Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

f7aeae3028...00.exe

windows7-x64

10

f7aeae3028...00.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    28s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    04/12/2022, 11:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7aeae30288e4c7ba8a5b569a072a242667ef5406f9050997b3c690871d3a900.exe

  • Size

    20KB

  • MD5

    9096288e39894ed94911e40c9fe36784

  • SHA1

    670631575c12ab63492bd126b5f9377852dc5760

  • SHA256

    f7aeae30288e4c7ba8a5b569a072a242667ef5406f9050997b3c690871d3a900

  • SHA512

    a18d84884c538f9190545d0609fb703e460ef585a57d35cf5e5fd797cf0a348c96a33ee912a6162b142e9727a33fc5da9465f647cef1840671cadb64f1977c9b

  • SSDEEP

    384:vdaoCh/DyUqQG4t/esFLurnIIO/o3IVIzBmCZpadyjNQ+wAtSOv6c7p4N:vko6GFJ4t7ZurnIIO/o4IzoepadyBfj+

Score
10/10
evasiontrojanupx

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Drivers directory 2 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7aeae30288e4c7ba8a5b569a072a242667ef5406f9050997b3c690871d3a900.exe
    "C:\Users\Admin\AppData\Local\Temp\f7aeae30288e4c7ba8a5b569a072a242667ef5406f9050997b3c690871d3a900.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • Modifies registry key
        PID:1300
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d 000000000000000003000000000037e00000540000000000 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d 000000000000000003000000000037e00000540000000000 /f
        3⤵
          PID:1216
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\checkexp.vbs"
        2⤵
        • Drops file in Drivers directory
        • Deletes itself
        • Drops startup file
        PID:272

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\checkexp.vbs
      Filesize

      1KB

      MD5

      9a621b4e12abd6a409fd201a63d45ef8

      SHA1

      47800a3c4688ee3a8aea6a289bd0b41065c8b3e4

      SHA256

      5d32897638bce331d8c441b9bdfb762ad9a6734dd5a230d5b67330cb2537f061

      SHA512

      9e194233af9955a20501c21b25f2e6777530136c0ab5767c7897ce3b545e89300ba6ab28959ccbe76a284033fd15d9ae53fea0158296157e48461c7d0d38a84c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\hlp2
      Filesize

      769B

      MD5

      45954f9078276becd94b3e723803279f

      SHA1

      48fe4b9e46f989e26263e420041f3a9d1a1dfeb7

      SHA256

      86ab20e8a8167fbb13f9fe5456fa9bd7d72315bb342c184d2f38b64aaef102d1

      SHA512

      a1df12ed9975dfe5ec3d1b2e337e8c13f954dd6497541d2b388764036ddfae84f3ab2634996da2ae0c697e8e7728db73a847064ac94575d4c203cde635ad23c5

      Download Submit

    • memory/1928-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1928-55-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1928-61-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download