Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

07adf47c0c...bd.exe

windows7-x64

8

07adf47c0c...bd.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    199s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 06:16 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe

  • Size

    655KB

  • MD5

    50bce9ba70d6529eb7a26ede8d584950

  • SHA1

    3929bc52d33e6182b6f6e99e83949ea84987d1c0

  • SHA256

    07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd

  • SHA512

    ab25cc25fdb4ae227b16278138842b8616cf61e7fe4c72614afcb48f77bfe61ea547b564e25987d8a7896a9968b14909f60d46095d5446594a21504a862db858

  • SSDEEP

    1536:1BQZjlDtdDkM0ncL79l1wUEkWLj3uWHmdmLoys5IJ+I7KyALeoIk0lYUTPj68:eJtdYEf9REkwjjSQs5IUI7GCoI/lLn

Score
8/10
discoveryevasionpersistencetrojanupx

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe
    "C:\Users\Admin\AppData\Local\Temp\07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe"
    1⤵
    • Adds policy Run key to start application
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\secprocz.exe
      C:\Windows\SysWOW64\secprocz.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5052
    • C:\Windows\SysWOW64\cmd.exe
      /c C:\Users\Admin\AppData\Local\Temp\~unins3101.bat "C:\Users\Admin\AppData\Local\Temp\07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe"
      2⤵
        PID:176

    Network

    • flag-unknown
      DNS
      fasternation.net
      07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe
      Remote address:
      8.8.8.8:53
      Request
      fasternation.net
      IN A
      Response
    • flag-unknown
      DNS
      fasternation.net
      07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe
      Remote address:
      8.8.8.8:53
      Request
      fasternation.net
      IN A
      Response
    • flag-unknown
      DNS
      fasternation.net
      07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe
      Remote address:
      8.8.8.8:53
      Request
      fasternation.net
      IN A
      Response
    • flag-unknown
      DNS
      fasternation.net
      07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe
      Remote address:
      8.8.8.8:53
      Request
      fasternation.net
      IN A
      Response
    • flag-unknown
      DNS
      www.sanctionedmedia.com
      secprocz.exe
      Remote address:
      8.8.8.8:53
      Request
      www.sanctionedmedia.com
      IN A
      Response
      www.sanctionedmedia.com
      IN A
      204.11.56.37
    • flag-unknown
      DNS
      96.108.152.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      96.108.152.52.in-addr.arpa
      IN PTR
      Response
    • flag-unknown
      DNS
      d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
      Remote address:
      8.8.8.8:53
      Request
      d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
      IN PTR
      Response
    • 84.53.175.11:80
      46 B
       40 B
       1
      1
    • 52.168.117.169:443
      322 B
       7
    • 104.80.225.205:443
      322 B
       7
    • 178.79.208.1:80
      322 B
       7
    • 178.79.208.1:80
      322 B
       7
    • 178.79.208.1:80
      322 B
       7
    • 209.197.3.8:80
      322 B
       7
    • 20.54.89.15:443
      260 B
       5
    • 204.11.56.37:80
      www.sanctionedmedia.com
      secprocz.exe
      260 B
       5
    • 8.8.8.8:53
      fasternation.net
      dns
      07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe
      62 B
       135 B
       1
      1

      DNS Request

      fasternation.net

    • 8.8.8.8:53
      fasternation.net
      dns
      07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe
      62 B
       135 B
       1
      1

      DNS Request

      fasternation.net

    • 8.8.8.8:53
      fasternation.net
      dns
      07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe
      62 B
       135 B
       1
      1

      DNS Request

      fasternation.net

    • 8.8.8.8:53
      fasternation.net
      dns
      07adf47c0c7a35ecfd5e51555f6b66ae7a4d794f88548c43e09a81cae961a8bd.exe
      62 B
       135 B
       1
      1

      DNS Request

      fasternation.net

    • 8.8.8.8:53
      www.sanctionedmedia.com
      dns
      secprocz.exe
      69 B
       85 B
       1
      1

      DNS Request

      www.sanctionedmedia.com

      DNS Response

      204.11.56.37

    • 8.8.8.8:53
      96.108.152.52.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      96.108.152.52.in-addr.arpa

    • 8.8.8.8:53
      d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
      dns
      118 B
       204 B
       1
      1

      DNS Request

      d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\~unins3101.bat
      Filesize

      49B

      MD5

      9e0a2f5ab30517809b95a1ff1dd98c53

      SHA1

      5c1eefdf10e67d1e9216e2e3f5e92352d583c9ce

      SHA256

      97ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32

      SHA512

      e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42

      Download Submit

    • C:\Windows\SysWOW64\secprocz.exe
      Filesize

      173KB

      MD5

      57d736c7e8f4fc9c8d57939586d72373

      SHA1

      1fd48b939b0f3d6912fc587c919047347e2bec8e

      SHA256

      bc820e092cca77b13f1536fb744297e0988f91d366d08a0ed8da96e958523db8

      SHA512

      95fd7bac7a43cdc63c7879fd4355cccbe601beeff23b0597c14b2782ae0d6bfcf200a78521b6c032d2a8c7333347267ab33ad21e4c27298fb83871e071738dd4

      Download Submit

    • C:\Windows\SysWOW64\secprocz.exe
      Filesize

      173KB

      MD5

      57d736c7e8f4fc9c8d57939586d72373

      SHA1

      1fd48b939b0f3d6912fc587c919047347e2bec8e

      SHA256

      bc820e092cca77b13f1536fb744297e0988f91d366d08a0ed8da96e958523db8

      SHA512

      95fd7bac7a43cdc63c7879fd4355cccbe601beeff23b0597c14b2782ae0d6bfcf200a78521b6c032d2a8c7333347267ab33ad21e4c27298fb83871e071738dd4

      Download Submit

    • memory/2148-137-0x0000000000650000-0x00000000006F9000-memory.dmp

      Filesize

      676KB

      Download

    • memory/2148-139-0x00000000006B2000-0x00000000006F8000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2148-140-0x0000000000651000-0x00000000006B2000-memory.dmp

      Filesize

      388KB

      Download

    • memory/2148-141-0x0000000000030000-0x0000000000040000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2148-142-0x0000000000651000-0x00000000006B2000-memory.dmp

      Filesize

      388KB

      Download

    • memory/2148-132-0x0000000000030000-0x0000000000040000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2148-138-0x0000000000650000-0x00000000006F9000-memory.dmp

      Filesize

      676KB

      Download

    • memory/2148-134-0x0000000000650000-0x00000000006F9000-memory.dmp

      Filesize

      676KB

      Download

    • memory/2148-133-0x0000000000580000-0x00000000005C7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2148-150-0x0000000000651000-0x00000000006B2000-memory.dmp

      Filesize

      388KB

      Download

    • memory/5052-148-0x0000000073800000-0x0000000073DB1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/5052-149-0x0000000073800000-0x0000000073DB1000-memory.dmp

      Filesize

      5.7MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.