Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

8

238e286a3b...cd.exe

windows7-x64

8

238e286a3b...cd.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    122s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 08:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe

  • Size

    393KB

  • MD5

    53fb4a3b26d43ad7192f374452eacb7d

  • SHA1

    031853042d0b205117be47c6d92cc580c6b56ce7

  • SHA256

    238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd

  • SHA512

    f20683d2395a8c06bf1fcf69eaa8016f5d3a878b04128181526c5a6da7d45fb52ea898d2aecf4daa0c5fa56bf69c5515b8ee4f3c12744fbd78f9510d3579a458

  • SSDEEP

    6144:ZBgh/58KGip9lmh0UwwDdxtPw13OyhFR8uHC+4VL6eHn3ttqPgJog:ZBMmKGnhDT+JlCLRueH3rz

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe
    "C:\Users\Admin\AppData\Local\Temp\238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Users\Admin\AppData\Local\Temp\238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe
      "C:\Users\Admin\AppData\Local\Temp\238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe"
      2⤵
        PID:4652
      • C:\Windows\system\svchost.exe
        C:\Windows\system\svchost.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Enumerates connected drives
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:220
        • C:\Windows\system\svchost.exe
          "C:\Windows\system\svchost.exe"
          3⤵
          • Executes dropped EXE
          PID:1996
      • C:\Windows\system\svchost.exe
        C:\Windows\system\svchost.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Enumerates connected drives
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4228
        • C:\Windows\system\svchost.exe
          "C:\Windows\system\svchost.exe"
          3⤵
          • Executes dropped EXE
          PID:1260

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\System\svchost.exe
      Filesize

      393KB

      MD5

      53fb4a3b26d43ad7192f374452eacb7d

      SHA1

      031853042d0b205117be47c6d92cc580c6b56ce7

      SHA256

      238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd

      SHA512

      f20683d2395a8c06bf1fcf69eaa8016f5d3a878b04128181526c5a6da7d45fb52ea898d2aecf4daa0c5fa56bf69c5515b8ee4f3c12744fbd78f9510d3579a458

      Download Submit

    • C:\Windows\System\svchost.exe
      Filesize

      393KB

      MD5

      53fb4a3b26d43ad7192f374452eacb7d

      SHA1

      031853042d0b205117be47c6d92cc580c6b56ce7

      SHA256

      238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd

      SHA512

      f20683d2395a8c06bf1fcf69eaa8016f5d3a878b04128181526c5a6da7d45fb52ea898d2aecf4daa0c5fa56bf69c5515b8ee4f3c12744fbd78f9510d3579a458

      Download Submit

    • C:\Windows\System\svchost.exe
      Filesize

      393KB

      MD5

      53fb4a3b26d43ad7192f374452eacb7d

      SHA1

      031853042d0b205117be47c6d92cc580c6b56ce7

      SHA256

      238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd

      SHA512

      f20683d2395a8c06bf1fcf69eaa8016f5d3a878b04128181526c5a6da7d45fb52ea898d2aecf4daa0c5fa56bf69c5515b8ee4f3c12744fbd78f9510d3579a458

      Download Submit

    • C:\Windows\System\svchost.exe
      Filesize

      393KB

      MD5

      53fb4a3b26d43ad7192f374452eacb7d

      SHA1

      031853042d0b205117be47c6d92cc580c6b56ce7

      SHA256

      238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd

      SHA512

      f20683d2395a8c06bf1fcf69eaa8016f5d3a878b04128181526c5a6da7d45fb52ea898d2aecf4daa0c5fa56bf69c5515b8ee4f3c12744fbd78f9510d3579a458

      Download Submit

    • C:\Windows\system\svchost.exe
      Filesize

      393KB

      MD5

      53fb4a3b26d43ad7192f374452eacb7d

      SHA1

      031853042d0b205117be47c6d92cc580c6b56ce7

      SHA256

      238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd

      SHA512

      f20683d2395a8c06bf1fcf69eaa8016f5d3a878b04128181526c5a6da7d45fb52ea898d2aecf4daa0c5fa56bf69c5515b8ee4f3c12744fbd78f9510d3579a458

      Download Submit

    • memory/220-159-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/220-153-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/1996-158-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1996-151-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4228-154-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/4228-157-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/4652-136-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4652-155-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4652-156-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4652-134-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4956-144-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/4956-132-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/4956-137-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download