\Wjzbzx.exe

    Filesize

    179KB

    MD5

    045246283d63b1757196f302232c8900

    SHA1

    b20c27fdfa6d82ca5e5b694bcf98ba15d69c1ead

    SHA256

    4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe

    SHA512

    37fe425afc065334b80636ae533d2e6073b1b31509e092312d4ef59ce184f89969c1279930391fd28fd6d9f1e0c7639834800aee6fb9da94ee457a14256b659f

  • memory/1400-136-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1400-132-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/3116-148-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3116-149-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/4440-142-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/4440-138-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/4440-137-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/4440-134-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB
