Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

4dc320c75d...e3.exe

windows7-x64

10

4dc320c75d...e3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2023, 05:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe

  • Size

    360KB

  • MD5

    3a9fbd43fea6701ab3111db334660d38

  • SHA1

    98855962827d60522eb91f11be00d2969471f147

  • SHA256

    4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3

  • SHA512

    8f4e4ebff99f79358b43337eda9fa0e8f27daffa965691a738a4e421fcda382210df82939205f6e5218483e1ae04f93511df0136b5299c8bcd7e349ca54bef52

  • SSDEEP

    6144:KSy+bnr+Fp0yN90QEdGayzdq9+slMoebwSdLdQsJM9i7yT48gAaXh:2Mrty90Gah98lt/Qs6zc5x

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe
    "C:\Users\Admin\AppData\Local\Temp\4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3760
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\knTi12GV54.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\knTi12GV54.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1268
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1080
        3⤵
        • Program crash
        PID:4752
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ljdH59li82.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ljdH59li82.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1916
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1268 -ip 1268
    1⤵
      PID:1944
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:3628

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\knTi12GV54.exe
      Filesize

      362KB

      MD5

      5d81e061f10a4717c5280a205a96b146

      SHA1

      f576d4064f994a265b98a3b504a0e128699b0ee2

      SHA256

      4f5e241ccb185ff012b1867db8220ab0dc50e72f7a59c4eb58dbe9292f120f9e

      SHA512

      a6dd3707251edca7f42acad1e643e35ef6786302bc2e530905bf854473b2c1548acecddba8f7430e6ed41d7839e10d0ef4db0a19b2b9e0e00b7bd1d2ffa657dd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\knTi12GV54.exe
      Filesize

      362KB

      MD5

      5d81e061f10a4717c5280a205a96b146

      SHA1

      f576d4064f994a265b98a3b504a0e128699b0ee2

      SHA256

      4f5e241ccb185ff012b1867db8220ab0dc50e72f7a59c4eb58dbe9292f120f9e

      SHA512

      a6dd3707251edca7f42acad1e643e35ef6786302bc2e530905bf854473b2c1548acecddba8f7430e6ed41d7839e10d0ef4db0a19b2b9e0e00b7bd1d2ffa657dd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ljdH59li82.exe
      Filesize

      12KB

      MD5

      2ec4640232b1848ae68845f48a57f912

      SHA1

      f104382796c69ca74f3c3305774819a738fc672f

      SHA256

      a73dee9964005b1f37bf42680cb70acad7355ca2d481e0f4dd39036b870dd22e

      SHA512

      db88d8f58550872a2a57bd2ae09900661ca92805f209652dc039f659a696da2b38e57f56fdf5922f50d968f4eada29361ef34fdf5b656c92867058f053a5be26

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ljdH59li82.exe
      Filesize

      12KB

      MD5

      2ec4640232b1848ae68845f48a57f912

      SHA1

      f104382796c69ca74f3c3305774819a738fc672f

      SHA256

      a73dee9964005b1f37bf42680cb70acad7355ca2d481e0f4dd39036b870dd22e

      SHA512

      db88d8f58550872a2a57bd2ae09900661ca92805f209652dc039f659a696da2b38e57f56fdf5922f50d968f4eada29361ef34fdf5b656c92867058f053a5be26

      Download Submit

    • memory/1268-159-0x0000000007140000-0x0000000007152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1268-165-0x0000000007140000-0x0000000007152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1268-144-0x00000000072D0000-0x00000000072E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1268-146-0x0000000007140000-0x0000000007152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1268-147-0x0000000007140000-0x0000000007152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1268-149-0x0000000007140000-0x0000000007152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1268-151-0x0000000007140000-0x0000000007152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1268-153-0x0000000007140000-0x0000000007152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1268-155-0x0000000007140000-0x0000000007152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1268-157-0x0000000007140000-0x0000000007152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1268-143-0x00000000072D0000-0x00000000072E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1268-161-0x0000000007140000-0x0000000007152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1268-163-0x0000000007140000-0x0000000007152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1268-145-0x00000000072D0000-0x00000000072E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1268-167-0x0000000007140000-0x0000000007152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1268-169-0x0000000007140000-0x0000000007152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1268-171-0x0000000007140000-0x0000000007152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1268-173-0x0000000007140000-0x0000000007152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1268-174-0x0000000000400000-0x0000000002BC8000-memory.dmp

      Filesize

      39.8MB

      Download

    • memory/1268-175-0x00000000072D0000-0x00000000072E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1268-176-0x00000000072D0000-0x00000000072E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1268-177-0x00000000072D0000-0x00000000072E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1268-179-0x0000000000400000-0x0000000002BC8000-memory.dmp

      Filesize

      39.8MB

      Download

    • memory/1268-142-0x0000000002BD0000-0x0000000002BFD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1268-141-0x00000000072E0000-0x0000000007884000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1916-183-0x0000000000680000-0x000000000068A000-memory.dmp

      Filesize

      40KB

      Download