Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

55f5bde691...fe.exe

windows7-x64

10

55f5bde691...fe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/12/2022, 00:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe

  • Size

    8.9MB

  • MD5

    684c4fc3683b5123a1ef42f92c6ef64c

  • SHA1

    4f804fc149d0f460c530ce4d2e8017c7d9987e48

  • SHA256

    55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe

  • SHA512

    89e1d627bce754ee75fc85b774f074161b449d3a78bbf1c5506eac8d1173a97b23b0635cae9235fc3b09cfcb69eff3d857b19f3630282951c6bf3833931d74f8

  • SSDEEP

    196608:i7effIPEsy58doQaTzwZ8Jq3QKnqVtxQnKnqVtxQu9OryfEQncryfEQuWCLeybAZ:i7effIPEsy58doQaTzwZ8Jq3QKnqVtxy

Score
10/10
adwarepersistencestealerupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 12 IoCs

    Detects file using ACProtect software.

  • Drops file in Drivers directory 4 IoCs
  • Sets service image path in registry 2 TTPs 3 IoCs
    persistence
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
    "C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3464
    • C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
      C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
      2⤵
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
        C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
        3⤵
        • Enumerates connected drives
        • Suspicious use of WriteProcessMemory
        PID:3588
        • C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
          C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
          4⤵
          • Enumerates connected drives
          PID:3892
      • C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
        C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
        3⤵
        • Drops file in Drivers directory
        • Sets service image path in registry
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        PID:4416
    • C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
      2⤵
      • Installs/modifies Browser Helper Object
      PID:2236
    • C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
      C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4556

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
    Filesize

    1KB

    MD5

    f823836bc01249fd47b713dddd6f685e

    SHA1

    1d245e9117e5d2f65bed102d799df29566cf170d

    SHA256

    d0707cd293f0882fa64318102e1b45e8851339a53b685bff3c0b5d0c30eb5b25

    SHA512

    8dd3b00a6ff667919b5d6813def76506d5247d8d60471503167bfdba7e61e635d0e5c00fec05219923fcd7157f9e3808f2ed66b91956b466c00fc3f8cac3664d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273
    Filesize

    279B

    MD5

    4067aae3423b2b07ca7caab7c9503277

    SHA1

    f427bbad70c869f7e4844cc60e8b6d19719eb44a

    SHA256

    f4aa7ed4c86465f043dcf128992d7337f24733d21a184a3366cffe31be698ebc

    SHA512

    b17655162161ac10e52efc904742d8b090c26552244057c9754a85b8b1ef9442fe3cd103dddc219cad2483299637b1b3c494106d4b5023d08c8652d8e6cfd049

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
    Filesize

    438B

    MD5

    db402511fc45726897d1d187d541c8b2

    SHA1

    386852e2ab93059131f29084360dd8ddb0bf2109

    SHA256

    ea021e77b29df67238355ed47b897c42592c623e5d9e3c5981df3d75241a4571

    SHA512

    1a04fd9d74529c567fc772c727ce276a72d0276e61fb168f3c47dec24181cf99f17043fbdaf3d6ba81f34ec9416b79e4833bc7a22676d3b0f41d2edf7f5a1871

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273
    Filesize

    426B

    MD5

    e66d5109e736cba2069b1578613ddac5

    SHA1

    608809990b62a0a49d0db294c78b5c3a0688cd22

    SHA256

    27aab8d13470eb0877d2826937b7eabc914743c0a0569fce7ba20d6e882522fd

    SHA512

    87100be75501301b68bed903aafb624379f97c9e063d5d8055e20021bfa7bc7a9491e520bd1f28331b5a4e0f19086a5029a7471e6de86806dfaf09eee129a5fe

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\cftmon.exe
    Filesize

    8.9MB

    MD5

    a6ea15cdb8e01348c233fc929b061464

    SHA1

    92d74aebc10e9494e91d22c772ba5f359614102c

    SHA256

    fd6b76276c634e64893642cbb866da83b062f979bbb297c3408ec3a8d9dea30d

    SHA512

    17371718b4c5cb660346b2966fd0e494edbf8241d8bc5e61dc7582296d787ef2a8c5051528d25fce2ace27c0d0b6f040e847386ca60253e4fd163118198fd46b

    Download Submit

  • C:\Users\Admin\ftpdll.dll
    Filesize

    4KB

    MD5

    96717faa9411f7458b6074571a4dc5cb

    SHA1

    22fb28533ccc2a37d06bd9ba914aef86f64def36

    SHA256

    d54f7b2b311c9186623949504695d90279f23dec9222c91f28e8169d9fc92a69

    SHA512

    e37208bf5f2d5ec977f6da4529f264595262bf6c3072c1578803bec5c68c3d9af4cf927d4a651c53ab6535b738bb3a3f79838c6f48da49ef46f84dc8cf45818b

    Download Submit

  • C:\Users\Admin\ftpdll.dll
    Filesize

    5KB

    MD5

    d807aa04480d1d149f7a4cac22984188

    SHA1

    ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

    SHA256

    eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

    SHA512

    875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

    Download Submit

  • C:\Windows\SysWOW64\drivers\spools.exe
    Filesize

    8.9MB

    MD5

    38aa31166b6c835ef01e14803613da3d

    SHA1

    a27899b44f84692d7d492b4408e9f4f4e317e3e8

    SHA256

    3c5d30608a580b2982d9bd6b337ebeec8c0fa86f9c5d1da92e0594fca038d6bc

    SHA512

    51baa63764579810cf47a34a5a2c022b6e7fc94b1e06e01481ac4847f9b9bd33c33337f34ba8476b80213aafcd03524e5ccad77c636318499e491fe6617ec24a

    Download Submit

  • C:\Windows\SysWOW64\ftpdll.dll
    Filesize

    5KB

    MD5

    d807aa04480d1d149f7a4cac22984188

    SHA1

    ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

    SHA256

    eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

    SHA512

    875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

    Download Submit

  • C:\Windows\SysWOW64\ftpdll.dll
    Filesize

    5KB

    MD5

    d807aa04480d1d149f7a4cac22984188

    SHA1

    ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

    SHA256

    eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

    SHA512

    875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

    Download Submit

  • C:\Windows\SysWOW64\ftpdll.dll
    Filesize

    5KB

    MD5

    d807aa04480d1d149f7a4cac22984188

    SHA1

    ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

    SHA256

    eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

    SHA512

    875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

    Download Submit

  • C:\Windows\SysWOW64\ftpdll.dll
    Filesize

    5KB

    MD5

    d807aa04480d1d149f7a4cac22984188

    SHA1

    ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

    SHA256

    eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

    SHA512

    875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

    Download Submit

  • C:\Windows\SysWOW64\ftpdll.dll
    Filesize

    5KB

    MD5

    d807aa04480d1d149f7a4cac22984188

    SHA1

    ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

    SHA256

    eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

    SHA512

    875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

    Download Submit

  • memory/3464-142-0x0000000010000000-0x000000001010B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3464-133-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3464-138-0x0000000010000000-0x000000001010B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3464-140-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3588-143-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3588-165-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3892-168-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3892-156-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4276-135-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4276-157-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4416-155-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4416-166-0x0000000010000000-0x000000001010B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4416-167-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4556-152-0x0000000010000000-0x000000001010B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4556-144-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4556-151-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4556-150-0x0000000010000000-0x000000001010B000-memory.dmp

    Filesize

    1.0MB

    Download