Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

3fb2ea468d...e2.exe

windows7-x64

7

3fb2ea468d...e2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    01/04/2023, 00:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3fb2ea468d879582791fb74c6ef0898e45f62b2e22c6b6b1311def934957cde2.exe

  • Size

    305KB

  • MD5

    e9e8c070b34b395489a18bd9cc5cfe97

  • SHA1

    5822461d43129b2501ef1e963bd3b4bcc182e40d

  • SHA256

    3fb2ea468d879582791fb74c6ef0898e45f62b2e22c6b6b1311def934957cde2

  • SHA512

    44706890d8ad5d74f217f2b245f3ea84434b84082e253d39bba537f61832f94155b2e6be654b3069ae38050a790c7f3c457ecec6b03520f957ac1d1fa21d114e

  • SSDEEP

    6144:/Ya6KLv4nsx++b52HokQCkaDsR3XBoQV5KIWanleg/K7rfbiiGi:/Y0LvrJAHI7QYkmnlzS7rAi

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\3fb2ea468d879582791fb74c6ef0898e45f62b2e22c6b6b1311def934957cde2.exe
      "C:\Users\Admin\AppData\Local\Temp\3fb2ea468d879582791fb74c6ef0898e45f62b2e22c6b6b1311def934957cde2.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Users\Admin\AppData\Local\Temp\wrlzkzy.exe
        "C:\Users\Admin\AppData\Local\Temp\wrlzkzy.exe" C:\Users\Admin\AppData\Local\Temp\irwxzea.nf
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1920
        • C:\Users\Admin\AppData\Local\Temp\wrlzkzy.exe
          "C:\Users\Admin\AppData\Local\Temp\wrlzkzy.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2004
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:1456
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:1144
        • C:\Windows\SysWOW64\mstsc.exe
          "C:\Windows\SysWOW64\mstsc.exe"
          2⤵
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1704
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            3⤵
              PID:1940

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\irwxzea.nf
          Filesize

          5KB

          MD5

          6ae5403c5208ef1be21da0cd8a2a6148

          SHA1

          a7d05f32e8d8cd3328b512715adb49c8a5d89214

          SHA256

          0a6eaf357edafed3b457a7038a9be8b4e323b2d87e12a3414be212a262cd8a21

          SHA512

          4cd00f509fd3d45c7c3c2d8fbb3a38930e204056df6fdc9549fdadedfbe4a3a326e8f89bc28cf891f649ba36c92175f534d019627c4677646ccbf937c24e301d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\mzwei.nv
          Filesize

          205KB

          MD5

          e75bf2acec6e9a536f58ba066ec0e05a

          SHA1

          a1a6b1fcd7e60d1f1a441574d7614f6da2370578

          SHA256

          603420dac511cb1c0a550f6db3b2f49da1d18a258f4f7110dd041ee2be35e4ee

          SHA512

          d7130aff461125c91625ffcf938a039058e5af307ec3891ecad04455dbf897efe1b6880fd86538cd52c34115a84d3d9e164c32768caf3d1c2332390a1cd0a8f3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\upeho2.zip
          Filesize

          440KB

          MD5

          5d874a46532117f82095481976117fa1

          SHA1

          0a33fdef5084db25e24451dbde80238b487fbe78

          SHA256

          d6ccab1423559c6cf50202bc81a4576f969aa9c275eaaeb9a2ac2c827cd60447

          SHA512

          f0624277f3b4839c836291e1d1eb03cda875ba192243427afa967819b213f0cdade02f22e20b786b4680e4faaef20c045ad0a456d5f85fc04d3ab2e081ff4c61

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wrlzkzy.exe
          Filesize

          147KB

          MD5

          6b34e3f7bf37f2269e6f86cae8e24ea1

          SHA1

          79b4bcd8bc97c506b3161985e1ba1e94344722af

          SHA256

          16c3749c576220726436bab7a636c6ebe3e40fb7d5856d7570d421fafc4703bd

          SHA512

          93de3e3ba961c81d3c0b47809c740326a0e369c641bb30be818f4780bdfff9c4a727111fe973ffd7c6b18ffd3d02341b96f98f6d72d374d1909156276b13cdf3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wrlzkzy.exe
          Filesize

          147KB

          MD5

          6b34e3f7bf37f2269e6f86cae8e24ea1

          SHA1

          79b4bcd8bc97c506b3161985e1ba1e94344722af

          SHA256

          16c3749c576220726436bab7a636c6ebe3e40fb7d5856d7570d421fafc4703bd

          SHA512

          93de3e3ba961c81d3c0b47809c740326a0e369c641bb30be818f4780bdfff9c4a727111fe973ffd7c6b18ffd3d02341b96f98f6d72d374d1909156276b13cdf3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wrlzkzy.exe
          Filesize

          147KB

          MD5

          6b34e3f7bf37f2269e6f86cae8e24ea1

          SHA1

          79b4bcd8bc97c506b3161985e1ba1e94344722af

          SHA256

          16c3749c576220726436bab7a636c6ebe3e40fb7d5856d7570d421fafc4703bd

          SHA512

          93de3e3ba961c81d3c0b47809c740326a0e369c641bb30be818f4780bdfff9c4a727111fe973ffd7c6b18ffd3d02341b96f98f6d72d374d1909156276b13cdf3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wrlzkzy.exe
          Filesize

          147KB

          MD5

          6b34e3f7bf37f2269e6f86cae8e24ea1

          SHA1

          79b4bcd8bc97c506b3161985e1ba1e94344722af

          SHA256

          16c3749c576220726436bab7a636c6ebe3e40fb7d5856d7570d421fafc4703bd

          SHA512

          93de3e3ba961c81d3c0b47809c740326a0e369c641bb30be818f4780bdfff9c4a727111fe973ffd7c6b18ffd3d02341b96f98f6d72d374d1909156276b13cdf3

          Download Submit

        • \Users\Admin\AppData\Local\Temp\sqlite3.dll
          Filesize

          841KB

          MD5

          5fc6cd5d5ca1489d2a3c361717359a95

          SHA1

          5c630e232cd5761e7a611e41515be4afa3e7a141

          SHA256

          85c8b8a648c56cf5f063912e0e26ecebb90e0caf2f442fd5cdd8287301fe7e81

          SHA512

          5f9124a721f6b463d4f980920e87925098aa753b0fa2a59a3ff48b48d2b1a45d760fd46445414d84fb66321181cd2c82a4194361811114c15e35b42f838ab792

          Download Submit

        • \Users\Admin\AppData\Local\Temp\wrlzkzy.exe
          Filesize

          147KB

          MD5

          6b34e3f7bf37f2269e6f86cae8e24ea1

          SHA1

          79b4bcd8bc97c506b3161985e1ba1e94344722af

          SHA256

          16c3749c576220726436bab7a636c6ebe3e40fb7d5856d7570d421fafc4703bd

          SHA512

          93de3e3ba961c81d3c0b47809c740326a0e369c641bb30be818f4780bdfff9c4a727111fe973ffd7c6b18ffd3d02341b96f98f6d72d374d1909156276b13cdf3

          Download Submit

        • \Users\Admin\AppData\Local\Temp\wrlzkzy.exe
          Filesize

          147KB

          MD5

          6b34e3f7bf37f2269e6f86cae8e24ea1

          SHA1

          79b4bcd8bc97c506b3161985e1ba1e94344722af

          SHA256

          16c3749c576220726436bab7a636c6ebe3e40fb7d5856d7570d421fafc4703bd

          SHA512

          93de3e3ba961c81d3c0b47809c740326a0e369c641bb30be818f4780bdfff9c4a727111fe973ffd7c6b18ffd3d02341b96f98f6d72d374d1909156276b13cdf3

          Download Submit

        • \Users\Admin\AppData\Local\Temp\wrlzkzy.exe
          Filesize

          147KB

          MD5

          6b34e3f7bf37f2269e6f86cae8e24ea1

          SHA1

          79b4bcd8bc97c506b3161985e1ba1e94344722af

          SHA256

          16c3749c576220726436bab7a636c6ebe3e40fb7d5856d7570d421fafc4703bd

          SHA512

          93de3e3ba961c81d3c0b47809c740326a0e369c641bb30be818f4780bdfff9c4a727111fe973ffd7c6b18ffd3d02341b96f98f6d72d374d1909156276b13cdf3

          Download Submit

        • memory/1248-88-0x0000000006940000-0x0000000006A34000-memory.dmp

          Filesize

          976KB

          Download

        • memory/1248-84-0x0000000006940000-0x0000000006A34000-memory.dmp

          Filesize

          976KB

          Download

        • memory/1248-76-0x0000000002A00000-0x0000000002ABA000-memory.dmp

          Filesize

          744KB

          Download

        • memory/1704-81-0x0000000000120000-0x000000000014D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1704-78-0x0000000000480000-0x0000000000584000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1704-80-0x0000000000480000-0x0000000000584000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1704-82-0x00000000021B0000-0x00000000024B3000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1704-86-0x0000000001FA0000-0x000000000202F000-memory.dmp

          Filesize

          572KB

          Download

        • memory/1704-127-0x0000000061E00000-0x0000000061EBF000-memory.dmp

          Filesize

          764KB

          Download

        • memory/1704-132-0x0000000061E00000-0x0000000061EBF000-memory.dmp

          Filesize

          764KB

          Download

        • memory/1920-68-0x00000000002A0000-0x00000000002A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2004-74-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/2004-75-0x00000000001B0000-0x00000000001C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2004-73-0x0000000000700000-0x0000000000A03000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/2004-72-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/2004-69-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download