Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

2ad0fca635...09.exe

windows7-x64

10

2ad0fca635...09.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26/11/2022, 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe

  • Size

    292KB

  • MD5

    2bec47844b2158b8971395794301e712

  • SHA1

    85e9fe6a3118fa5bf352fef7ecf8b711a45a3968

  • SHA256

    2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809

  • SHA512

    e0d492b85856f4a7e675fe30fbc223573dd214e12dd7b043ac84f10098477181ae59f04aa44a389159f39c91820268e02dc9d4a79910846d0da92241023c277a

  • SSDEEP

    6144:UwcYntNJbzX8qhqEIJHqvzRb8zCgoniL2L0U1wer6:UwcYLJ///IJydbXqU1Bm

Score
10/10
imminentpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe
    "C:\Users\Admin\AppData\Local\Temp\2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1508
    • \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe
      "c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2032
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs"
        3⤵
        • Adds Run key to start application
        PID:928

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs
    Filesize

    219B

    MD5

    b559ac384267491c0796d801b39e4979

    SHA1

    6762fd6ee2849c743dfd2e3d6743b3f26bc32b9d

    SHA256

    85f64caab11088c4fa85d0caebc9086178eeef9e322be7034311cf466430302e

    SHA512

    292df546edec7225fca39816d4171924ced925ca00d316d7694ecfb00a2cb4d81315493e2af759121795413a5e0116abcd11b5003e332fec3a5dcf40fc24de7e

    Download Submit

  • memory/1508-55-0x00000000741F0000-0x000000007479B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1508-73-0x00000000741F0000-0x000000007479B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1508-54-0x0000000075451000-0x0000000075453000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2032-59-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2032-64-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2032-66-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2032-68-0x00000000741F0000-0x000000007479B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2032-61-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2032-60-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2032-57-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2032-56-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2032-75-0x00000000741F0000-0x000000007479B000-memory.dmp

    Filesize

    5.7MB

    Download