Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

e5f5ca11bc...41.exe

windows7-x64

8

e5f5ca11bc...41.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    170s
  • max time network
    508s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 19:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e5f5ca11bc1b9933c77af6229c4deaa74c9e259f2fffe20cd9b1f17dff603641.exe

  • Size

    375KB

  • MD5

    58f15794b6cb886072b48d5f7adcbe5d

  • SHA1

    7dc06fe444373e306abd9d08cb5259ee5534318f

  • SHA256

    e5f5ca11bc1b9933c77af6229c4deaa74c9e259f2fffe20cd9b1f17dff603641

  • SHA512

    d296641d8408c61a010b4d17d1dd8920cca3530175de1be7a05ca24f1b8fedb6a464016d8d7b87390afe17cdf08bbb6c57c4c8a81176161265ad834fd341bd21

  • SSDEEP

    6144:i3TqoIetsvlJ4DGBdu2YpJ3qOe4yufYspgrGQVUAt5OCHmQRGRCnpGj:elI88z4yBU/3qO5yx1rGrAt5OCHjgC0j

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 7 IoCs
  • Modifies Installed Components in the registry 2 TTPs 10 IoCs
    persistence
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 24 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 32 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5f5ca11bc1b9933c77af6229c4deaa74c9e259f2fffe20cd9b1f17dff603641.exe
    "C:\Users\Admin\AppData\Local\Temp\e5f5ca11bc1b9933c77af6229c4deaa74c9e259f2fffe20cd9b1f17dff603641.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      2⤵
        PID:3340
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        2⤵
          PID:2028
        • C:\Users\Admin\AppData\Local\Temp\e5f5ca11bc1b9933c77af6229c4deaa74c9e259f2fffe20cd9b1f17dff603641.exe
          C:\Users\Admin\AppData\Local\Temp\e5f5ca11bc1b9933c77af6229c4deaa74c9e259f2fffe20cd9b1f17dff603641.exe
          2⤵
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4232
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            3⤵
            • Modifies Installed Components in the registry
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:2880
            • C:\Windows\InstallDir\Dehew.exe
              "C:\Windows\InstallDir\Dehew.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1280
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                5⤵
                  PID:3368
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                  5⤵
                    PID:2372
                  • C:\Windows\InstallDir\Dehew.exe
                    C:\Windows\InstallDir\Dehew.exe
                    5⤵
                    • Executes dropped EXE
                    • Modifies Installed Components in the registry
                    • Adds Run key to start application
                    • Drops file in Windows directory
                    • Checks SCSI registry key(s)
                    • Suspicious use of SetWindowsHookEx
                    PID:4100
                • C:\Windows\InstallDir\Dehew.exe
                  "C:\Windows\InstallDir\Dehew.exe"
                  4⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:3456
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                    5⤵
                      PID:1812
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                      5⤵
                        PID:4556
                      • C:\Windows\InstallDir\Dehew.exe
                        C:\Windows\InstallDir\Dehew.exe
                        5⤵
                        • Executes dropped EXE
                        • Modifies Installed Components in the registry
                        • Adds Run key to start application
                        • Drops file in Windows directory
                        • Checks SCSI registry key(s)
                        • Suspicious use of SetWindowsHookEx
                        PID:2656
                    • C:\Windows\InstallDir\Dehew.exe
                      "C:\Windows\InstallDir\Dehew.exe"
                      4⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4112
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                        5⤵
                          PID:3552
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                          5⤵
                            PID:2112
                          • C:\Windows\InstallDir\Dehew.exe
                            C:\Windows\InstallDir\Dehew.exe
                            5⤵
                            • Executes dropped EXE
                            • Modifies Installed Components in the registry
                            • Adds Run key to start application
                            • Drops file in Windows directory
                            • Checks SCSI registry key(s)
                            • Suspicious use of SetWindowsHookEx
                            PID:1916
                        • C:\Windows\InstallDir\Dehew.exe
                          "C:\Windows\InstallDir\Dehew.exe"
                          4⤵
                          • Executes dropped EXE
                          PID:2660
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                            5⤵
                              PID:4620

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Roaming\InstallDir\Dehew.exe
                      Filesize

                      375KB

                      MD5

                      58f15794b6cb886072b48d5f7adcbe5d

                      SHA1

                      7dc06fe444373e306abd9d08cb5259ee5534318f

                      SHA256

                      e5f5ca11bc1b9933c77af6229c4deaa74c9e259f2fffe20cd9b1f17dff603641

                      SHA512

                      d296641d8408c61a010b4d17d1dd8920cca3530175de1be7a05ca24f1b8fedb6a464016d8d7b87390afe17cdf08bbb6c57c4c8a81176161265ad834fd341bd21

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\InstallDir\Dehew.exe
                      Filesize

                      375KB

                      MD5

                      58f15794b6cb886072b48d5f7adcbe5d

                      SHA1

                      7dc06fe444373e306abd9d08cb5259ee5534318f

                      SHA256

                      e5f5ca11bc1b9933c77af6229c4deaa74c9e259f2fffe20cd9b1f17dff603641

                      SHA512

                      d296641d8408c61a010b4d17d1dd8920cca3530175de1be7a05ca24f1b8fedb6a464016d8d7b87390afe17cdf08bbb6c57c4c8a81176161265ad834fd341bd21

                      Download Submit

                    • C:\Windows\InstallDir\Dehew.exe
                      Filesize

                      375KB

                      MD5

                      58f15794b6cb886072b48d5f7adcbe5d

                      SHA1

                      7dc06fe444373e306abd9d08cb5259ee5534318f

                      SHA256

                      e5f5ca11bc1b9933c77af6229c4deaa74c9e259f2fffe20cd9b1f17dff603641

                      SHA512

                      d296641d8408c61a010b4d17d1dd8920cca3530175de1be7a05ca24f1b8fedb6a464016d8d7b87390afe17cdf08bbb6c57c4c8a81176161265ad834fd341bd21

                      Download Submit

                    • C:\Windows\InstallDir\Dehew.exe
                      Filesize

                      375KB

                      MD5

                      58f15794b6cb886072b48d5f7adcbe5d

                      SHA1

                      7dc06fe444373e306abd9d08cb5259ee5534318f

                      SHA256

                      e5f5ca11bc1b9933c77af6229c4deaa74c9e259f2fffe20cd9b1f17dff603641

                      SHA512

                      d296641d8408c61a010b4d17d1dd8920cca3530175de1be7a05ca24f1b8fedb6a464016d8d7b87390afe17cdf08bbb6c57c4c8a81176161265ad834fd341bd21

                      Download Submit

                    • C:\Windows\InstallDir\Dehew.exe
                      Filesize

                      375KB

                      MD5

                      58f15794b6cb886072b48d5f7adcbe5d

                      SHA1

                      7dc06fe444373e306abd9d08cb5259ee5534318f

                      SHA256

                      e5f5ca11bc1b9933c77af6229c4deaa74c9e259f2fffe20cd9b1f17dff603641

                      SHA512

                      d296641d8408c61a010b4d17d1dd8920cca3530175de1be7a05ca24f1b8fedb6a464016d8d7b87390afe17cdf08bbb6c57c4c8a81176161265ad834fd341bd21

                      Download Submit

                    • C:\Windows\InstallDir\Dehew.exe
                      Filesize

                      375KB

                      MD5

                      58f15794b6cb886072b48d5f7adcbe5d

                      SHA1

                      7dc06fe444373e306abd9d08cb5259ee5534318f

                      SHA256

                      e5f5ca11bc1b9933c77af6229c4deaa74c9e259f2fffe20cd9b1f17dff603641

                      SHA512

                      d296641d8408c61a010b4d17d1dd8920cca3530175de1be7a05ca24f1b8fedb6a464016d8d7b87390afe17cdf08bbb6c57c4c8a81176161265ad834fd341bd21

                      Download Submit

                    • C:\Windows\InstallDir\Dehew.exe
                      Filesize

                      375KB

                      MD5

                      58f15794b6cb886072b48d5f7adcbe5d

                      SHA1

                      7dc06fe444373e306abd9d08cb5259ee5534318f

                      SHA256

                      e5f5ca11bc1b9933c77af6229c4deaa74c9e259f2fffe20cd9b1f17dff603641

                      SHA512

                      d296641d8408c61a010b4d17d1dd8920cca3530175de1be7a05ca24f1b8fedb6a464016d8d7b87390afe17cdf08bbb6c57c4c8a81176161265ad834fd341bd21

                      Download Submit

                    • C:\Windows\InstallDir\Dehew.exe
                      Filesize

                      375KB

                      MD5

                      58f15794b6cb886072b48d5f7adcbe5d

                      SHA1

                      7dc06fe444373e306abd9d08cb5259ee5534318f

                      SHA256

                      e5f5ca11bc1b9933c77af6229c4deaa74c9e259f2fffe20cd9b1f17dff603641

                      SHA512

                      d296641d8408c61a010b4d17d1dd8920cca3530175de1be7a05ca24f1b8fedb6a464016d8d7b87390afe17cdf08bbb6c57c4c8a81176161265ad834fd341bd21

                      Download Submit

                    • C:\Windows\InstallDir\Dehew.exe
                      Filesize

                      375KB

                      MD5

                      58f15794b6cb886072b48d5f7adcbe5d

                      SHA1

                      7dc06fe444373e306abd9d08cb5259ee5534318f

                      SHA256

                      e5f5ca11bc1b9933c77af6229c4deaa74c9e259f2fffe20cd9b1f17dff603641

                      SHA512

                      d296641d8408c61a010b4d17d1dd8920cca3530175de1be7a05ca24f1b8fedb6a464016d8d7b87390afe17cdf08bbb6c57c4c8a81176161265ad834fd341bd21

                      Download Submit

                    • C:\Windows\InstallDir\Dehew.exe
                      Filesize

                      375KB

                      MD5

                      58f15794b6cb886072b48d5f7adcbe5d

                      SHA1

                      7dc06fe444373e306abd9d08cb5259ee5534318f

                      SHA256

                      e5f5ca11bc1b9933c77af6229c4deaa74c9e259f2fffe20cd9b1f17dff603641

                      SHA512

                      d296641d8408c61a010b4d17d1dd8920cca3530175de1be7a05ca24f1b8fedb6a464016d8d7b87390afe17cdf08bbb6c57c4c8a81176161265ad834fd341bd21

                      Download Submit

                    • memory/1916-222-0x0000000010001000-0x00000000102CA000-memory.dmp

                      Filesize

                      2.8MB

                      Download

                    • memory/1916-221-0x0000000010001000-0x00000000102CA000-memory.dmp

                      Filesize

                      2.8MB

                      Download

                    • memory/2656-195-0x0000000010000000-0x000000001031C000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2656-200-0x0000000010001000-0x00000000102CA000-memory.dmp

                      Filesize

                      2.8MB

                      Download

                    • memory/2656-196-0x0000000010000000-0x000000001031C000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2656-194-0x0000000010000000-0x000000001031C000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2656-198-0x00000000102CA000-0x000000001031B000-memory.dmp

                      Filesize

                      324KB

                      Download

                    • memory/2656-199-0x0000000010001000-0x00000000102CA000-memory.dmp

                      Filesize

                      2.8MB

                      Download

                    • memory/2880-153-0x0000000010000000-0x000000001031C000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/3340-133-0x0000000010000000-0x000000001031C000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/3340-134-0x0000000010000000-0x000000001031C000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/3340-135-0x0000000010000000-0x000000001031C000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/4100-173-0x0000000010000000-0x000000001031C000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/4100-177-0x0000000010001000-0x00000000102CA000-memory.dmp

                      Filesize

                      2.8MB

                      Download

                    • memory/4100-172-0x0000000010000000-0x000000001031C000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/4100-176-0x0000000010001000-0x00000000102CA000-memory.dmp

                      Filesize

                      2.8MB

                      Download

                    • memory/4100-175-0x00000000102CA000-0x000000001031B000-memory.dmp

                      Filesize

                      324KB

                      Download

                    • memory/4100-174-0x0000000010000000-0x000000001031C000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/4232-145-0x0000000010000000-0x000000001031C000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/4232-148-0x00000000102CA000-0x000000001031B000-memory.dmp

                      Filesize

                      324KB

                      Download

                    • memory/4232-147-0x0000000010000000-0x000000001031C000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/4232-146-0x0000000010000000-0x000000001031C000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/4232-149-0x0000000010001000-0x00000000102CA000-memory.dmp

                      Filesize

                      2.8MB

                      Download

                    • memory/4232-150-0x00000000102CA000-0x000000001031B000-memory.dmp

                      Filesize

                      324KB

                      Download

                    • memory/4232-151-0x0000000010001000-0x00000000102CA000-memory.dmp

                      Filesize

                      2.8MB

                      Download

                    • memory/4232-154-0x0000000010001000-0x00000000102CA000-memory.dmp

                      Filesize

                      2.8MB

                      Download