Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

97c5a2a43d...12.exe

windows7-x64

8

97c5a2a43d...12.exe

windows10-2004-x64

8

Resubmissions

26/12/2022, 02:17

221226-cq1taafe7t 8

26/12/2022, 01:37

221226-b16lvafe6s 8

26/12/2022, 01:34

221226-by65lacd25 8

25/12/2022, 04:48

221225-fff8nsbb39 10

Analysis

  • max time kernel
    282s
  • max time network
    292s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2022, 01:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe

  • Size

    1.6MB

  • MD5

    5015b3096f5bf7039c82684c2d88bf2c

  • SHA1

    24aada32e2ac068d737866b6561e64a20f10f65e

  • SHA256

    97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12

  • SHA512

    808031a37f169702a6e495bbd7597a8a2dd6c7e0d9690d35b4b822aff59987db5674bea0a2da042343313463860f8ef987276a8f92fc670b541e091c99f5045b

  • SSDEEP

    49152:g2LdRphDBhCTGFMWDumigm0pCiO5BAD70TfhxWYAhiISV:g2JRphjZM2UCGrIm

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops desktop.ini file(s) 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe
    "C:\Users\Admin\AppData\Local\Temp\97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\SETUP_26755\Engine.exe
      C:\Users\Admin\AppData\Local\Temp\SETUP_26755\Engine.exe /TH_ID=_4216 /OriginExe="C:\Users\Admin\AppData\Local\Temp\97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c cmd < 5
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5108
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell get-process avastui
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1544
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell get-process avgui
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2060
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^4172427212736811499564357707315395374551589040599087952093583091844164705808632821$" 3
            5⤵
              PID:3252
            • C:\Users\Admin\AppData\Local\Temp\njv3bvgd.5b1\21493\Participant.exe.pif
              21493\\Participant.exe.pif 21493\\P
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1120
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3808
            • C:\Windows\SysWOW64\PING.EXE
              ping localhost -n 8
              5⤵
              • Runs ping.exe
              PID:1548
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4884
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
      1⤵
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Modifies registry class
      PID:4092
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
      1⤵
      • Checks processor information in registry
      • Modifies registry class
      PID:2480

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      1KB

      MD5

      def65711d78669d7f8e69313be4acf2e

      SHA1

      6522ebf1de09eeb981e270bd95114bc69a49cda6

      SHA256

      aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

      SHA512

      05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      fba244702b72a5ec28bc5e912863d3ed

      SHA1

      109d5c97a782999b6dce8013b1c880c9e273d04c

      SHA256

      f121d9e1c956c3f0b3b5146c2f8cf09797fcd0180928ce6b11c821da8717b67d

      SHA512

      be6dd81faccc94208f610bbaca198f4e16d348fc0d7b7331c6e8edeb5e0bedbceabb333595613b7e893cbfa51fe9ed9f49fa39be18e416612b463baa3d802f98

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\SETUP_26755\00000#3
      Filesize

      872KB

      MD5

      9cd9369d3dc8824248464570a212e564

      SHA1

      a9880b7367c0c1e7a560fd9bc68c7561847d65d8

      SHA256

      cd1408c1e426684ffbe76ff868ed7e9cf0a56617dc2817243c9314653b1c3cdf

      SHA512

      64bf6265cde11d0f4ab36a6178b5aa2239468871f7b02513b7b9aa9721e8e217e87316e21acc951ea2c99bb194bb6f278ccef98fe127cb65407f85d150c71eca

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\SETUP_26755\00001#5
      Filesize

      12KB

      MD5

      766ec43b82895b93ac97641978856551

      SHA1

      af4184b1ea5a2314773cbb85aa6bc9c21f41aa87

      SHA256

      63e7a1799d65555bf0fef6b3b7ffe388657f8010d17f6ec73a16d8804ae75d34

      SHA512

      597bd5019d92d616b8e86d246770e9b6dfa40cf2d3c70144f9efe9bbacd50950623bbb167b1dc54b5198e917a128839ca93edc9019ab5f1042649c4a13e44611

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\SETUP_26755\00002#7
      Filesize

      1.5MB

      MD5

      268a482ed5ef9f3209bec71d291a19e7

      SHA1

      11e94a6f5360dabcd60a2329b86ec28c2e8ca38c

      SHA256

      1921ce205f4ef1a01a0c5dd326499dc26d3f9588888c97d59aa42917ba053bed

      SHA512

      9d43663903c23777b5e7408b73fea94885f07019a9cecc95b43641fb2712e1187d0bdef8bc5323667535f3f6c77ae8b587d6c6baa09a2b05ab420b2501455beb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\SETUP_26755\Engine.exe
      Filesize

      392KB

      MD5

      a7a99a201774531d761f6aac2651a9df

      SHA1

      b122ae368c4bf103e959a6ebb54ddb310117ab96

      SHA256

      e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

      SHA512

      056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\SETUP_26755\Engine.exe
      Filesize

      392KB

      MD5

      a7a99a201774531d761f6aac2651a9df

      SHA1

      b122ae368c4bf103e959a6ebb54ddb310117ab96

      SHA256

      e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

      SHA512

      056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\SETUP_26755\Modern_Icon.bmp
      Filesize

      7KB

      MD5

      1dd88f67f029710d5c5858a6293a93f1

      SHA1

      3e5ef66613415fe9467b2a24ccc27d8f997e7df6

      SHA256

      b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

      SHA512

      7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\SETUP_26755\Setup.txt
      Filesize

      2KB

      MD5

      cae83309280eb1febee041b70be024fd

      SHA1

      c3a773b4c1430dcbabcc7687a98aaccf12710443

      SHA256

      a3e3ef834ab038542f3ba5bfbae89d63bb147c270663ecbb0420b1a68e1d7255

      SHA512

      e1bdcf17fd22f55c66e4fc99b202cdc27d6135308158739cdcca519d5a1b3ae28e3c4d1a018b47d600410b91b779d468b113ad8e9fd583e589567abf141b3949

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\njv3bvgd.5b1\21493\Participant.exe.pif
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit

    • memory/1544-144-0x00000000026E0000-0x0000000002716000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1544-145-0x0000000005390000-0x00000000059B8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1544-146-0x0000000005150000-0x0000000005172000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1544-147-0x00000000052F0000-0x0000000005356000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1544-148-0x00000000059C0000-0x0000000005A26000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1544-149-0x0000000006000000-0x000000000601E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1544-150-0x0000000007010000-0x00000000070A6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1544-151-0x00000000064E0000-0x00000000064FA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1544-152-0x0000000006530000-0x0000000006552000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1544-153-0x0000000007660000-0x0000000007C04000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2580-136-0x0000000000400000-0x0000000000558000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2580-161-0x0000000000400000-0x0000000000558000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2580-162-0x0000000000400000-0x0000000000558000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3808-164-0x0000000000D70000-0x0000000000E16000-memory.dmp

      Filesize

      664KB

      Download

    • memory/3808-166-0x0000000005350000-0x00000000053E2000-memory.dmp

      Filesize

      584KB

      Download