Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/12/2022, 20:51

General

  • Target

    8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe

  • Size

    519KB

  • MD5

    5d25fac49860ba271904ab1bf7b3a3e9

  • SHA1

    8fae1aa5a01b39252b713a3364925d5430d6e56a

  • SHA256

    8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88

  • SHA512

    e71b73168d6d0a568c12c48c9e2cc56e267ce2dd3b3572393db02a56de582957ef34290501c4abda5bbf1acd3f59071ba885e747cd547bfaebc87ae4e4c9cb3d

  • SSDEEP

    12288:pHuy6uI17ZFaRfXR9TD2pLh7QH0wJ0X2ppGqvplz+cjvWBjYoS:tOR+XR9TD2pL1QH22pIqpl+o

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe
    "C:\Users\Admin\AppData\Local\Temp\8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\ITNZa.EXE
      "C:\ITNZa.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1352
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSrZV.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1076
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "cgs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cge\crgen.exe" /f
        3⤵
        • Adds Run key to start application
        PID:948
    • C:\Users\Admin\AppData\Roaming\cge\crgen.exe
      "C:\Users\Admin\AppData\Roaming\cge\crgen.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Users\Admin\AppData\Roaming\cge\crgen.exe
        C:\Users\Admin\AppData\Roaming\cge\crgen.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1368
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:564
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2008
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\cge\crgen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cge\crgen.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1320
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\cge\crgen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cge\crgen.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:1768
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:936
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:1752
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\crgen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\crgen.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1980
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\crgen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\crgen.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:1848
      • C:\Users\Admin\AppData\Roaming\cge\crgen.exe
        C:\Users\Admin\AppData\Roaming\cge\crgen.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1364

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ITNZa.EXE

    Filesize

    70KB

    MD5

    0433471d11abf320dbf44ac874b47596

    SHA1

    a647632a352ab64a51772da91364f3ae0cbb5369

    SHA256

    8a9640b6b83a32a6ad8247bfa155e4885edcd59ce3cead8bcf189667a48826f2

    SHA512

    84afd9cca3120dd0cceca08e7012ad7a54e5b8a65e8468a8104f5c3a9d1a9cd6ff289a396ffdbfc731dfc2af50501e12b49e23757f6eb39cf005af0831d84657

  • C:\Users\Admin\AppData\Local\Temp\HSrZV.bat

    Filesize

    132B

    MD5

    868bec696e993871ab22e39997b9a211

    SHA1

    89cba2b6d5867f08b605b08f90ac11d87ff1e042

    SHA256

    52101e8b6b1f463e825430d299b5dfdd6235ada62df93c2c30154a166cf09693

    SHA512

    a2a91cf48bea9a95d47e6811c05934980c7cbaa72610be0093eee9ba1a35b2513547577c12ef58bddb887f3dfc013bad5824e3169ebe2780f2ccb223175cee1d

  • C:\Users\Admin\AppData\Roaming\cge\crgen.exe

    Filesize

    519KB

    MD5

    5d25fac49860ba271904ab1bf7b3a3e9

    SHA1

    8fae1aa5a01b39252b713a3364925d5430d6e56a

    SHA256

    8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88

    SHA512

    e71b73168d6d0a568c12c48c9e2cc56e267ce2dd3b3572393db02a56de582957ef34290501c4abda5bbf1acd3f59071ba885e747cd547bfaebc87ae4e4c9cb3d

  • \Users\Admin\AppData\Roaming\cge\crgen.exe

    Filesize

    519KB

    MD5

    5d25fac49860ba271904ab1bf7b3a3e9

    SHA1

    8fae1aa5a01b39252b713a3364925d5430d6e56a

    SHA256

    8e13a6108622b66fca1518674d19629562220a02f5405a9ba081c77b5f407a88

    SHA512

    e71b73168d6d0a568c12c48c9e2cc56e267ce2dd3b3572393db02a56de582957ef34290501c4abda5bbf1acd3f59071ba885e747cd547bfaebc87ae4e4c9cb3d


  • memory/640-94-0x0000000000400000-0x0000000000A68000-memory.dmp

    Filesize

    6.4MB

  • memory/1352-65-0x0000000000400000-0x0000000000431000-memory.dmp

    Filesize

    196KB

  • memory/1364-85-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/1364-99-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/1364-91-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/1364-93-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/1368-80-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1368-89-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1368-84-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1368-110-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1368-98-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1552-62-0x00000000031E0000-0x0000000003211000-memory.dmp

    Filesize

    196KB

  • memory/1552-63-0x00000000031F0000-0x0000000003221000-memory.dmp

    Filesize

    196KB

  • memory/1552-56-0x0000000000400000-0x0000000000A68000-memory.dmp

    Filesize

    6.4MB

  • memory/1552-64-0x00000000031F0000-0x0000000003221000-memory.dmp

    Filesize

    196KB

  • memory/1552-76-0x0000000000400000-0x0000000000A68000-memory.dmp

    Filesize

    6.4MB

  • memory/1552-57-0x0000000075681000-0x0000000075683000-memory.dmp

    Filesize

    8KB

  • memory/1552-61-0x00000000031E0000-0x0000000003211000-memory.dmp

    Filesize

    196KB