Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

38abb6d28c...4c.exe

windows7-x64

10

38abb6d28c...4c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2022, 23:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe

  • Size

    92KB

  • MD5

    f2e8f8fe0b4d4d734d5304fd6ef16d47

  • SHA1

    c999b38f3c226716e161f8a6b2346d386a6c218b

  • SHA256

    38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

  • SHA512

    a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

  • SSDEEP

    1536:cgRswP+BgWekSIyUpbjFyjxEyxFJ7wRqqt:SwGKWeXIxFIEyt7Ydt

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Modifies Windows Firewall 1 TTPs 4 IoCs
    evasion
  • Sets file execution options in registry 2 TTPs 24 IoCs
    persistence
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 56 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
    "C:\Users\Admin\AppData\Local\Temp\38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Users\Admin\AppData\Local\Temp\38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe
      "C:\Users\Admin\AppData\Local\Temp\38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c.exe"
      2⤵
      • Modifies firewall policy service
      • Modifies visiblity of hidden/system files in Explorer
      • Sets file execution options in registry
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\SysWOW64\sc.exe
        sc.exe config SharedAccess start= disabled
        3⤵
        • Launches sc.exe
        PID:1712
      • C:\Windows\SysWOW64\netsh.exe
        netsh.exe firewall set opmode mode=disable profile=all
        3⤵
        • Modifies Windows Firewall
        PID:1780
      • C:\ProgramData\MalwareBytes0\vmwareuser.exe
        C:\ProgramData\MalwareBytes0\vmwareuser.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:916
        • C:\ProgramData\MalwareBytes0\vmwareuser.exe
          C:\ProgramData\MalwareBytes0\vmwareuser.exe
          4⤵
          • Modifies firewall policy service
          • Executes dropped EXE
          • Sets file execution options in registry
          • Drops file in System32 directory
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1084
          • C:\Windows\SysWOW64\netsh.exe
            netsh.exe firewall set opmode mode=disable profile=all
            5⤵
            • Modifies Windows Firewall
            PID:1900
          • C:\Windows\SysWOW64\sc.exe
            sc.exe config SharedAccess start= disabled
            5⤵
            • Launches sc.exe
            PID:1448
      • C:\ProgramData\MalwareBytes0\vmwareuser.exe
        C:\ProgramData\MalwareBytes0\vmwareuser.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\ProgramData\MalwareBytes0\vmwareuser.exe
          C:\ProgramData\MalwareBytes0\vmwareuser.exe
          4⤵
          • Modifies firewall policy service
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Sets file execution options in registry
          • Drops file in System32 directory
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1220
          • C:\Windows\SysWOW64\sc.exe
            sc.exe config SharedAccess start= disabled
            5⤵
            • Launches sc.exe
            PID:848
          • C:\Windows\SysWOW64\netsh.exe
            netsh.exe firewall set opmode mode=disable profile=all
            5⤵
            • Modifies Windows Firewall
            PID:1688
      • C:\ProgramData\MalwareBytes0\vmwareuser.exe
        C:\ProgramData\MalwareBytes0\vmwareuser.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\ProgramData\MalwareBytes0\vmwareuser.exe
          C:\ProgramData\MalwareBytes0\vmwareuser.exe
          4⤵
          • Modifies firewall policy service
          • Executes dropped EXE
          • Sets file execution options in registry
          • Drops file in System32 directory
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:1216
          • C:\Windows\SysWOW64\sc.exe
            sc.exe config SharedAccess start= disabled
            5⤵
            • Launches sc.exe
            PID:1208
          • C:\Windows\SysWOW64\netsh.exe
            netsh.exe firewall set opmode mode=disable profile=all
            5⤵
            • Modifies Windows Firewall
            PID:268

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\MalwareBytes0\vmwareuser.exe
    Filesize

    92KB

    MD5

    f2e8f8fe0b4d4d734d5304fd6ef16d47

    SHA1

    c999b38f3c226716e161f8a6b2346d386a6c218b

    SHA256

    38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

    SHA512

    a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

    Download Submit

  • C:\ProgramData\MalwareBytes0\vmwareuser.exe
    Filesize

    92KB

    MD5

    f2e8f8fe0b4d4d734d5304fd6ef16d47

    SHA1

    c999b38f3c226716e161f8a6b2346d386a6c218b

    SHA256

    38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

    SHA512

    a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

    Download Submit

  • C:\ProgramData\MalwareBytes0\vmwareuser.exe
    Filesize

    92KB

    MD5

    f2e8f8fe0b4d4d734d5304fd6ef16d47

    SHA1

    c999b38f3c226716e161f8a6b2346d386a6c218b

    SHA256

    38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

    SHA512

    a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

    Download Submit

  • C:\ProgramData\MalwareBytes0\vmwareuser.exe
    Filesize

    92KB

    MD5

    f2e8f8fe0b4d4d734d5304fd6ef16d47

    SHA1

    c999b38f3c226716e161f8a6b2346d386a6c218b

    SHA256

    38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

    SHA512

    a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

    Download Submit

  • C:\ProgramData\MalwareBytes0\vmwareuser.exe
    Filesize

    92KB

    MD5

    f2e8f8fe0b4d4d734d5304fd6ef16d47

    SHA1

    c999b38f3c226716e161f8a6b2346d386a6c218b

    SHA256

    38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

    SHA512

    a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

    Download Submit

  • C:\ProgramData\MalwareBytes0\vmwareuser.exe
    Filesize

    92KB

    MD5

    f2e8f8fe0b4d4d734d5304fd6ef16d47

    SHA1

    c999b38f3c226716e161f8a6b2346d386a6c218b

    SHA256

    38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

    SHA512

    a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

    Download Submit

  • C:\ProgramData\MalwareBytes0\vmwareuser.exe
    Filesize

    92KB

    MD5

    f2e8f8fe0b4d4d734d5304fd6ef16d47

    SHA1

    c999b38f3c226716e161f8a6b2346d386a6c218b

    SHA256

    38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

    SHA512

    a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

    Download Submit

  • \ProgramData\MalwareBytes0\vmwareuser.exe
    Filesize

    92KB

    MD5

    f2e8f8fe0b4d4d734d5304fd6ef16d47

    SHA1

    c999b38f3c226716e161f8a6b2346d386a6c218b

    SHA256

    38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

    SHA512

    a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

    Download Submit

  • \ProgramData\MalwareBytes0\vmwareuser.exe
    Filesize

    92KB

    MD5

    f2e8f8fe0b4d4d734d5304fd6ef16d47

    SHA1

    c999b38f3c226716e161f8a6b2346d386a6c218b

    SHA256

    38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

    SHA512

    a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

    Download Submit

  • \ProgramData\MalwareBytes0\vmwareuser.exe
    Filesize

    92KB

    MD5

    f2e8f8fe0b4d4d734d5304fd6ef16d47

    SHA1

    c999b38f3c226716e161f8a6b2346d386a6c218b

    SHA256

    38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

    SHA512

    a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

    Download Submit

  • \ProgramData\MalwareBytes0\vmwareuser.exe
    Filesize

    92KB

    MD5

    f2e8f8fe0b4d4d734d5304fd6ef16d47

    SHA1

    c999b38f3c226716e161f8a6b2346d386a6c218b

    SHA256

    38abb6d28cc0ead48ecfd47f0598a3957ec4f4d068b268eaedb8accb97410e4c

    SHA512

    a31f7b4c318bd76a40be273463571c8eeadbd0293393226a8a16cc84ca5ec78e906d5bcc645e62788f8f3c1e1ee7de592ab23f8a0c2f945274839e493e3ed0e6

    Download Submit

  • memory/1084-101-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1084-105-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1084-102-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1216-116-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1220-100-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1788-59-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1788-75-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1788-60-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1788-61-0x0000000075B11000-0x0000000075B13000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1788-56-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download