Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

ca1b26438c...2b.exe

windows7-x64

8

ca1b26438c...2b.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    122s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2022, 18:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca1b26438cac897c0d3ae3da5c680a66442e84763ffe0ed404bbc94539bac62b.exe

  • Size

    349KB

  • MD5

    0d61814785eb1776ccb70b0899e2d81f

  • SHA1

    f49aff6501da4b8d41761f68c7d2445bfceb32ce

  • SHA256

    ca1b26438cac897c0d3ae3da5c680a66442e84763ffe0ed404bbc94539bac62b

  • SHA512

    c4e8e911ccdec315a3951bd89a34dbeada9fa8b787d0f8e86ba38a9de39421319e20e22e15740829fa818a6c48856ff3fa757e9436d6305aace3d9e9fbc781ef

  • SSDEEP

    6144:ye340Hnu/EJXAF8u1qBhGNy4909VezjiGF+nh9CUZLcb+FPJ:yEJXs1q2N1906jidGUZLcb+FPJ

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
    adwarespyware
  • Modifies registry class 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca1b26438cac897c0d3ae3da5c680a66442e84763ffe0ed404bbc94539bac62b.exe
    "C:\Users\Admin\AppData\Local\Temp\ca1b26438cac897c0d3ae3da5c680a66442e84763ffe0ed404bbc94539bac62b.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\EditPlus\kk33.icw"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Windows\SysWow64\WScript.exe
        "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk33.icw"
        3⤵
          PID:816
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:628
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:888
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:888 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:272

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\EditPlus\kk33.icw
      Filesize

      132B

      MD5

      1ea58bdaf340b6242eb164a7b3cf504a

      SHA1

      32f9fe33357d610615acf3f1054c03a77d43af52

      SHA256

      ba49b5bfda6c0fd2200d4c7a853c71348e296487d7fbcc4d3a6871d19ff4cda8

      SHA512

      0f30378abce69e8b92e8b69b49c9384a4501de5a64e6ba978fed5fe33caf2bc0488c32f87a34510555f5e927d3f7e75307a9933e592372159a9e9ecf8a928f93

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AAF2PHWI.txt
      Filesize

      608B

      MD5

      5ba3c0fcd661c422eeb9a837c3e15c01

      SHA1

      0cb3c6e78230a57b71f00bad9e1859e4ff4430d1

      SHA256

      bb7f37cfeb965d99d266cfa36fdfbf011254f110bd9f0a33f5402a1dc5b4271a

      SHA512

      e334bb6e57a21c141179d106c05da663ca2a6104e07f694ca9adf377833c2053854ddba144585f2d2f3c7c9ece56fd007c256d8a0c81cd69282b30ebcec5b23d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
      Filesize

      44KB

      MD5

      7c30927884213f4fe91bbe90b591b762

      SHA1

      65693828963f6b6a5cbea4c9e595e06f85490f6f

      SHA256

      9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

      SHA512

      8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk33.icw
      Filesize

      842B

      MD5

      cef40a62b615883ae4ac46512ae83570

      SHA1

      b916dd1fcd6ebd7a3a24c65413d4d07d443007dc

      SHA256

      9f5b8af4a198a2e05c190e736a11545c4708da665e3b1810dcfdb7b95906ade8

      SHA512

      80d9391106a1af35d3a56e90f662aded1fca819c6aa3abd7639b7195168e2b2481a47c6e4aa14061994e34cfc69196e9bcefa1b2c69fc24e8512b4132915bfd4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll
      Filesize

      80KB

      MD5

      cdadfa1995ac40ecdd51e83c0d67bf4f

      SHA1

      aa076ea83d578e4057ff9fd1e7923a497c133e8a

      SHA256

      56afc62c43b35ede478c5047be22cd8910022baa1d2d18108088009692e6fbd2

      SHA512

      75d44c6f643ba1711d823de2314734b2618df5408c4f2bc153796489452e73b15f9bff531fe23b0c34fc5259e6846bc399e17b50d2ce3e3f0d90bfc412eec5d9

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nstD3C.tmp\System.dll
      Filesize

      11KB

      MD5

      c17103ae9072a06da581dec998343fc1

      SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

      SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

      SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nstD3C.tmp\nsExec.dll
      Filesize

      6KB

      MD5

      acc2b699edfea5bf5aae45aba3a41e96

      SHA1

      d2accf4d494e43ceb2cff69abe4dd17147d29cc2

      SHA256

      168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

      SHA512

      e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

      Download Submit

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
      Filesize

      44KB

      MD5

      7c30927884213f4fe91bbe90b591b762

      SHA1

      65693828963f6b6a5cbea4c9e595e06f85490f6f

      SHA256

      9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

      SHA512

      8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

      Download Submit

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll
      Filesize

      80KB

      MD5

      cdadfa1995ac40ecdd51e83c0d67bf4f

      SHA1

      aa076ea83d578e4057ff9fd1e7923a497c133e8a

      SHA256

      56afc62c43b35ede478c5047be22cd8910022baa1d2d18108088009692e6fbd2

      SHA512

      75d44c6f643ba1711d823de2314734b2618df5408c4f2bc153796489452e73b15f9bff531fe23b0c34fc5259e6846bc399e17b50d2ce3e3f0d90bfc412eec5d9

      Download Submit

    • memory/1956-54-0x0000000075141000-0x0000000075143000-memory.dmp

      Filesize

      8KB

      Download