Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

c36b1547ba...2c.exe

windows7-x64

10

c36b1547ba...2c.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    141s
  • max time network
    193s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 18:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe

  • Size

    154KB

  • MD5

    582b5d008b33aec694043c3e5c47f421

  • SHA1

    166c22d5f5dde4b5021b5001927fd03bf73cc63e

  • SHA256

    c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c

  • SHA512

    ddddd2bdb95ec4c9da09c52423b7038b27670815f7ec989d20fa462d10c9631df18bd7250a5ebdcd85b0cda4d2698b641ae29bc0d2da58cd7c65b9b364c46971

  • SSDEEP

    3072:D0uILepp/gZx2DMVI2X5db4T0pMEqEWx7LAqRfwqtqz34Epfbz1L2S1:uep2Z2+5dsaMEqEWx78IfwI0bzRz

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies security service 2 TTPs 10 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Unexpected DNS network traffic destination 18 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Modifies security service
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:464
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1376
    • C:\Users\Admin\AppData\Local\Temp\c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe
      "C:\Users\Admin\AppData\Local\Temp\c36b1547ba41e9fa854455d809d394c5b46a3512324d0733c083cf2843f9ea2c.exe"
      2⤵
      • Registers COM server for autorun
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        PID:1276

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-18\$f6ae883d87b28e9233b2e7745dda3830\@
    Filesize

    2KB

    MD5

    a02e18d5a85fa8d7b0402f4e46d230df

    SHA1

    923f5df24f66ed1f04069e13cba0deec03f6c2be

    SHA256

    54ebaa7e809d5921b7a2e6478b4a58e39aeb13db17373af1d6594968c9569cf4

    SHA512

    1f5a4c6a21957c91b0a0f68547ac31892273bad789255712bd1c5ece7b10ed57aca60fe7e5d9cf209127e7562d7494fe6242c2ed575dd1840733b35d0c501de1

    Download Submit

  • C:\$Recycle.Bin\S-1-5-18\$f6ae883d87b28e9233b2e7745dda3830\n
    Filesize

    25KB

    MD5

    031f24073b43717e018ba0c5f62cb0c2

    SHA1

    504008e17d774bdfd3996ce8cf521277ca620ca9

    SHA256

    9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

    SHA512

    c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

    Download Submit

  • C:\$Recycle.Bin\S-1-5-21-3385717845-2518323428-350143044-1000\$f6ae883d87b28e9233b2e7745dda3830\n
    Filesize

    25KB

    MD5

    031f24073b43717e018ba0c5f62cb0c2

    SHA1

    504008e17d774bdfd3996ce8cf521277ca620ca9

    SHA256

    9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

    SHA512

    c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

    Download Submit

  • \$Recycle.Bin\S-1-5-18\$f6ae883d87b28e9233b2e7745dda3830\n
    Filesize

    25KB

    MD5

    031f24073b43717e018ba0c5f62cb0c2

    SHA1

    504008e17d774bdfd3996ce8cf521277ca620ca9

    SHA256

    9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

    SHA512

    c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

    Download Submit

  • \$Recycle.Bin\S-1-5-21-3385717845-2518323428-350143044-1000\$f6ae883d87b28e9233b2e7745dda3830\n
    Filesize

    25KB

    MD5

    031f24073b43717e018ba0c5f62cb0c2

    SHA1

    504008e17d774bdfd3996ce8cf521277ca620ca9

    SHA256

    9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

    SHA512

    c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

    Download Submit

  • memory/1788-56-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1788-57-0x000000000062D000-0x000000000064C000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1788-61-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1788-62-0x000000000062D000-0x000000000064C000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1788-64-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1788-65-0x000000000062D000-0x000000000064C000-memory.dmp

    Filesize

    124KB

    Download