Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ca01598809...a2.exe

windows7-x64

10

ca01598809...a2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    260s
  • max time network
    315s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2023, 19:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca0159880946930876b67a710d1874a42d22f06b6a249d1401903c60e45bd4a2.exe

  • Size

    612KB

  • MD5

    e0e44b630069919b9adf5b6eaf95067c

  • SHA1

    e35f6ff213917dc3b201196c7a07246fb1cb30ca

  • SHA256

    ca0159880946930876b67a710d1874a42d22f06b6a249d1401903c60e45bd4a2

  • SHA512

    810c751e7eb17adfa072a5f1eb4a25633784eb54cdbb4b0d1bc50a1d1f9f78c0779b106cdf44dba32db93c557f79a4b77830f9248ce648ebbeb6e193235eebb7

  • SSDEEP

    12288:hy90CWZBD6mUGsE2a/6qgxawZpJLwq2c7E2APbRS:hy3W/L2a/62KpJMaAPbRS

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca0159880946930876b67a710d1874a42d22f06b6a249d1401903c60e45bd4a2.exe
    "C:\Users\Admin\AppData\Local\Temp\ca0159880946930876b67a710d1874a42d22f06b6a249d1401903c60e45bd4a2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st496071.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st496071.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4820
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\39728528.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\39728528.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3640

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st496071.exe
    Filesize

    457KB

    MD5

    fb797ba938b6a0c45fdd240ed58b3d8b

    SHA1

    816bd1de2f596f4f73ba0e4a00b9d68d8a36873f

    SHA256

    41131c7ee1910bbbd5574f608b8596493277db1b1ef0f76e35374b1d1329b320

    SHA512

    8be690eddf925bbc303e01ee58ab03c642bfafbe36fd545754f10efed7ee3cecfb51303529674e0f567b478f06e7fd3f2dbe8e821c333e1d0f39076f1b0252b4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st496071.exe
    Filesize

    457KB

    MD5

    fb797ba938b6a0c45fdd240ed58b3d8b

    SHA1

    816bd1de2f596f4f73ba0e4a00b9d68d8a36873f

    SHA256

    41131c7ee1910bbbd5574f608b8596493277db1b1ef0f76e35374b1d1329b320

    SHA512

    8be690eddf925bbc303e01ee58ab03c642bfafbe36fd545754f10efed7ee3cecfb51303529674e0f567b478f06e7fd3f2dbe8e821c333e1d0f39076f1b0252b4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\39728528.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\39728528.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • memory/3640-147-0x0000000000F50000-0x0000000000F5A000-memory.dmp

    Filesize

    40KB

    Download