Analysis

  • max time kernel
    90s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/12/2022, 06:04

General

  • Target

    e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe

  • Size

    569KB

  • MD5

    7fd9af1c1a854f847f2ffe95458dcfd9

  • SHA1

    7c8b78682ab85ee6a2e2800485d6889560490cc7

  • SHA256

    e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d

  • SHA512

    c53eeacad56a512bdc55f92a463b6d8f5858cdd900027b5ef250b9af64e1f36ec91f888d74dbd0245058cea7dc646e6c074315d3f71ad4eaefda8c7fd5c180d6

  • SSDEEP

    12288:f3nZMhJ+ubN8pqZP9keT9hbdotzjnzrrm837L+R/4YjunOL0vyqqaw:f3nZqfb+pqZVkeT9hbmzPmHtvun8ww

Score
8/10

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (4 IoCs)
  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (2 IoCs)
  • Drops desktop.ini file(s) (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings (1 TTP, 4 IoCs)
  • Modifies registry class (10 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe
    "C:\Users\Admin\AppData\Local\Temp\e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Users\Admin\AppData\Local\Temp\wina.exe
      "C:\Users\Admin\AppData\Local\Temp\wina.exe" -papapa
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1340
      • C:\Users\Admin\AppData\Local\Temp\svghost.exe
        "C:\Users\Admin\AppData\Local\Temp\svghost.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        PID:4376
    • C:\Users\Admin\AppData\Local\Temp\Tibia.exe
      "C:\Users\Admin\AppData\Local\Temp\Tibia.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Users\Admin\AppData\Local\Temp\updater.exe
        "C:\Users\Admin\AppData\Local\Temp\updater.exe" 0;0;1104;2300
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1732
  • C:\Windows\System32\GameBarPresenceWriter.exe
    "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
    1⤵
      PID:1520
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3776
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3792
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
      1⤵
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Modifies registry class
      PID:4232

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Tibia.exe

      Filesize

      343KB

      MD5

      4ff5f5486f49137cf5919acf6dd6a99b

      SHA1

      aa3b3c6ba4e3ae5f064c41224a5f13ab19196eab

      SHA256

      f7814fd9fa75c0468cd16ffe356a24c352b5539897e3789c09d5139a8bf3d8d1

      SHA512

      b246886aa1aaa3f18171f8d0d91de655673228cbc1ae63415b4da611e8db0b8e8f93e8c63e0c0f80768e0fef6b330d8fa7136737a1f52066f2f2f8a5a2ef2522

    • C:\Users\Admin\AppData\Local\Temp\svghost.exe

      Filesize

      501KB

      MD5

      a252c588ae7c5ef6c86be590c86a9c8e

      SHA1

      232bfa074deeea0d1435e42abbf5b57e75eb7e12

      SHA256

      1ff274c6278f14fd8baf282c148f3ee22a0de50810bd1f74a8163a5b2b927983

      SHA512

      619f40c7d5f985574c46d43d83f50d3d6e64dcba048812f9c3e32d52a4afd37d60524ef921b9cea9c4109ef904300fb1a776fe1239a2fadac26fdc712406371e

    • C:\Users\Admin\AppData\Local\Temp\updater.exe

      Filesize

      88KB

      MD5

      b2424fda6bec648a48263784e27722de

      SHA1

      4fb66ac21edd9b3243c36ce2f2c32cb7270e007b

      SHA256

      ba0d15bec9e42159c9675eabea6a8ef068906fb324b6716f54345a87f81a1731

      SHA512

      8b86f8c9b372b94c66185ffd94ca2e5ad66be576afba2327814a10fd131bd1e38f4bab92459570023328264b9faf687292e04ff37e25ef2d3d76b09fac8bee30

    • C:\Users\Admin\AppData\Local\Temp\wina.exe

      Filesize

      220KB

      MD5

      dc693b8d851d7474685d27767e9944d2

      SHA1

      6858885841bd97337984f0179fd0e7437a39db97

      SHA256

      0f69b4596c396fe700e33eb19900f718e65cb3e449f9c9e5f04d63067359107d

      SHA512

      afb93f3bd6e8b30e4c22868381295325c239dbc830191f389f7c31df1fefade599b78cd4cf44cbc099500bd73fc2343fac7ae1a4469e7510fc0fa59d6ce52ad7

    • memory/1732-147-0x00007FFD3FD30000-0x00007FFD40766000-memory.dmp

      Filesize

      10.2MB

    • memory/2300-138-0x00007FFD3FD30000-0x00007FFD40766000-memory.dmp

      Filesize

      10.2MB

    • memory/2300-143-0x000000000178A000-0x000000000178F000-memory.dmp

      Filesize

      20KB

    • memory/2300-148-0x000000000178A000-0x000000000178F000-memory.dmp

      Filesize

      20KB