Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

a62d7efd18...82.exe

windows7-x64

10

a62d7efd18...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/12/2022, 09:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe

  • Size

    524KB

  • MD5

    223686ba9a056e632afd6a2204f75bf4

  • SHA1

    fae4073f0f021bb46765fc8690f02d63369455b4

  • SHA256

    a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82

  • SHA512

    93a2196ad6a1c4c2cc4011382e838da145effa45270af695aa6e1bee40c9a2fd1ccc36bfa8a5a9a582ed9377e1bf90af16577c293c18ca30cbf28bfec4966b3d

  • SSDEEP

    12288:m/XJJmzIMQL0sRjDGi5uj/C/OeP9TqdJy4Jt3E:mhJirsRjjkSUdJy4Jt3

Score
10/10
evasionpersistencespywarestealerupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 9 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
    "C:\Users\Admin\AppData\Local\Temp\a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Users\Admin\qr5i4eI0.exe
      C:\Users\Admin\qr5i4eI0.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5044
      • C:\Users\Admin\xuecol.exe
        "C:\Users\Admin\xuecol.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1392
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del qr5i4eI0.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1052
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4916
    • C:\Users\Admin\2hum.exe
      C:\Users\Admin\2hum.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Users\Admin\2hum.exe
        "C:\Users\Admin\2hum.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2164
      • C:\Users\Admin\2hum.exe
        "C:\Users\Admin\2hum.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        PID:1412
      • C:\Users\Admin\2hum.exe
        "C:\Users\Admin\2hum.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4192
      • C:\Users\Admin\2hum.exe
        "C:\Users\Admin\2hum.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:364
    • C:\Users\Admin\3hum.exe
      C:\Users\Admin\3hum.exe
      2⤵
      • Executes dropped EXE
      PID:4180
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 372
        3⤵
        • Program crash
        PID:2280
    • C:\Users\Admin\4hum.exe
      C:\Users\Admin\4hum.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1664
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c tasklist&&del a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:312
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4180 -ip 4180
    1⤵
      PID:4464

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\2hum.exe
      Filesize

      96KB

      MD5

      90d23730203c3fa5dbcb8a068fc28f7c

      SHA1

      d24dd53a400d27984aadc060a7a0ef084cb5a005

      SHA256

      3084caf108ff772dc16ecc24eff4f8dc4b49eb2971b4754c2c38683c17597eb8

      SHA512

      13992ab89bda13b478aceeddad66391e1fd514794d8112001e5f61a76f72efbbf74bbdf8a8b509175d2ae79765febc4d804012a0251d90a1444377b3464e4726

      Download Submit

    • C:\Users\Admin\2hum.exe
      Filesize

      96KB

      MD5

      90d23730203c3fa5dbcb8a068fc28f7c

      SHA1

      d24dd53a400d27984aadc060a7a0ef084cb5a005

      SHA256

      3084caf108ff772dc16ecc24eff4f8dc4b49eb2971b4754c2c38683c17597eb8

      SHA512

      13992ab89bda13b478aceeddad66391e1fd514794d8112001e5f61a76f72efbbf74bbdf8a8b509175d2ae79765febc4d804012a0251d90a1444377b3464e4726

      Download Submit

    • C:\Users\Admin\2hum.exe
      Filesize

      96KB

      MD5

      90d23730203c3fa5dbcb8a068fc28f7c

      SHA1

      d24dd53a400d27984aadc060a7a0ef084cb5a005

      SHA256

      3084caf108ff772dc16ecc24eff4f8dc4b49eb2971b4754c2c38683c17597eb8

      SHA512

      13992ab89bda13b478aceeddad66391e1fd514794d8112001e5f61a76f72efbbf74bbdf8a8b509175d2ae79765febc4d804012a0251d90a1444377b3464e4726

      Download Submit

    • C:\Users\Admin\2hum.exe
      Filesize

      96KB

      MD5

      90d23730203c3fa5dbcb8a068fc28f7c

      SHA1

      d24dd53a400d27984aadc060a7a0ef084cb5a005

      SHA256

      3084caf108ff772dc16ecc24eff4f8dc4b49eb2971b4754c2c38683c17597eb8

      SHA512

      13992ab89bda13b478aceeddad66391e1fd514794d8112001e5f61a76f72efbbf74bbdf8a8b509175d2ae79765febc4d804012a0251d90a1444377b3464e4726

      Download Submit

    • C:\Users\Admin\2hum.exe
      Filesize

      96KB

      MD5

      90d23730203c3fa5dbcb8a068fc28f7c

      SHA1

      d24dd53a400d27984aadc060a7a0ef084cb5a005

      SHA256

      3084caf108ff772dc16ecc24eff4f8dc4b49eb2971b4754c2c38683c17597eb8

      SHA512

      13992ab89bda13b478aceeddad66391e1fd514794d8112001e5f61a76f72efbbf74bbdf8a8b509175d2ae79765febc4d804012a0251d90a1444377b3464e4726

      Download Submit

    • C:\Users\Admin\2hum.exe
      Filesize

      96KB

      MD5

      90d23730203c3fa5dbcb8a068fc28f7c

      SHA1

      d24dd53a400d27984aadc060a7a0ef084cb5a005

      SHA256

      3084caf108ff772dc16ecc24eff4f8dc4b49eb2971b4754c2c38683c17597eb8

      SHA512

      13992ab89bda13b478aceeddad66391e1fd514794d8112001e5f61a76f72efbbf74bbdf8a8b509175d2ae79765febc4d804012a0251d90a1444377b3464e4726

      Download Submit

    • C:\Users\Admin\3hum.exe
      Filesize

      101KB

      MD5

      1e8c6e21a447e947c7dcbeb9ccf79f81

      SHA1

      78998e36435c58e2be3bc3f737d8d0f402d5a576

      SHA256

      40323df252cef85e4dfcb3dd70880b9746d8fffe9599bbd13cf9b98f05f56767

      SHA512

      31bbe15b5864411f0a2ec2d86dc61b3c2f00dd91927b4e17dd0a4d3d44851726dbfd173c5be1038fce581fd961d02245dff9e6b91621fc492c0215d1f310bd55

      Download Submit

    • C:\Users\Admin\3hum.exe
      Filesize

      101KB

      MD5

      1e8c6e21a447e947c7dcbeb9ccf79f81

      SHA1

      78998e36435c58e2be3bc3f737d8d0f402d5a576

      SHA256

      40323df252cef85e4dfcb3dd70880b9746d8fffe9599bbd13cf9b98f05f56767

      SHA512

      31bbe15b5864411f0a2ec2d86dc61b3c2f00dd91927b4e17dd0a4d3d44851726dbfd173c5be1038fce581fd961d02245dff9e6b91621fc492c0215d1f310bd55

      Download Submit

    • C:\Users\Admin\4hum.exe
      Filesize

      212KB

      MD5

      a755f176cd1cc2f7104ae0309bd35a41

      SHA1

      3bcece3625dc7fe38c551a6f25bd61e7c4cbc892

      SHA256

      979d346d7dc8a199449901ab2d96712067bb45fb04fc99f101c4587f683bc640

      SHA512

      268a063286c0392e72fdff1ed4356dfb395b3b2b1126cb8df8db73c39ddb470753a6dc4d4e3bc778c86c8acff886c595879589389b4b520cd22b3cdf9fc68ee0

      Download Submit

    • C:\Users\Admin\4hum.exe
      Filesize

      212KB

      MD5

      a755f176cd1cc2f7104ae0309bd35a41

      SHA1

      3bcece3625dc7fe38c551a6f25bd61e7c4cbc892

      SHA256

      979d346d7dc8a199449901ab2d96712067bb45fb04fc99f101c4587f683bc640

      SHA512

      268a063286c0392e72fdff1ed4356dfb395b3b2b1126cb8df8db73c39ddb470753a6dc4d4e3bc778c86c8acff886c595879589389b4b520cd22b3cdf9fc68ee0

      Download Submit

    • C:\Users\Admin\qr5i4eI0.exe
      Filesize

      328KB

      MD5

      9aae23da87aeef9bb56c08f760442ab2

      SHA1

      b1627a775b2f5d2a72742829326a66e684839268

      SHA256

      77d0d041a643d03bec1ad79f1c7b244599cf653ecf0523061556f6f307c1910f

      SHA512

      13026b26ecc870f9ea513b4129d2548007eb41f7b7af399f50c3ce96d9e6371768fddac7338cbe7209c32f142f4c599eb2ed8409f24ec3b56e76aa5ef241cf73

      Download Submit

    • C:\Users\Admin\qr5i4eI0.exe
      Filesize

      328KB

      MD5

      9aae23da87aeef9bb56c08f760442ab2

      SHA1

      b1627a775b2f5d2a72742829326a66e684839268

      SHA256

      77d0d041a643d03bec1ad79f1c7b244599cf653ecf0523061556f6f307c1910f

      SHA512

      13026b26ecc870f9ea513b4129d2548007eb41f7b7af399f50c3ce96d9e6371768fddac7338cbe7209c32f142f4c599eb2ed8409f24ec3b56e76aa5ef241cf73

      Download Submit

    • C:\Users\Admin\xuecol.exe
      Filesize

      328KB

      MD5

      b5cfe00dc96de5f06acb051866a07689

      SHA1

      f7747b524d9454b4263d0e493a0bc4d94987b3a3

      SHA256

      70cd4e6c38e1e0253865c022c3d83016f5e3b5b355a9204ff57fb5bf6c27bcf2

      SHA512

      8161365e74550889e4e01b0950a61975bbace15ee2becd58067105256848144b18bd9287e18b95f3ed69a765fbaa1cadd4b3479bdb29eb4610bac2d970a4141d

      Download Submit

    • C:\Users\Admin\xuecol.exe
      Filesize

      328KB

      MD5

      b5cfe00dc96de5f06acb051866a07689

      SHA1

      f7747b524d9454b4263d0e493a0bc4d94987b3a3

      SHA256

      70cd4e6c38e1e0253865c022c3d83016f5e3b5b355a9204ff57fb5bf6c27bcf2

      SHA512

      8161365e74550889e4e01b0950a61975bbace15ee2becd58067105256848144b18bd9287e18b95f3ed69a765fbaa1cadd4b3479bdb29eb4610bac2d970a4141d

      Download Submit

    • memory/364-171-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/364-166-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/364-180-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/364-173-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1412-151-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1412-164-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1412-176-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1412-182-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1412-191-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1664-197-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1664-196-0x0000000000590000-0x00000000005CD000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1664-195-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2164-160-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2164-149-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2164-148-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2164-145-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2164-183-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4192-181-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4192-167-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4192-161-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4192-157-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download