Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

e0d594c1a6...e6.exe

windows7-x64

7

e0d594c1a6...e6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    42s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 12:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e0d594c1a6642747995745aa4a1cd577417172632befdbe894533430fb045ae6.exe

  • Size

    176KB

  • MD5

    2ecf4a0cb843ef19bbf52adf1e8cff6c

  • SHA1

    7e4b734860db8516b8c3c246a371ee8aab420cea

  • SHA256

    e0d594c1a6642747995745aa4a1cd577417172632befdbe894533430fb045ae6

  • SHA512

    9ec62b125cc3b96f6f154734d97193077a38a6921687857c4d9b571b608e1610d6a5e0f08de4a50540955ee70be3d5928ec8f1df7424bb27206eb258504c4cb2

  • SSDEEP

    3072:y8SBjlnc5OevGSXhuULpKwg2H+a63U57dbiLCNN1dR3:y/B5c5MSXhuU9KwG3UWLCNndZ

Score
7/10
adwarediscoverystealer

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Modifies registry class 60 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0d594c1a6642747995745aa4a1cd577417172632befdbe894533430fb045ae6.exe
    "C:\Users\Admin\AppData\Local\Temp\e0d594c1a6642747995745aa4a1cd577417172632befdbe894533430fb045ae6.exe"
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:736
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\4E2.bat
      2⤵
        PID:904

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\4E2.bat
      Filesize

      294B

      MD5

      a0baa2efdd8779569acd363bba8081ac

      SHA1

      5eead3814ca26f65f62c15b89f8117e6dbd2eedf

      SHA256

      6002fb63acf6a46a8affdb3ee2e0a07402ee5a0b3b1a3d51996ba761d3dbd707

      SHA512

      ab68e2026be9c49bff9f386641e78f6433354b29be982b7f0f5b143aa6fd47c85dc5bc500201b8483b47976af39a9f7a8afd9f0a8361e24710f115fac20573b9

      Download Submit

    • \Program Files (x86)\altcmd\altcmd32.dll
      Filesize

      160KB

      MD5

      968158bf7662cea9e0f5c89b97a81a12

      SHA1

      5eb4903d8cf6448b97c5f5f25e9e89351b53919f

      SHA256

      c3131cdc0d4f9adf633b2e58b05730924f284fc8e51a7bf90151a7a075dc750f

      SHA512

      3962378f0f76b1f4a1846bd957a1eaa10a3222bd8d26e44705845c5f395d2284e7af9045bf379ad23019e4a24a5313a31e5b1f139f80ff20d767dd9febe45744

      Download Submit

    • memory/736-54-0x0000000076201000-0x0000000076203000-memory.dmp

      Filesize

      8KB

      Download