Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

990101a369...48.exe

windows7-x64

10

990101a369...48.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 00:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe

  • Size

    304KB

  • MD5

    09d48a33e0e06906e5d2491e9ade278f

  • SHA1

    dacc469daf0fb9f12c9f2f1e37a82df76be45fb8

  • SHA256

    990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48

  • SHA512

    b13d85779d805f77c4f71844db9525b65ed865b91b0bb11ba94ea52cb2f76578eda2df6245af8ece8a9c6c559cca096fb7a581b54f757ceabb087ed48549c01d

  • SSDEEP

    6144:ePFLTSg57PY2EaRp7zyCftZejPNeqeeEvLwdSH5nABQh:ePFL+a7PdzRp7zyCTesVjCB

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 8 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe
    "C:\Users\Admin\AppData\Local\Temp\990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\83aorzpk.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11AF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC11AE.tmp"
        3⤵
          PID:544
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        2⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:676
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1496
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            4⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:1152
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:572
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            4⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:304
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskhosts.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskhosts.exe:*:Enabled:Windows Messanger" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1196
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskhosts.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskhosts.exe:*:Enabled:Windows Messanger" /f
            4⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:1016
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1316
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
            4⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:1040

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\83aorzpk.dll
      Filesize

      9KB

      MD5

      9e3bd976b63f3a7803c648a53c133c13

      SHA1

      0dfdc75b97b9e4f34736bdb44d683d44a297d52c

      SHA256

      10510ec45d5da02929f951fd0c55424800f1e3a9e11ec1f60d84f28d359e3314

      SHA512

      80f524c5222f389b07b7dfb95d693a170f97d6d10250c64dbbaaa3cdc9343f765de0357d769308a5023cb75059925262046727c78d8297afea4fbd3c67922134

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES11AF.tmp
      Filesize

      1KB

      MD5

      e794d378aa6c9811bc925992b5959b83

      SHA1

      5a08ffa11d167e511438d4ac63121d1695c77069

      SHA256

      13457aad9ca4dac339c7ce608ee84bae0d896a34c70d6f198a7289b9a6eedf3e

      SHA512

      382123a360d239786a736acf2f6f963372badbae93ff203ffcff03d0993a1a86edae00ae3afc65be5dd31f660ce3fb1fd09170edd29446d2621e9d9525718b4e

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\83aorzpk.0.cs
      Filesize

      7KB

      MD5

      c79c02b8be614ba0ad11b9a2deac9067

      SHA1

      5338181abf8d8436df240ec8bfe8699ed40eac83

      SHA256

      aeb41fe4117e42c32d7c61fe9caa02f2ec937418a3ffb6ee64b5a8309e0d7b78

      SHA512

      4b0efe655b237185454a41c79c1b5cd9b8e80cfa36f7abb8a5d63629f400bb73d58f196584ec5421a8b2e6608b9c00d44514ada9651bcf19aea8ba4cce5b4a4e

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\83aorzpk.cmdline
      Filesize

      187B

      MD5

      cb1a9edd96ed89033e154392bd8eedb1

      SHA1

      2b6d1b1f4fb8ebaf1d2a5ae4f9a375dfa9fe0c47

      SHA256

      b17b3c38e3b78c35ecaeb9ea3e5bfbae41a45fa375d34c6beb679dbed9cf618e

      SHA512

      65679e8dd7113b53aa64180c334592c148d2900f39749b7dfc7b3adfd03ac3d1e1a5ec7ad159eb0b40cb16bd31b9569c4726ea1245c5037abf4ff1007aab3f10

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC11AE.tmp
      Filesize

      652B

      MD5

      53bc42b3a07af9068dcc1a6a517612aa

      SHA1

      e89666479cb9512ddc903cd6255b48c3c5211096

      SHA256

      73dbdf31f46bf3342a4a00e44f37d39ce7addbace7b32f54dda7540a53e80bf9

      SHA512

      fb8693e109aaaafd0e14fc2474522c72ab3563d32e34e655ae6717fea21d8bc2b750ac9a6ce014e7f7dd8242b98fef37c6c3f387de9869f7b9fb61fcb70f5e62

      Download Submit

    • memory/676-62-0x0000000000400000-0x000000000047B000-memory.dmp

      Filesize

      492KB

      Download

    • memory/676-66-0x0000000000400000-0x000000000047B000-memory.dmp

      Filesize

      492KB

      Download

    • memory/676-65-0x0000000000400000-0x000000000047B000-memory.dmp

      Filesize

      492KB

      Download

    • memory/676-86-0x0000000000400000-0x000000000047B000-memory.dmp

      Filesize

      492KB

      Download

    • memory/676-69-0x0000000000400000-0x000000000047B000-memory.dmp

      Filesize

      492KB

      Download

    • memory/676-84-0x0000000000400000-0x000000000047B000-memory.dmp

      Filesize

      492KB

      Download

    • memory/676-71-0x0000000000400000-0x000000000047B000-memory.dmp

      Filesize

      492KB

      Download

    • memory/676-63-0x0000000000400000-0x000000000047B000-memory.dmp

      Filesize

      492KB

      Download

    • memory/2024-70-0x0000000074E10000-0x00000000753BB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2024-85-0x0000000074E10000-0x00000000753BB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2024-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

      Filesize

      8KB

      Download