Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

51a709bfee...57.exe

windows7-x64

8

51a709bfee...57.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/01/2023, 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51a709bfee4438611f3afbe3fd4a9257.exe

  • Size

    580KB

  • MD5

    51a709bfee4438611f3afbe3fd4a9257

  • SHA1

    7352a87e19c7b949643811d50b0a6f0e170cf6ac

  • SHA256

    1cf4ca22e9fae2f14ec510910ca68dbe2bdad715af613b391bcb53414ddeb19f

  • SHA512

    e5a46cbd165dc71893740d043816f7802dfb5126f2527eadb6372921c14c5477623da493f83da08b0f075ed630fb8ac447358d2590a179bb9ff530b840c33b16

  • SSDEEP

    12288:PKqjWycOHr+5n1UxrSAHAhsxwpdBLIartbDA+VI2CZQi6sFIMyYOGqa4c:PKgyTmQyaTBN5k+VI2Cx6

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51a709bfee4438611f3afbe3fd4a9257.exe
    "C:\Users\Admin\AppData\Local\Temp\51a709bfee4438611f3afbe3fd4a9257.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1980
  • C:\Users\Admin\AppData\Roaming\51a709bfee4438611f3afbe3fd4a9257.exe
    C:\Users\Admin\AppData\Roaming\51a709bfee4438611f3afbe3fd4a9257.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 5; Stop-Process 4944 -Force; Start-Sleep -Seconds 2; Remove-Item "C:\Users\Admin\AppData\Roaming\51a709bfee4438611f3afbe3fd4a9257.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2508

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\51a709bfee4438611f3afbe3fd4a9257.exe.log
    Filesize

    621B

    MD5

    84ea4e5aedfded07182bbc69fa81eaff

    SHA1

    d82d998cb3d655c49dba4fb923a3fc360a285ea2

    SHA256

    299408135f6f265d6db7d42d5454a9be41bea2f72d8bb438d835de7c88c77653

    SHA512

    7f654f76cb24399a8e8d35c2f5571b1560b7cbc38656ff687c88bdae4dff49437cc218653441380247b6de484be6557b62b138bb725f8a94b4e776175c979a60

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    49e7d5f2a296b59afec08bc314bed998

    SHA1

    7f898bf195ffd46ce2d19fad0ce33155f6e47f5f

    SHA256

    394832dfefa5e2e6204b60708a2ca33bb9d2f529664419bc050975f4b80faefe

    SHA512

    f64579fdac0bfebad4c20ad575b8ea45136e295fba950da4cbf84402228a3897b2e2deb4eb4605deb5df93321b1dc15c8a878da36016d7e5e060182142fdf839

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    85618f28ab1279a44b5027fb2bd7ddea

    SHA1

    360f66dcc8d079e74afef69e3a204170ae01a4a5

    SHA256

    d917a65c5fb3257c60a0633df5bf10135eecf86efa9a2f929474e2fbd6de38f1

    SHA512

    47f6183a4586362b6d215fc13f990f78c05b5da96f07efab64f4b425613fc12e110cb847b33268648b424a5e314fa68da91d68dc1959655cbaae9836bfc6fc6e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\51a709bfee4438611f3afbe3fd4a9257.exe
    Filesize

    580KB

    MD5

    51a709bfee4438611f3afbe3fd4a9257

    SHA1

    7352a87e19c7b949643811d50b0a6f0e170cf6ac

    SHA256

    1cf4ca22e9fae2f14ec510910ca68dbe2bdad715af613b391bcb53414ddeb19f

    SHA512

    e5a46cbd165dc71893740d043816f7802dfb5126f2527eadb6372921c14c5477623da493f83da08b0f075ed630fb8ac447358d2590a179bb9ff530b840c33b16

    Download Submit

  • C:\Users\Admin\AppData\Roaming\51a709bfee4438611f3afbe3fd4a9257.exe
    Filesize

    580KB

    MD5

    51a709bfee4438611f3afbe3fd4a9257

    SHA1

    7352a87e19c7b949643811d50b0a6f0e170cf6ac

    SHA256

    1cf4ca22e9fae2f14ec510910ca68dbe2bdad715af613b391bcb53414ddeb19f

    SHA512

    e5a46cbd165dc71893740d043816f7802dfb5126f2527eadb6372921c14c5477623da493f83da08b0f075ed630fb8ac447358d2590a179bb9ff530b840c33b16

    Download Submit

  • memory/1980-139-0x00007FFE1C5A0000-0x00007FFE1D061000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1980-136-0x000002AC47440000-0x000002AC47462000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1980-142-0x00007FFE1C5A0000-0x00007FFE1D061000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2508-150-0x00007FFE1C5A0000-0x00007FFE1D061000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2508-149-0x00007FFE1C5A0000-0x00007FFE1D061000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4944-141-0x00007FFE1C5A0000-0x00007FFE1D061000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4944-143-0x00007FFE1C5A0000-0x00007FFE1D061000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4944-147-0x00007FFE1C5A0000-0x00007FFE1D061000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5100-134-0x00007FFE1C5A0000-0x00007FFE1D061000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5100-133-0x00007FFE1C5A0000-0x00007FFE1D061000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5100-132-0x0000000000180000-0x0000000000216000-memory.dmp

    Filesize

    600KB

    Download

  • memory/5100-140-0x00007FFE1C5A0000-0x00007FFE1D061000-memory.dmp

    Filesize

    10.8MB

    Download