Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26/11/2022, 07:24

General

  • Target

    c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe

  • Size

    221KB

  • MD5

    596750f8bc7c1b8d15e2ed18995cb167

  • SHA1

    a3adcd5f65d303a566206696ab4b02150a9ecc97

  • SHA256

    c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9

  • SHA512

    72f3ffde1db036fbdf1cbfabc5d7dd84f284f1607f60b9e8756be4106217a8cf1db003e3dbf86f9a593dea6f36f8c130eccfe662ef43514e64d327dd3ed282fb

  • SSDEEP

    6144:pwHys8jsO3Mor+1MfgdCVtoAmNS3MECTphNDv3:SqsOTrEouCVtoq8ECTphN/

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe
    "C:\Users\Admin\AppData\Local\Temp\c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Users\Admin\AppData\Local\Temp\c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe
      "C:\Users\Admin\AppData\Local\Temp\c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe"
      2⤵
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2576

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsqFCB5.tmp\figurant.dll

    Filesize

    21KB

    MD5

    8c31c49be6cbaeebcbf9704bb2ac9829

    SHA1

    8fb33105b56c1aa8f52ab661b8af14df8f2b3bd3

    SHA256

    966569e692689d1c809168820db467d10d0cd53a70ac25969e2cd5221c99dec5

    SHA512

    a39333d1d801eafe00abc406f6e08942dc6f32ab4a3c2368d3648cae28856786e20ae5f8769a04c40ef561d5c6c7f4eb0e70fd5124136113e595c47532be81bf

  • memory/2576-140-0x0000000001110000-0x0000000001115000-memory.dmp

    Filesize

    20KB

  • memory/2576-139-0x0000000000710000-0x0000000000B43000-memory.dmp

    Filesize

    4.2MB

  • memory/2576-141-0x0000000003020000-0x0000000003470000-memory.dmp

    Filesize

    4.3MB

  • memory/2800-134-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/2800-136-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/2800-138-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB