Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

ares.exe

windows10-1703-x64

7

Analysis

  • max time kernel
    167s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04/02/2023, 22:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ares.exe

  • Size

    9.5MB

  • MD5

    33b25341be43c3772804c2c202042ec7

  • SHA1

    a4573a867e2cc0b7f0e9ddc9d7676aeb942f372b

  • SHA256

    2fb6c7512ed9b1685c5af73f6875ca6f085add60ed3ae09f914a73e37d16defe

  • SHA512

    0b867f1d87043fdd3e99f3a0c5371d95debd208e28600420c69f1b0b3d24861c78c3f2611db8097484b2e98bb2cc3cc67cd9c30e69b35f03d3c5a3621fa9deba

  • SSDEEP

    196608:CYQEuSzjBKnvBkWXCzEqRzFaubMeW3thIc3Pnk1atadP0xv:CYQOQvBbCzEQzvMe4gwnkbC

Score
7/10
agilenet

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ares.exe
    "C:\Users\Admin\AppData\Local\Temp\ares.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:1776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\054efc7d-d29a-413e-914f-9cb6be5ff5f6\rabu64.dll
    Filesize

    75KB

    MD5

    42b2c266e49a3acd346b91e3b0e638c0

    SHA1

    2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

    SHA256

    adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

    SHA512

    770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

    Download Submit

  • \Users\Admin\AppData\Local\Temp\32a4a32f-b10a-42fc-a699-939a32e55fe5\SiticoneDotNetRT64.dll
    Filesize

    142KB

    MD5

    9c43f77cb7cff27cb47ed67babe3eda5

    SHA1

    b0400cf68249369d21de86bd26bb84ccffd47c43

    SHA256

    f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

    SHA512

    cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

    Download Submit

  • memory/1776-130-0x00000235782A0000-0x00000235782B4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1776-119-0x0000023559E70000-0x0000023559E76000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1776-126-0x0000023559E80000-0x0000023559E86000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1776-129-0x0000023576E70000-0x0000023577B04000-memory.dmp

    Filesize

    12.6MB

    Download

  • memory/1776-116-0x00000235591E0000-0x0000023559B70000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1776-131-0x0000023579640000-0x0000023579880000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1776-118-0x0000023574CE0000-0x0000023574DCA000-memory.dmp

    Filesize

    936KB

    Download

  • memory/1776-133-0x00007FFA90DA0000-0x00007FFA90ECC000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1776-134-0x000002357A1C0000-0x000002357A368000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1776-117-0x0000023573FD0000-0x0000023574CD8000-memory.dmp

    Filesize

    13.0MB

    Download

  • memory/1776-136-0x00007FFA8EA60000-0x00007FFA8EA87000-memory.dmp

    Filesize

    156KB

    Download

  • memory/1776-137-0x00007FFA8EA60000-0x00007FFA8EA87000-memory.dmp

    Filesize

    156KB

    Download