Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

73c230f147...bf.exe

windows7-x64

8

73c230f147...bf.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24/11/2022, 04:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exe

  • Size

    255KB

  • MD5

    82a6a151fcb82c69cd78890ea7e7d547

  • SHA1

    99d8243705172092dac4584c67b3b81753b7bde6

  • SHA256

    73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf

  • SHA512

    995b170bc39c763215257b8b41e10024a11dc7ff493b76eb1986e6a90a056eef5721c7c3a5a0ee0bc164de627219e4d2387086185ed4c95a4733ea77e8d52605

  • SSDEEP

    6144:7UnITMpSph0lMqqgWoDhujqcQQbxJhVGvkVbOcH4CIMf:7CQMY07qgWo6VVGvkVLAK

Score
8/10
persistenceupx

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exe
    "C:\Users\Admin\AppData\Local\Temp\73c230f1470311dd493b8be2c1196632d701c1a8c3ce6e759b902bb6ca7684bf.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Modifies registry class
        PID:2004
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1896
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x5b0
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1948

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat
    Filesize

    95KB

    MD5

    c5ab6a89bbd88cf4e2ecaddcde4c7ae1

    SHA1

    e4f980ddfb41c48aed1a91b0ae0a7d28ef38a5be

    SHA256

    92c5fc9cb87d67023f26746f1e1e032f4a54c9af17349c5ae2cc8a8c0a99cfde

    SHA512

    00e1fad76495345332b5f0d8c0a501e8a4dbbeb8dd5e3635a1e9553c350d52109a46bbb8b2190fff28e9df10c2c19ad59987b7e8dd8e9c3cc3f8b58af980b00d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SogouPinyin.local
    Filesize

    89B

    MD5

    82647f94f00552bc201584d835036bca

    SHA1

    e3b5719dc39a0d524cd9f63d22e1de0a4985f987

    SHA256

    4d010eb53c6d31934b2328def4b428cd71cd57f21f8099b5790b475557048ca4

    SHA512

    81e47408abd5154b287e8796ae25a5196a25d2cc645cb0a3dc31c5d99a9f59786c5829c138e71167f9e51e5db4a05be02ca6451d98343e5bee24341e74359cfa

    Download Submit

  • \Users\Admin\AppData\Roaming\Carefree\plugin.dat
    Filesize

    95KB

    MD5

    c5ab6a89bbd88cf4e2ecaddcde4c7ae1

    SHA1

    e4f980ddfb41c48aed1a91b0ae0a7d28ef38a5be

    SHA256

    92c5fc9cb87d67023f26746f1e1e032f4a54c9af17349c5ae2cc8a8c0a99cfde

    SHA512

    00e1fad76495345332b5f0d8c0a501e8a4dbbeb8dd5e3635a1e9553c350d52109a46bbb8b2190fff28e9df10c2c19ad59987b7e8dd8e9c3cc3f8b58af980b00d

    Download Submit

  • \Users\Admin\AppData\Roaming\Carefree\plugin.dat
    Filesize

    95KB

    MD5

    c5ab6a89bbd88cf4e2ecaddcde4c7ae1

    SHA1

    e4f980ddfb41c48aed1a91b0ae0a7d28ef38a5be

    SHA256

    92c5fc9cb87d67023f26746f1e1e032f4a54c9af17349c5ae2cc8a8c0a99cfde

    SHA512

    00e1fad76495345332b5f0d8c0a501e8a4dbbeb8dd5e3635a1e9553c350d52109a46bbb8b2190fff28e9df10c2c19ad59987b7e8dd8e9c3cc3f8b58af980b00d

    Download Submit

  • \Users\Admin\AppData\Roaming\Carefree\plugin.dat
    Filesize

    95KB

    MD5

    c5ab6a89bbd88cf4e2ecaddcde4c7ae1

    SHA1

    e4f980ddfb41c48aed1a91b0ae0a7d28ef38a5be

    SHA256

    92c5fc9cb87d67023f26746f1e1e032f4a54c9af17349c5ae2cc8a8c0a99cfde

    SHA512

    00e1fad76495345332b5f0d8c0a501e8a4dbbeb8dd5e3635a1e9553c350d52109a46bbb8b2190fff28e9df10c2c19ad59987b7e8dd8e9c3cc3f8b58af980b00d

    Download Submit

  • memory/1236-54-0x0000000076941000-0x0000000076943000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1896-62-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1896-65-0x000007FEFC310000-0x000007FEFC37D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/1896-66-0x000007FEFC310000-0x000007FEFC37D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/1896-67-0x0000000002810000-0x0000000002820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2004-60-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

    Filesize

    8KB

    Download