Analysis

  • max time kernel
    135s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/04/2023, 15:17 UTC

General

  • Target

    28632077ab5107f5925ce6cf347060312015deffd1b8472e5b06e0c133f6ff40.exe

  • Size

    188KB

  • MD5

    469eb4d876c8bd2093e47d2474fbc59b

  • SHA1

    0ff84a77d24839137002c56e9ff60c7f92080ca8

  • SHA256

    28632077ab5107f5925ce6cf347060312015deffd1b8472e5b06e0c133f6ff40

  • SHA512

    73cd7507ad38e5958f7e82fef52282eb2793d4cd1290178f0d51c9884a27e80e81bb6af266b5984ba5dfef69edde322fecd898e305cdd7e4a57519caa7abd594

  • SSDEEP

    3072:aaCAV9WB4UAZgRAg9/QHn24V5hErB4UVY+3WECnG/7NX0UV5eYka6UYV:WkWWGRC2eGB5Y+rZX/HK77

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28632077ab5107f5925ce6cf347060312015deffd1b8472e5b06e0c133f6ff40.exe
    "C:\Users\Admin\AppData\Local\Temp\28632077ab5107f5925ce6cf347060312015deffd1b8472e5b06e0c133f6ff40.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Windows\SYSTEM32\CMD.exe
      CMD /C RD %TEMP% /S/Q & MKDIR %TEMP%
      2⤵
      PID:3068
    • C:\Windows\SYSTEM32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f
      2⤵
      • Adds Run key to start application
      PID:1972
    • C:\Windows\SYSTEM32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
      2⤵
      • Adds Run key to start application
      PID:2620
    • C:\Windows\SYSTEM32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
      2⤵
      • Adds Run key to start application
      PID:2604
    • C:\Windows\SYSTEM32\CMD.exe
      CMD /C %WINDIR%\sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
      2⤵
      PID:4156
    • C:\Windows\SYSTEM32\sc.exe
      sc delete syshost32
      2⤵
      • Launches sc.exe
      PID:2152
    • C:\Windows\SYSTEM32\taskkill.exe
      taskkill /f /im msiexec.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3708
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit /set TESTSIGNING OFF
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:4328
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" CMD /C DEL /F /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.* "
      2⤵
      PID:4868
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" CMD /C DEL /F /S /Q "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.* "
      2⤵
      PID:1456
    • C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      2⤵
      PID:1396

Network

  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 209.205.72.20.in-addr.arpa IN PTR
    Response:
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response:
  • flag-us
    DNS
    64.13.109.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 64.13.109.52.in-addr.arpa IN PTR
    Response:
  • 52.152.110.14:443
    260 B
    5
  • 52.168.112.66:443
    322 B
    7
  • 52.152.110.14:443
    260 B
    5
  • 209.197.3.8:80
    322 B
    7
  • 173.223.113.164:443
    322 B
    7
  • 173.223.113.131:80
    322 B
    7
  • 204.79.197.203:80
    322 B
    7
  • 52.152.110.14:443
    260 B
    5
  • 52.152.110.14:443
    260 B
    5
  • 52.152.110.14:443
    260 B
    5
  • 52.152.110.14:443
    208 B
    4
  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request
    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request
    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    64.13.109.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request
    64.13.109.52.in-addr.arpa

MITRE ATT&CK Enterprise v6


Downloads

  • memory/4496-133-0x00007FF699890000-0x00007FF69A890000-memory.dmp
    Filesize: 16.0MB
  • memory/4496-139-0x00007FF699890000-0x00007FF69A890000-memory.dmp
    Filesize: 16.0MB
