Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

CB.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    11s
  • max time network
    13s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/04/2023, 07:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CB.exe

  • Size

    5.1MB

  • MD5

    ca13426a9adef47c1fab4bb8b7f26316

  • SHA1

    460f9bc4b75e4fd43d144bb88b57bf5623fe7cbf

  • SHA256

    aa06a4ca3e1d11de166b79ffb65c1a574020969e76d0c6c3e4717633b1dac098

  • SHA512

    f73a6d974c0e4c69af3d849457589573209c3fe11d72ac8de9d654dd5a22afff7b73f73bb4410d173c8f395d1b69d346c9eaf860956392c5495686ce3f078e08

  • SSDEEP

    98304:qNlp/LhuMwTc2ulqmS4G1cTL+oLvxbHyTKBACJUGT2+Zhopdck9T5Se:qNlpjhgdulqmLwOR1HjvJ9T2+Zypts

Score
7/10
vmprotect

Malware Config

Signatures

  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CB.exe
    "C:\Users\Admin\AppData\Local\Temp\CB.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c MODE CON COLS=60 LINES=12
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4272
      • C:\Windows\SysWOW64\mode.com
        MODE CON COLS=60 LINES=12
        3⤵
          PID:1856
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Color A
        2⤵
          PID:3528
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c start www.sumatracit.xyz
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1712
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.sumatracit.xyz/
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4020
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe321646f8,0x7ffe32164708,0x7ffe32164718
              4⤵
                PID:4380

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2084-133-0x0000000000AB0000-0x000000000136D000-memory.dmp

          Filesize

          8.7MB

          Download

        • memory/2084-134-0x0000000000AB0000-0x000000000136D000-memory.dmp

          Filesize

          8.7MB

          Download