Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

8

fe4b50fecb...ee.exe

windows7-x64

8

fe4b50fecb...ee.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    92s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2022, 13:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe4b50fecb15897d058be7ae401d5d50a093eb4edadfbc896e81ac0ee42000ee.exe

  • Size

    17KB

  • MD5

    31eb00e4884b371aaa5302699e0e6f75

  • SHA1

    45ba700180d087e003a61bd17e8a9034a39d879d

  • SHA256

    fe4b50fecb15897d058be7ae401d5d50a093eb4edadfbc896e81ac0ee42000ee

  • SHA512

    862a4e7faa9c958375ec1276e7c04daf051a531a680c82b44e110fba20833b81e740be6cd052285637d5043fc2939dadcba51184e672edda3e2ca57ea138835c

  • SSDEEP

    384:YHpwViqRd2ca4VoJOxXnV8sLUlGCmrRQXSvYEQECaNJawcudoD7UB:YHoq/kmsgMCG+XSHTjnbcuyD7U

Score
8/10
evasionupx

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Sets file to hidden 1 TTPs 4 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious use of WriteProcessMemory 30 IoCs
  • Views/modifies file attributes 1 TTPs 8 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe4b50fecb15897d058be7ae401d5d50a093eb4edadfbc896e81ac0ee42000ee.exe
    "C:\Users\Admin\AppData\Local\Temp\fe4b50fecb15897d058be7ae401d5d50a093eb4edadfbc896e81ac0ee42000ee.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A1A4.tmp\bnm2.bat""
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Windows\SysWOW64\attrib.exe
        attrib -a -s -h -r C:\Windows\system32\drivers\etc\hosts
        3⤵
        • Views/modifies file attributes
        PID:5040
      • C:\Windows\SysWOW64\attrib.exe
        attrib -a -s -h -r C:\Windows\system32\drivers\hosts
        3⤵
        • Views/modifies file attributes
        PID:2160
      • C:\Windows\SysWOW64\attrib.exe
        attrib -a -s -h -r C:\Windows\system32\hosts
        3⤵
        • Views/modifies file attributes
        PID:3624
      • C:\Windows\SysWOW64\attrib.exe
        attrib -a -s -h -r C:\Windows\hosts
        3⤵
        • Views/modifies file attributes
        PID:3232
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r C:\Windows\system32\drivers\etc\hosts
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:2116
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r C:\Windows\system32\drivers\hosts
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:460
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r C:\Windows\system32\hosts
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:396
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r C:\Windows\hosts
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:4308
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • Gathers network information
        PID:3396

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\A1A4.tmp\b2e.dll
    Filesize

    31KB

    MD5

    7b860f28be19d4aef761fb991134a556

    SHA1

    0658a7456d0234dcca598b6ee599fe134d0ecd61

    SHA256

    57a2586d73188a694944c7da60c78380f82fac46452ed1a31c818ceb93e660bc

    SHA512

    a0685a25cbc3fff74aa4ad538ade5282242980f07fe1171e01644e0fa98e1ec6adc87b943290983f6fb5070d26fc15d697ae31a1f570e83e504ae1e4508aefa5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A1A4.tmp\bnm2.bat
    Filesize

    5KB

    MD5

    9e80a79d25b637efe0296afc170b076d

    SHA1

    ebbc541478ab9ee46101a6b410a1bb5a2f7d7bba

    SHA256

    7d647475d092c3babc6b75def1af0bfd36386658fcdb0b1aa7136030add3fa8d

    SHA512

    8a16eac5952406a333e54af152756c07a7fb1e22c77c69069fa96671ae90ac0a933564d10de754f98a3e3e33bed105f942de161968cad40bff5cc94f6508bc88

    Download Submit

  • memory/868-132-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/868-145-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download