Analysis

  • max time kernel
    153s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/12/2022, 10:29 UTC

General

  • Target

    893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe

  • Size

    22.5MB

  • MD5

    c125715cc082fe693f5efa39912837bb

  • SHA1

    873369200aa459b19dfe0e1f825db7fcd4ec99f6

  • SHA256

    893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a

  • SHA512

    7978d8d18081fef9745919701e8070d5c27289498c9ea4efe69fc2d1bb1dd2283a201b81dee2cb4331aa9e67a0be082296664d015643422ee6af90627fafb8e3

  • SSDEEP

    49152:Ycy52F1BTTWAXv7XnOMj5e1K7x6494Vlc2GXvJTijowTMfbGK:YcTbnw1K7x6i4Vlc2shU2bd

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 32 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe
    "C:\Users\Admin\AppData\Local\Temp\893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\g86C37\AdeptTck_setup.exe
      C:\Users\Admin\AppData\Local\Temp\g86C37\AdeptTck_setup.exe
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:100
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2120

    Network

    • flag-unknown
      DNS
      151.122.125.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      151.122.125.40.in-addr.arpa
      IN PTR
      Response
    • flag-unknown
      DNS
      7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa
      Remote address:
      8.8.8.8:53
      Request
      7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa
      IN PTR
      Response
    • 104.18.11.207:443
      tls
      138 B
      183 B
      3
      3
    • 93.184.221.240:80
      322 B
      7
    • 93.184.221.240:80
      322 B
      7
    • 20.190.160.17:443
      260 B
      5
    • 20.190.160.17:443
      260 B
      5
    • 20.190.160.17:443
      260 B
      5
    • 20.190.160.17:443
      260 B
      5
    • 52.182.143.208:443
      322 B
      7
    • 93.184.221.240:80
      260 B
      5
    • 104.80.224.44:443
      tls
      92 B
      111 B
      2
      2
    • 104.80.224.44:443
      tls
      92 B
      111 B
      2
      2
    • 104.109.143.75:80
      46 B
      40 B
      1
      1
    • 93.184.221.240:80
      260 B
      5
    • 93.184.221.240:80
      322 B
      7
    • 93.184.221.240:80
      322 B
      7
    • 40.126.32.134:443
      260 B
      5
    • 40.126.32.134:443
      260 B
      5
    • 8.8.8.8:53
      151.122.125.40.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      151.122.125.40.in-addr.arpa

    • 8.8.8.8:53
      7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa
      dns
      118 B
      204 B
      1
      1

      DNS Request

      7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\g86C37\AdeptTck_setup.exe

      Filesize

      718KB

      MD5

      d0aa4e89e9c93b31af211348059139ba

      SHA1

      f04d2ecb6eaff92c751d6acae38735370c2f7b3c

      SHA256

      016891ffdbfee6cc5f7695eaf66ce066bed45f78e3642fd19213837567f94e39

      SHA512

      39d584cd6d501fdf70881fe2c8a385d11c4f7f98bd85fdc6445a4f6bb45f7c09f910619e9e24507181633e77870a6e839a38627a8e81123db2ba4647798c6617

    • memory/100-135-0x0000000000400000-0x000000000064D000-memory.dmp

      Filesize

      2.3MB

    • memory/100-137-0x0000000000400000-0x000000000064D000-memory.dmp

      Filesize

      2.3MB
