Analysis

  • max time kernel
    82s
  • max time network
    98s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/11/2022, 14:14 UTC

General

  • Target

    137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe

  • Size

    122KB

  • MD5

    0433c60a249730829b9df7c66585280a

  • SHA1

    a578a54514a0faf9f00435d153ec74ccb803f0c4

  • SHA256

    137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0

  • SHA512

    cbdd16addb2c72082b7fdb713225203d6ed6640e9ff827f4f40147ea17830d436a535564536a0a2118b0f9c8d92b0a87e11976d93d9bc42f079456698d230be5

  • SSDEEP

    3072:sufO+VTTywpp4PcShif3MKyeI7+uhmqWMGrsN4s/u:9NTywr4vif3MwY+uhfN5G

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Deletes itself (1 IoC)
  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Program Files directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: MapViewOfSection (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe
    "C:\Users\Admin\AppData\Local\Temp\137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe
      C:\Users\Admin\AppData\Local\Temp\137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe
      2⤵
      • Maps connected drives based on registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\syswow64\svchost.exe
        C:\Windows\syswow64\svchost.exe
        3⤵
        • Adds policy Run key to start application
        • Deletes itself
        • Drops file in Program Files directory
        PID:584
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1932
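The process tree above is the classic two-stage hollowing shape: the dropper (PID 1672) uses SetThreadContext and WriteProcessMemory to relaunch a copy of itself (PID 268), and that copy uses MapViewOfSection and WriteProcessMemory to start a 32-bit svchost.exe (PID 584) that then does the real work (Run-key persistence, self-deletion). The following is an added example, not code from tria.ge or from the sample: it rebuilds the report's tree as constructed data (only the PIDs, image paths and signature names come from the page) and runs two heuristics over it. The `EXPECTED_PARENT` table (svchost.exe is started by services.exe) and the user-writable path list are assumptions about a stock Windows 7 host, not facts from the report.

```python
"""Flag a process-hollowing chain in a sandbox process tree (added example)."""
import ntpath
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int]
    signatures: List[str] = field(default_factory=list)


@dataclass
class Finding:
    pid: int
    rule: str
    parent_pid: int
    apis: List[str]


# Constructed copy of the report's Processes section: PIDs, images and
# signature names are taken from the page, the parent links from its nesting.
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = TEMP + "137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe"
TREE = [
    Proc(1672, SAMPLE, None, ["SetThreadContext", "AdjustPrivilegeToken", "WriteProcessMemory"]),
    Proc(268, SAMPLE, 1672, ["Maps connected drives based on registry", "EnumeratesProcesses",
                             "MapViewOfSection", "WriteProcessMemory"]),
    Proc(584, "C:\\Windows\\syswow64\\svchost.exe", 268,
         ["Adds policy Run key to start application", "Deletes itself",
          "Drops file in Program Files directory"]),
    Proc(1932, "C:\\Windows\\SysWOW64\\DllHost.exe", None, ["FindShellTrayWindow"]),
]

INJECTION_APIS = {"SetThreadContext", "WriteProcessMemory", "MapViewOfSection"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: paths a non-admin user can write to on a Windows 7 box.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Assumption: the only legitimate parent of svchost.exe is services.exe.
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}


def ancestry(tree: List[Proc], pid: int) -> List[str]:
    """Image basenames from the root of the tree down to `pid`."""
    by_pid = {p.pid: p for p in tree}
    names = []
    cur = by_pid.get(pid)
    while cur is not None:
        names.append(ntpath.basename(cur.image).lower())
        cur = by_pid.get(cur.parent) if cur.parent is not None else None
    return names[::-1]


def find_hollowing(tree: List[Proc]) -> List[Finding]:
    by_pid = {p.pid: p for p in tree}
    findings = []
    for p in tree:
        parent = by_pid.get(p.parent) if p.parent is not None else None
        if parent is None:
            continue
        apis = sorted(INJECTION_APIS & set(parent.signatures))
        if not apis:
            continue  # parent never wrote into another process
        image = p.image.lower()
        name = ntpath.basename(image)
        # Rule 1: an injector relaunching its own image from a user-writable
        # path (stage-1 unpacking into a suspended copy of itself).
        if image == parent.image.lower() and any(m in image for m in USER_WRITABLE):
            findings.append(Finding(p.pid, "self-spawn by injector", parent.pid, apis))
        # Rule 2: a system binary whose parent is an injector instead of its
        # expected service parent (stage-2 hollowing of a trusted image).
        if image.startswith(SYSTEM_DIRS):
            parent_name = ntpath.basename(parent.image.lower())
            if parent_name not in EXPECTED_PARENT.get(name, set()):
                findings.append(Finding(p.pid, "system binary spawned by injector", parent.pid, apis))
    return findings


if __name__ == "__main__":
    for f in find_hollowing(TREE):
        print(f"PID {f.pid}: {f.rule} (parent {f.parent_pid}; {', '.join(f.apis)})")
        print("  chain:", " -> ".join(ancestry(TREE, f.pid)))
```

Both rules fire on this tree (PID 268 as the self-spawn, PID 584 as the hollowed svchost.exe) and neither fires on the DllHost.exe COM surrogate, which has no injecting parent. On a real host the same two rules map onto Sysmon event ID 1 (parent/child image) joined with event IDs 8 and 10 (remote thread and process access).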

Network

  • flag-us
    DNS
    www.update.microsoft.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    www.update.microsoft.com
    IN A
    Response
    www.update.microsoft.com
    IN CNAME
    redir.update.msft.com.trafficmanager.net
    redir.update.msft.com.trafficmanager.net
    IN A
    20.109.209.108
  • 20.109.209.108:80
    Domain: www.update.microsoft.com
    Process: svchost.exe
    Sent: 144 B (3 packets)
    Received: 92 B (2 packets)
  • 91.234.104.132:80
    Domain: none recorded (direct-to-IP connection)
    Process: svchost.exe
    Sent: 152 B (3 packets)
    Received: nothing
  • 91.234.104.132:80
    Domain: none recorded (direct-to-IP connection, second attempt)
    Process: svchost.exe
    Sent: 152 B (3 packets)
    Received: nothing
  • 8.8.8.8:53 (dns)
    Domain: www.update.microsoft.com
    Process: svchost.exe
    Sent: 70 B (1 packet)
    Received: 140 B (1 packet)

    DNS Request

    www.update.microsoft.com

    DNS Response

    20.109.209.108
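Two things stand out in the network section: the only DNS lookup is for www.update.microsoft.com, exchanged with a tiny HTTP transaction (a connectivity check against a domain nobody blocks), and the hollowed svchost.exe then connects twice to 91.234.104.132:80 with no preceding DNS resolution and no bytes coming back. The following is an added example, not part of the tria.ge report: it feeds the report's connection and DNS records (re-typed here as constructed data) through two triage rules, "destination never appeared in a DNS answer" and "bytes sent but none received", which is how an analyst separates a hard-coded C2 address from ordinary resolved traffic. Field order (sent, received, packets sent, packets received) follows the report's columns.

```python
"""Triage sandbox network records for hard-coded, unanswered C2 (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Conn:
    dst_ip: str
    dst_port: int
    process: str
    tx_bytes: int
    rx_bytes: int
    tx_pkts: int
    rx_pkts: int


# Constructed from the report's Network section.
DNS_ANSWERS: Dict[str, Set[str]] = {"www.update.microsoft.com": {"20.109.209.108"}}
CONNS: List[Conn] = [
    Conn("20.109.209.108", 80, "svchost.exe", 144, 92, 3, 2),
    Conn("91.234.104.132", 80, "svchost.exe", 152, 0, 3, 0),
    Conn("91.234.104.132", 80, "svchost.exe", 152, 0, 3, 0),
]

NO_DNS = "hard-coded destination: no DNS answer in the session resolved to it"
ONE_WAY = "one-way traffic: bytes sent, nothing received"


def resolved_ips(dns_answers: Dict[str, Set[str]]) -> Set[str]:
    """Every address any DNS response in the session handed back."""
    out: Set[str] = set()
    for ips in dns_answers.values():
        out |= ips
    return out


def triage(conns: Iterable[Conn], dns_answers: Dict[str, Set[str]]) -> Dict[Tuple[str, int], List[str]]:
    """Map (ip, port) -> sorted list of reasons; endpoints with no reason are omitted."""
    known = resolved_ips(dns_answers)
    reasons: Dict[Tuple[str, int], Set[str]] = {}
    for c in conns:
        if not ip_address(c.dst_ip).is_global:
            continue  # sandbox gateway / link-local noise is not a C2 candidate
        bucket = reasons.setdefault((c.dst_ip, c.dst_port), set())
        if c.dst_ip not in known:
            bucket.add(NO_DNS)
        if c.tx_bytes > 0 and c.rx_bytes == 0:
            bucket.add(ONE_WAY)
    return {k: sorted(v) for k, v in reasons.items() if v}


if __name__ == "__main__":
    for (ip, port), why in triage(CONNS, DNS_ANSWERS).items():
        print(f"{ip}:{port}")
        for r in why:
            print("  -", r)
```

Only 91.234.104.132:80 is reported, on both counts; the Microsoft update host is resolved, answered, and dropped as benign. "Nothing received" on its own is weak evidence (the server may simply have been down when the sandbox ran), which is why the two reasons are kept separate rather than folded into one score.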

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Confirmation - Votre IPad-le-dernier-produit-Apple.jpg

    Filesize

    32KB

    MD5

    c48967ee653ab1279276a35d4bcfa8a0

    SHA1

    44e7b00112425ad9a44228012d5723430acff9d2

    SHA256

    32b8d4a3c5a1a4a08a80821198f54bb2b0d956b1229b0ad8727cd60b6108b80a

    SHA512

    18e268c4e2b36c06e82a9e9061e0df14526d23722def7b6d0dbe19e647ed3320400f5176e886a16fd18018e669bf82321ea03d9e22a83726db649c990f25cda1

  • memory/268-66-0x0000000000401000-0x0000000000405000-memory.dmp

    Filesize

    16KB

  • memory/268-57-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/268-58-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/268-60-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/584-70-0x0000000000030000-0x0000000000035000-memory.dmp

    Filesize

    20KB

  • memory/584-69-0x0000000000030000-0x0000000000035000-memory.dmp

    Filesize

    20KB

  • memory/584-68-0x0000000000620000-0x0000000000628000-memory.dmp

    Filesize

    32KB

  • memory/1672-63-0x0000000074170000-0x000000007471B000-memory.dmp

    Filesize

    5.7MB

  • memory/1672-55-0x0000000074170000-0x000000007471B000-memory.dmp

    Filesize

    5.7MB

  • memory/1672-56-0x0000000002065000-0x0000000002076000-memory.dmp

    Filesize

    68KB

  • memory/1672-64-0x0000000002065000-0x0000000002076000-memory.dmp

    Filesize

    68KB

  • memory/1672-54-0x0000000075111000-0x0000000075113000-memory.dmp

    Filesize

    8KB
