Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

ceaf58ec3f...e7.exe

windows7-x64

8

ceaf58ec3f...e7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    113s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2022, 15:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe

  • Size

    354KB

  • MD5

    1f04108924a073198369170e9ccec248

  • SHA1

    bb3e5f5f565c7ae0f588ea3e4c40b0ffcf91510c

  • SHA256

    ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7

  • SHA512

    a08f36fbfd6ddb8817417c6079fe3e1fdad0272624363b4a3a5f956c595b4398f9f41d802fbd92acb16412418bb732521c1d754f1a608d9ea819798b16e7e851

  • SSDEEP

    3072:7ToHR8L1KwK9f7UgV4qJMEG5qzxb251AEwRnEsScv3qug0z:7TEqL1u9TUgV5Rpzxb2nsnXh

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe
    "C:\Users\Admin\AppData\Local\Temp\ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Users\Admin\AppData\Local\Temp\ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe
      C:\Users\Admin\AppData\Local\Temp\ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7.exe
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Users\Admin\AppData\Roaming\Zihqhp.exe
        "C:\Users\Admin\AppData\Roaming\Zihqhp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\Users\Admin\AppData\Roaming\Zihqhp.exe
          C:\Users\Admin\AppData\Roaming\Zihqhp.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:576
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1772
            • C:\Program Files\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1872
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1872 CREDAT:275457 /prefetch:2
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:692

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7ABX0TD6.txt
    Filesize

    608B

    MD5

    117f4b58323f51e7acd483c6c92be08f

    SHA1

    aeb28de24f885768cd05fbe93d6476ffae2be8ff

    SHA256

    b41e1c24efee9eba829fb88d07de055e01c452e0d2ce2934d24e4423b833de8e

    SHA512

    aa30a2ffb341d1cf821fde399eb392ae9c5db81634e8587b27d3adc98a3ee29dbdfc236ba9c200cedd2a0bcc7262e52cad9d3711a0abc5b80edbb7207ff7342a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Zihqhp.exe
    Filesize

    354KB

    MD5

    1f04108924a073198369170e9ccec248

    SHA1

    bb3e5f5f565c7ae0f588ea3e4c40b0ffcf91510c

    SHA256

    ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7

    SHA512

    a08f36fbfd6ddb8817417c6079fe3e1fdad0272624363b4a3a5f956c595b4398f9f41d802fbd92acb16412418bb732521c1d754f1a608d9ea819798b16e7e851

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Zihqhp.exe
    Filesize

    354KB

    MD5

    1f04108924a073198369170e9ccec248

    SHA1

    bb3e5f5f565c7ae0f588ea3e4c40b0ffcf91510c

    SHA256

    ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7

    SHA512

    a08f36fbfd6ddb8817417c6079fe3e1fdad0272624363b4a3a5f956c595b4398f9f41d802fbd92acb16412418bb732521c1d754f1a608d9ea819798b16e7e851

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Zihqhp.exe
    Filesize

    354KB

    MD5

    1f04108924a073198369170e9ccec248

    SHA1

    bb3e5f5f565c7ae0f588ea3e4c40b0ffcf91510c

    SHA256

    ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7

    SHA512

    a08f36fbfd6ddb8817417c6079fe3e1fdad0272624363b4a3a5f956c595b4398f9f41d802fbd92acb16412418bb732521c1d754f1a608d9ea819798b16e7e851

    Download Submit

  • \Users\Admin\AppData\Roaming\Zihqhp.exe
    Filesize

    354KB

    MD5

    1f04108924a073198369170e9ccec248

    SHA1

    bb3e5f5f565c7ae0f588ea3e4c40b0ffcf91510c

    SHA256

    ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7

    SHA512

    a08f36fbfd6ddb8817417c6079fe3e1fdad0272624363b4a3a5f956c595b4398f9f41d802fbd92acb16412418bb732521c1d754f1a608d9ea819798b16e7e851

    Download Submit

  • \Users\Admin\AppData\Roaming\Zihqhp.exe
    Filesize

    354KB

    MD5

    1f04108924a073198369170e9ccec248

    SHA1

    bb3e5f5f565c7ae0f588ea3e4c40b0ffcf91510c

    SHA256

    ceaf58ec3fe3e00c5de53880b87775843ac5a89d88fa2b6121b500cd97b9e2e7

    SHA512

    a08f36fbfd6ddb8817417c6079fe3e1fdad0272624363b4a3a5f956c595b4398f9f41d802fbd92acb16412418bb732521c1d754f1a608d9ea819798b16e7e851

    Download Submit

  • memory/576-76-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/576-75-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1080-57-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download

  • memory/1168-66-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download

  • memory/1168-72-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download

  • memory/1372-64-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1372-60-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1372-59-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1372-58-0x0000000076B51000-0x0000000076B53000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1372-54-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download