Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

393c6465eb...e2.exe

windows7-x64

8

393c6465eb...e2.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    171s
  • max time network
    193s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/11/2022, 23:19 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    393c6465eb89e45946368c282c09b4f5b9ec05da804769f301e850c312f43be2.exe

  • Size

    448KB

  • MD5

    43ba3d2e1957f7115ecfe75547119f28

  • SHA1

    cfe31320142a3a0fcc000511ca0a9b79376fa1f9

  • SHA256

    393c6465eb89e45946368c282c09b4f5b9ec05da804769f301e850c312f43be2

  • SHA512

    fc44bf6509998775c2caa164422d7977156015117c6ab7022b1d40e27e7606e395d10c431f5d9fdc2c31905fa9e487c5645c76d646b59b6e7a018eb9503fd5af

  • SSDEEP

    6144:uZgzwDoKxS+xxKP5sTyP3x/YPvIfSSf64My+rFkzFucT+IfBPnjYwBLM8Ljr3Ane:tLkWP3x/gYSsoZkzFu6tp0jcjr3

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\393c6465eb89e45946368c282c09b4f5b9ec05da804769f301e850c312f43be2.exe
    "C:\Users\Admin\AppData\Local\Temp\393c6465eb89e45946368c282c09b4f5b9ec05da804769f301e850c312f43be2.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 668
      2⤵
      • Program crash
      PID:4788
    • C:\ProgramData\eP01805LcAbJ01805\eP01805LcAbJ01805.exe
      "C:\ProgramData\eP01805LcAbJ01805\eP01805LcAbJ01805.exe" "C:\Users\Admin\AppData\Local\Temp\393c6465eb89e45946368c282c09b4f5b9ec05da804769f301e850c312f43be2.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4672
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 668
        3⤵
        • Program crash
        PID:1304
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2520 -ip 2520
    1⤵
      PID:2196
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4672 -ip 4672
      1⤵
        PID:1348

      Network

      • flag-unknown
        DNS
        164.2.77.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        164.2.77.40.in-addr.arpa
        IN PTR
        Response
      • flag-unknown
        DNS
        7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa
        Remote address:
        8.8.8.8:53
        Request
        7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa
        IN PTR
        Response
      • 93.184.221.240:80
        52 B
         1
      • 40.79.197.34:443
        322 B
         7
      • 104.80.225.205:443
        322 B
         7
      • 86.55.210.118:80
        eP01805LcAbJ01805.exe
        260 B
         5
      • 93.184.221.240:80
        322 B
         7
      • 93.184.221.240:80
        260 B
         5
      • 8.8.8.8:53
        164.2.77.40.in-addr.arpa
        dns
        70 B
         144 B
         1
        1

        DNS Request

        164.2.77.40.in-addr.arpa

      • 8.8.8.8:53
        7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa
        dns
        118 B
         204 B
         1
        1

        DNS Request

        7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\eP01805LcAbJ01805\eP01805LcAbJ01805.exe
        Filesize

        448KB

        MD5

        2598cb8d99974e86455405f5d62a77de

        SHA1

        cf33cb2468eaa067bf8f7d67f0abbc51a80c0a43

        SHA256

        521af44ca9f08e57378e5be1df5a4006b82648fb36c22e7e13f1a853233006c6

        SHA512

        8e165951cbd4f32ed2063d61073c9c6aac53fc7e0a577fdcc6a3546fd577c1086bd6d93efd358577cc5b561d92d68be65a161915e895ee5850131e7bc90b9dcf

        Download Submit

      • C:\ProgramData\eP01805LcAbJ01805\eP01805LcAbJ01805.exe
        Filesize

        448KB

        MD5

        2598cb8d99974e86455405f5d62a77de

        SHA1

        cf33cb2468eaa067bf8f7d67f0abbc51a80c0a43

        SHA256

        521af44ca9f08e57378e5be1df5a4006b82648fb36c22e7e13f1a853233006c6

        SHA512

        8e165951cbd4f32ed2063d61073c9c6aac53fc7e0a577fdcc6a3546fd577c1086bd6d93efd358577cc5b561d92d68be65a161915e895ee5850131e7bc90b9dcf

        Download Submit

      • memory/2520-132-0x0000000000400000-0x00000000004F2000-memory.dmp

        Filesize

        968KB

        Download

      • memory/2520-136-0x0000000000400000-0x00000000004F2000-memory.dmp

        Filesize

        968KB

        Download

      • memory/4672-137-0x0000000000400000-0x00000000004F2000-memory.dmp

        Filesize

        968KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.