Analysis

  • max time kernel
    181s
  • max time network
    193s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2022, 18:29

General

  • Target

    eebd455e5228d356cf78ddc79ec3f0a0ff5dd77f5cdaa6ba9508268eaf7ed135.exe

  • Size

    146KB

  • MD5

    82e6ceae0f6ef093e05b6ce49020e7a4

  • SHA1

    344dee197461b500c59a32bb2c401b8f15e550b1

  • SHA256

    eebd455e5228d356cf78ddc79ec3f0a0ff5dd77f5cdaa6ba9508268eaf7ed135

  • SHA512

    a6e0b7abbd9593c1841b7aed2d3d313340313f3d7b91c5588bad9a5ef8a6dfb1021991f34ec4e829c02c4134930f78fca0aee9d2315aa06598c507c64e60a240

  • SSDEEP

    3072:wPQt3aMxzd3o9fUPHC56IXsLkce6p23CskJXljt/wOl2RkJdoGTIcI:wPhaCEHpMGljt/RYkLBw

Score
8/10

Malware Config

Signatures

  • Registers new Print Monitor (2 TTPs, 12 IoCs)
  • Drops file in Program Files directory (1 IoC)
  • Checks SCSI registry key(s) (3 TTPs, 8 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\eebd455e5228d356cf78ddc79ec3f0a0ff5dd77f5cdaa6ba9508268eaf7ed135.exe
    "C:\Users\Admin\AppData\Local\Temp\eebd455e5228d356cf78ddc79ec3f0a0ff5dd77f5cdaa6ba9508268eaf7ed135.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt3434.bat
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im ecplor*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3036
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im rpstat.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4220
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im npver.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:212
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im setup.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2000
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im spoolsv.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3928
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im cmd.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3168
  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
    • Registers new Print Monitor
    • Checks SCSI registry key(s)
    PID:2320

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bt3434.bat

    Filesize

    504B

    MD5

    b2ae7735031c2db845aee3231c28f607

    SHA1

    0fc7f68a282715546f45de37db2d27424c690db0

    SHA256

    4135696da8b0211576842a030b2682d5d8938ced79d07752756752fa90988830

    SHA512

    f904c214db324052b0248b74881e2079438a49d972eb4227a14d09de6b0989cedd1644f0cd230cd2b00d0bd1bee5191def4ba921158c87f10b7b95f02a88f4e6