Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

bin-cr.exe

windows7-x64

6

bin-cr.exe

windows10-2004-x64

10

Resubmissions

14/04/2023, 09:46

230414-lrmgqaag8s 10

14/04/2023, 09:39

230414-lm3yxaag6y 10

13/04/2023, 06:38

230413-hd2spshh29 10

Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14/04/2023, 09:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bin-cr.exe

  • Size

    2.1MB

  • MD5

    50d9ad764597d6970f0480b58c4cf88e

  • SHA1

    72c210f8b80c755a6f5198ca6dea509872dee98a

  • SHA256

    57ba6e0a9c0804c9a3d239dc6fb2a6742f3a91b762741772dd3571e1cbec45f8

  • SHA512

    6d8bb209d50ec7a2349174255faa33696826d9c31eab7a22c63840afdc8711dd44bf42a35dad58c99f4ed1c057f4adaa913fe7e292afc1bee9482b5d08a02e07

  • SSDEEP

    24576:opwU6X5VuMFwg1SkQpRzFabsmVnR/ChijkYHGo5ExFNIprhIw0cNN4CJP6SSTzny:owVuMF5rbNWijJmA0cP42Jr

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
    "C:\Users\Admin\AppData\Local\Temp\bin-cr.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:836
    • C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
      C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
      2⤵
        PID:1636
      • C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
        C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
        2⤵
          PID:796
        • C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
          C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
          2⤵
            PID:288
          • C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
            C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
            2⤵
              PID:864
            • C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
              C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
              2⤵
                PID:940
              • C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
                C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
                2⤵
                  PID:1640
                • C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
                  C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
                  2⤵
                    PID:1632
                  • C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
                    C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
                    2⤵
                      PID:1696
                    • C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
                      C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
                      2⤵
                        PID:1820
                      • C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
                        C:\Users\Admin\AppData\Local\Temp\bin-cr.exe
                        2⤵
                          PID:588

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/836-62-0x0000000002860000-0x00000000028A0000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/836-61-0x0000000002860000-0x00000000028A0000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/1728-54-0x0000000000300000-0x000000000051E000-memory.dmp

                        Filesize

                        2.1MB

                        Download

                      • memory/1728-55-0x0000000004C00000-0x0000000004D6E000-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/1728-56-0x0000000000940000-0x000000000098E000-memory.dmp

                        Filesize

                        312KB

                        Download

                      • memory/1728-57-0x0000000004750000-0x00000000047E2000-memory.dmp

                        Filesize

                        584KB

                        Download

                      • memory/1728-58-0x00000000042B0000-0x00000000042F0000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/1728-63-0x00000000042B0000-0x00000000042F0000-memory.dmp

                        Filesize

                        256KB

                        Download