Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

7729834d91...3a.exe

windows7-x64

8

7729834d91...3a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    194s
  • max time network
    201s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2022, 07:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe

  • Size

    330KB

  • MD5

    761b9f2aaa41445d70d4fb7faba5f3b0

  • SHA1

    0fcbaa8fd4b46df396b41b2273f53e75df46d513

  • SHA256

    7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a

  • SHA512

    cdc6e44e2164d0d0d0adc0ea894a66d50e560928ef90452e49298f0248e301ec65aa120d5d3f60599d8f11c22504f65c4b45a083aab8d76c2369bf4c3262d075

  • SSDEEP

    6144:+xzllL7TuevSlo3TdKQtK6f1g+GcG8DCqabJaqvAz:+5llLdvSl+tK60ctCq4Yz

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3408
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:3344
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        1⤵
          PID:3252
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
          1⤵
            PID:1388
          • C:\Windows\system32\backgroundTaskHost.exe
            "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
            1⤵
              PID:4908
            • C:\Windows\system32\backgroundTaskHost.exe
              "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
              1⤵
                PID:456
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                  PID:4668
                • C:\Windows\System32\RuntimeBroker.exe
                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                  1⤵
                    PID:3692
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                      PID:3504
                    • C:\Windows\Explorer.EXE
                      C:\Windows\Explorer.EXE
                      1⤵
                        PID:2584
                        • C:\Users\Admin\AppData\Local\Temp\7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe
                          "C:\Users\Admin\AppData\Local\Temp\7729834d91e0d9d8f6d8b6f002a7471987a4b63ec3a2c1956b6e6794365e1b3a.exe"
                          2⤵
                          • Suspicious use of SetThreadContext
                          • Suspicious use of WriteProcessMemory
                          PID:2864
                          • C:\Users\Admin\AppData\Roaming\Xeliqy\ubfu.exe
                            "C:\Users\Admin\AppData\Roaming\Xeliqy\ubfu.exe"
                            3⤵
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of WriteProcessMemory
                            PID:5112
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc1fef58f.bat"
                            3⤵
                              PID:4480
                        • C:\Windows\system32\taskhostw.exe
                          taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                          1⤵
                            PID:2868
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                            1⤵
                              PID:2788
                            • C:\Windows\system32\sihost.exe
                              sihost.exe
                              1⤵
                                PID:2760
                              • C:\Windows\System32\RuntimeBroker.exe
                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                1⤵
                                  PID:4192
                                • C:\Windows\system32\backgroundTaskHost.exe
                                  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                  1⤵
                                    PID:4248
                                  • C:\Windows\system32\BackgroundTransferHost.exe
                                    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                    1⤵
                                      PID:648
                                    • C:\Windows\system32\backgroundTaskHost.exe
                                      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                      1⤵
                                        PID:3524
                                      • C:\Windows\system32\BackgroundTransferHost.exe
                                        "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                        1⤵
                                          PID:5100
                                        • C:\Windows\system32\BackgroundTransferHost.exe
                                          "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                          1⤵
                                            PID:3128
                                          • C:\Windows\system32\backgroundTaskHost.exe
                                            "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                            1⤵
                                              PID:1368

                                            Network

                                            MITRE ATT&CK Enterprise v6

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Temp\tmpc1fef58f.bat
                                              Filesize

                                              307B

                                              MD5

                                              29f883f865d1bd8b4f2a9b8d4b975441

                                              SHA1

                                              db508a0523ba71e8a02ec424fa56fabf0cb017fe

                                              SHA256

                                              3890c051c5a5cf83fe77606f9596b1a3121fe90c8512d45d3542e798aafea6ce

                                              SHA512

                                              48f6dd141b7c8d4e3f1303e9ecd36d6dc5439ed2c26983d9858ea24a436b0cbd47e3f62a6246b1372ae3124f7b9bc6081e6df76106f3e20b9e714c5ff2558e83

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Xeliqy\ubfu.exe
                                              Filesize

                                              330KB

                                              MD5

                                              a8d4849b58256b6588cc7e494f11c7a3

                                              SHA1

                                              ab679c3bd5f1774b70fa17c6997c40e284e7d297

                                              SHA256

                                              fedc77095f2cac395661c6399a22a1bd7a9daed0b59ea478f32c384131224758

                                              SHA512

                                              5abe9416d04fa854f4b76f79fa99ab533e4244e85207cc664c7d42c00c452225ddb0233d1c33c9bd9948926de4f4c67d477f92b64ffcf4ceb8fefac60cfb79d7

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Xeliqy\ubfu.exe
                                              Filesize

                                              330KB

                                              MD5

                                              a8d4849b58256b6588cc7e494f11c7a3

                                              SHA1

                                              ab679c3bd5f1774b70fa17c6997c40e284e7d297

                                              SHA256

                                              fedc77095f2cac395661c6399a22a1bd7a9daed0b59ea478f32c384131224758

                                              SHA512

                                              5abe9416d04fa854f4b76f79fa99ab533e4244e85207cc664c7d42c00c452225ddb0233d1c33c9bd9948926de4f4c67d477f92b64ffcf4ceb8fefac60cfb79d7

                                              Download Submit

                                            • memory/2864-135-0x0000000000400000-0x0000000000447000-memory.dmp

                                              Filesize

                                              284KB

                                              Download

                                            • memory/2864-148-0x00000000021D0000-0x0000000002217000-memory.dmp

                                              Filesize

                                              284KB

                                              Download

                                            • memory/2864-134-0x0000000000400000-0x0000000000447000-memory.dmp

                                              Filesize

                                              284KB

                                              Download

                                            • memory/2864-133-0x0000000000400000-0x0000000000457000-memory.dmp

                                              Filesize

                                              348KB

                                              Download

                                            • memory/2864-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/2864-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/2864-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/2864-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/2864-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/2864-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/2864-147-0x0000000000400000-0x0000000000447000-memory.dmp

                                              Filesize

                                              284KB

                                              Download

                                            • memory/2864-132-0x00000000020E0000-0x0000000002127000-memory.dmp

                                              Filesize

                                              284KB

                                              Download

                                            • memory/4480-146-0x00000000003B0000-0x00000000003F7000-memory.dmp

                                              Filesize

                                              284KB

                                              Download

                                            • memory/4480-155-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4480-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4480-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4480-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4480-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4480-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4480-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/4480-157-0x00000000003B0000-0x00000000003F7000-memory.dmp

                                              Filesize

                                              284KB

                                              Download

                                            • memory/5112-158-0x0000000001F90000-0x0000000001FD7000-memory.dmp

                                              Filesize

                                              284KB

                                              Download

                                            • memory/5112-159-0x0000000000400000-0x0000000000457000-memory.dmp

                                              Filesize

                                              348KB

                                              Download

                                            • memory/5112-160-0x0000000000400000-0x0000000000457000-memory.dmp

                                              Filesize

                                              348KB

                                              Download