Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

684f2b0f01...09.exe

windows7-x64

6

684f2b0f01...09.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 13:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    684f2b0f0154b876eb43841cb3a35ce25e319d85d826d688c12b0ffaa81c3609.exe

  • Size

    137KB

  • MD5

    1eae5e7b0aa7d7d7bf08b9bdaddddac0

  • SHA1

    632e70ddd185f3198473ff706a569a4e2c6ddc79

  • SHA256

    684f2b0f0154b876eb43841cb3a35ce25e319d85d826d688c12b0ffaa81c3609

  • SHA512

    bebec15aa16c7fc21cc7d75731f97fb79591b8258e331f7643739e9af860dc1d93b08ef07e60c402a75c6efa6f5e0c747ae31111f7e2314c2c55e994e388e5b8

  • SSDEEP

    3072:VEsUqjkvgA+rROXqDvZ4e/hCL3CQ9vnkuOfpYoizXKv6tF/JQEgUlW:5pjqgAvsR4e5CL3C+vdOfppIXKSNrpU

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\684f2b0f0154b876eb43841cb3a35ce25e319d85d826d688c12b0ffaa81c3609.exe
    "C:\Users\Admin\AppData\Local\Temp\684f2b0f0154b876eb43841cb3a35ce25e319d85d826d688c12b0ffaa81c3609.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Users\Admin\AppData\Local\Temp\684f2b0f0154b876eb43841cb3a35ce25e319d85d826d688c12b0ffaa81c3609.exe
      "C:\Users\Admin\AppData\Local\Temp\684f2b0f0154b876eb43841cb3a35ce25e319d85d826d688c12b0ffaa81c3609.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5048
        • C:\Windows\SysWOW64\mspaint.exe
          "C:\Windows\system32\mspaint.exe"
          4⤵
          • Adds Run key to start application
          • Enumerates connected drives
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4932
      • C:\Users\Admin\AppData\Local\Temp\684f2b0f0154b876eb43841cb3a35ce25e319d85d826d688c12b0ffaa81c3609.exe
        "C:\Users\Admin\AppData\Local\Temp\684f2b0f0154b876eb43841cb3a35ce25e319d85d826d688c12b0ffaa81c3609.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3324
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1452
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2420
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1580
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
      PID:4220

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      2e02780939de763a8bb3e91dfbf21980

      SHA1

      47e818dcbc1d307b43654dfe3a03b9a7625d9ce4

      SHA256

      971abb405a443302f8c61627933bd0f46ed6953f5815e298974e6f7532908748

      SHA512

      51709ae31e885719d848f619c4b3e732b0765a5349484f7c4ca524072a6b0d75f33d3f6c015a0ed4fd188a43d5cc9e0d221d1d7cca5a31a044b73fcbcebbe5fd

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      434B

      MD5

      729c0b2b6e6a7730fea9ecf2ddb65d2c

      SHA1

      16925e8c55ffdc5f5cee0874f01ab91b89837e0d

      SHA256

      f5de025757754ce8b3196f8cef8ce4bc832cb9e2ed521c3a7e17b8d667ecf54f

      SHA512

      41fb8fb62ec4e06a27817bfe8eec857755baaaa45594bd985fdaf20b81fa69d4b5adde08318eaf97ec576a9bb89abd681ad920fbddaad0a7c0909b9886da6b87

      Download Submit

    • memory/1092-136-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/1092-132-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/3324-145-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/3324-147-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/3324-140-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/3324-142-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/4500-137-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4500-146-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4500-134-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4932-149-0x0000000003C10000-0x0000000003C5E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/4932-150-0x0000000003C10000-0x0000000003C5E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/5048-144-0x0000000000DA0000-0x0000000000DC1000-memory.dmp

      Filesize

      132KB

      Download

    • memory/5048-148-0x0000000003240000-0x000000000328E000-memory.dmp

      Filesize

      312KB

      Download