Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

6fbc1dc92a...8a.exe

windows7-x64

8

6fbc1dc92a...8a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    59s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2022, 18:02 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe

  • Size

    289KB

  • MD5

    795c22ec14d24150443be37fce9fae73

  • SHA1

    cafdddc3fde7ef1bdcbdd6ca067a57ed2a4f8a9b

  • SHA256

    6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a

  • SHA512

    76fee17f95cccad4e8cd9b559bc16f009492d45ae37ba8ed7d715df74dae0f518255effd02e8a907cdc737ae6a76a7f2ff9f4e906b8eebc635afcc0cd3884d89

  • SSDEEP

    3072:iCA3hovBn7VqEizw6RidCLbJWMrwoO7rnN3lnpkAjL6LBVlvMLL3QveQR1:CxovBn7Vq9RidcZQHN1p3yLxMLLeJ

Score
8/10
persistence

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe
    "C:\Users\Admin\AppData\Local\Temp\6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Users\Admin\AppData\Local\dplaysvr.exe
      "C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of UnmapMainImage
      PID:1728
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
    1⤵
      PID:1748

    Network

      No results found
    • 192.166.218.218:80
      6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe
      152 B
       3
    • 192.166.218.218:80
      6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe
      152 B
       3
    No results found

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\30E1.tmp
      Filesize

      120KB

      MD5

      c6bd4c97401be0242c9ddcd5d5da1a91

      SHA1

      fb8f74ab4a3f6ab512c32c0ce0f9f6542867230d

      SHA256

      09e5dd5201d60a47d519ea7b9857e88fe135af3f764667b69edded809c93b2ae

      SHA512

      bd23e74bfc795ff3d11cfabe0cd7111467c8458310409729dcf1798dd1431829927648900f4ab5d1013675f7750e8762ae3fc6deb81fddf644c8a3e089104152

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\30E2.tmp
      Filesize

      45KB

      MD5

      505a7c309518b834d684c40c2b5a674b

      SHA1

      1756d0ad98525c4289dcbd6284c37b8147316fad

      SHA256

      1819b9fccf0cfe6de0110186d63e25e9209c47478f4cb04bf7ccd63d39145332

      SHA512

      d5c17bc2e1add8d309e26b621d1dc01633fae0c16c2536d25d3a20f15198743386bd929f40896fa8fef3b149b0f1d3a9bfe30eefc853deb6172415432143fb93

      Download Submit

    • C:\Users\Admin\AppData\Local\dplaysvr.exe
      Filesize

      120KB

      MD5

      c6bd4c97401be0242c9ddcd5d5da1a91

      SHA1

      fb8f74ab4a3f6ab512c32c0ce0f9f6542867230d

      SHA256

      09e5dd5201d60a47d519ea7b9857e88fe135af3f764667b69edded809c93b2ae

      SHA512

      bd23e74bfc795ff3d11cfabe0cd7111467c8458310409729dcf1798dd1431829927648900f4ab5d1013675f7750e8762ae3fc6deb81fddf644c8a3e089104152

      Download Submit

    • C:\Users\Admin\AppData\Local\dplaysvr.exe
      Filesize

      120KB

      MD5

      c6bd4c97401be0242c9ddcd5d5da1a91

      SHA1

      fb8f74ab4a3f6ab512c32c0ce0f9f6542867230d

      SHA256

      09e5dd5201d60a47d519ea7b9857e88fe135af3f764667b69edded809c93b2ae

      SHA512

      bd23e74bfc795ff3d11cfabe0cd7111467c8458310409729dcf1798dd1431829927648900f4ab5d1013675f7750e8762ae3fc6deb81fddf644c8a3e089104152

      Download Submit

    • C:\Users\Admin\AppData\Local\dplayx.dll
      Filesize

      45KB

      MD5

      505a7c309518b834d684c40c2b5a674b

      SHA1

      1756d0ad98525c4289dcbd6284c37b8147316fad

      SHA256

      1819b9fccf0cfe6de0110186d63e25e9209c47478f4cb04bf7ccd63d39145332

      SHA512

      d5c17bc2e1add8d309e26b621d1dc01633fae0c16c2536d25d3a20f15198743386bd929f40896fa8fef3b149b0f1d3a9bfe30eefc853deb6172415432143fb93

      Download Submit

    • \Users\Admin\AppData\Local\dplaysvr.exe
      Filesize

      120KB

      MD5

      c6bd4c97401be0242c9ddcd5d5da1a91

      SHA1

      fb8f74ab4a3f6ab512c32c0ce0f9f6542867230d

      SHA256

      09e5dd5201d60a47d519ea7b9857e88fe135af3f764667b69edded809c93b2ae

      SHA512

      bd23e74bfc795ff3d11cfabe0cd7111467c8458310409729dcf1798dd1431829927648900f4ab5d1013675f7750e8762ae3fc6deb81fddf644c8a3e089104152

      Download Submit

    • \Users\Admin\AppData\Local\dplayx.dll
      Filesize

      45KB

      MD5

      505a7c309518b834d684c40c2b5a674b

      SHA1

      1756d0ad98525c4289dcbd6284c37b8147316fad

      SHA256

      1819b9fccf0cfe6de0110186d63e25e9209c47478f4cb04bf7ccd63d39145332

      SHA512

      d5c17bc2e1add8d309e26b621d1dc01633fae0c16c2536d25d3a20f15198743386bd929f40896fa8fef3b149b0f1d3a9bfe30eefc853deb6172415432143fb93

      Download Submit

    • memory/856-61-0x0000000000330000-0x000000000037B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/856-70-0x0000000000400000-0x000000000044B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/856-77-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/856-63-0x0000000000400000-0x000000000044B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/856-60-0x0000000000270000-0x00000000002A2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/856-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1728-68-0x00000000005D0000-0x00000000005F0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1728-69-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1728-71-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1728-67-0x00000000005B0000-0x00000000005C1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1728-73-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1728-75-0x00000000006B0000-0x00000000006C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1728-74-0x00000000006A0000-0x00000000006A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1728-76-0x00000000006E0000-0x00000000006E8000-memory.dmp

      Filesize

      32KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.