Analysis

  • max time kernel
    15s
  • max time network
    15s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/03/2023, 17:30

General

  • Target

    3f9b441a175a193c1cabb3a9ec897659e0ec44dcdef27bf4e3b6a172a97d50d9.exe

  • Size

    20KB

  • MD5

    4bd60f1b3463985964e0c1a4a5b2dd14

  • SHA1

    440008219d6a344936cb49206b79664dd333a307

  • SHA256

    3f9b441a175a193c1cabb3a9ec897659e0ec44dcdef27bf4e3b6a172a97d50d9

  • SHA512

    4c9666f0e9b36cb6a995bf2d4341b8e6fd17bfddd32658f83379da08912207569dce45f64d76c5c557abf8359b31a90bcdd907f4cda8c0128a8d481b2b7875d1

  • SSDEEP

    48:yqS3foSm+p47EF9YS1GYFzf3sFzRpP4oyl1vgclVKsKtN:1SXp47I9YSEgzkzzP4oynP

Score
10/10

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 2 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f9b441a175a193c1cabb3a9ec897659e0ec44dcdef27bf4e3b6a172a97d50d9.exe
    "C:\Users\Admin\AppData\Local\Temp\3f9b441a175a193c1cabb3a9ec897659e0ec44dcdef27bf4e3b6a172a97d50d9.exe"
    1⤵
    • UAC bypass
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4160
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:/Users/Public/Documents/2022060128.vbe
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\2022060128.vbe"
        3⤵
          PID:696
    • C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe -Embedding
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4928
      • C:\Users\Public\Documents\k4.exe
        "C:\Users\Public\Documents\k4.exe"
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious use of SetWindowsHookEx
        PID:4984

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\ProgramData\setting.ini

      Filesize

      13B

      MD5

      0500175d0546cf7641d4bbb386acf5d8

      SHA1

      525881f9d3f19477f7560609e0806dacfada99c9

      SHA256

      a3bf48d17c8f3537b3b459ae7fcf9c554771c3a5523d0de7c229fe12ca93ce22

      SHA512

      21243c4ae3cfe932f483e887bc55f75df2db18623ecc52e5e016b3aba645fa8de2d0b428a7518b4a28842166b6769537ac4937772380a051836301a24a01782d

    • C:\Users\Class.dll

      Filesize

      900KB

      MD5

      7e43b8e8db51e99ed8dd5fa78899c1f0

      SHA1

      12aafcd74f64a9df87e5a2a32091e0ae8d1ba205

      SHA256

      ffb05670c59ee21b82df879323f36ea1a93a65851994b7735561ed68e9012d99

      SHA512

      cb079548b68471032af232b25ee4692c34e80eedb9c58c71b18b1a72d80bab5feb44ed27e5d0d12b742eebfed9639f8003322ddd1a6158a6cb9966770a95d794

    • C:\Users\Public\Documents\2022060128.vbe

      Filesize

      178B

      MD5

      19dcd917cf91e2f9bc6fef28a04adb08

      SHA1

      715c433ca6bc8df6def5adfe14320e28a4bf7052

      SHA256

      0db905ac801366af61ffdd829ecb3a89bcefc9538059ca37ea62161a6d4ca74e

      SHA512

      40df6373bfe3d859d43920d2d6ecc554272028374d4188b43e9d05435863ee99c43e0595d4c8be9198cc5da72093176d86029a414f9020aba264a5daa36e0a0c

    • C:\Users\Public\Documents\k4.exe

      Filesize

      892KB

      MD5

      33e29221e2825001d32f78632217d250

      SHA1

      9122127fc91790a1edb78003e9b58a9b00355ed5

      SHA256

      65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

      SHA512

      01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

    • C:\Users\Public\Documents\nnm.lnk

      Filesize

      1KB

      MD5

      a0f63fb66b28ebb350ec2d349e2d227b

      SHA1

      2d4c88e3b973d2f43c7c5246cb03bbbda3030a6b

      SHA256

      9754145aa75a07444aeeb0ef3a7acdeb2254edf1212cb9b3b52c633e7ae0c1e9

      SHA512

      6c69f1788b0ea7979d0462de84f336edd9c0b80e8c33a724079c33f5c10f87bce29b34b8aebc20011def6ee93b827ccfded73f55bbcc521da842d76476a89e2a

    • memory/4160-3088-0x00000000753F0000-0x000000007546A000-memory.dmp

      Filesize

      488KB

    • memory/4160-2083-0x0000000075CD0000-0x0000000075E70000-memory.dmp

      Filesize

      1.6MB

    • memory/4160-6727-0x0000000010000000-0x00000000100E1000-memory.dmp

      Filesize

      900KB

    • memory/4160-145-0x0000000076E20000-0x0000000077035000-memory.dmp

      Filesize

      2.1MB

    • memory/4160-144-0x0000000010000000-0x00000000100E1000-memory.dmp

      Filesize

      900KB

    • memory/4160-6738-0x00000000033D0000-0x00000000034D0000-memory.dmp

      Filesize

      1024KB