Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

URLScan

urlscan

1

http://77.105.146.74...

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/06/2023, 09:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://77.105.146.74/cc.exe

Score
10/10
collection

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3200
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://77.105.146.74/cc.exe
        2⤵
        • Modifies Internet Explorer Phishing Filter
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2184 CREDAT:17410 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1364
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\cc.exe
          "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\cc.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3496
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 972
            4⤵
            • Program crash
            PID:2952
      • C:\Windows\system32\certreq.exe
        "C:\Windows\system32\certreq.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • outlook_office_path
        • outlook_win_path
        PID:2216
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3496 -ip 3496
      1⤵
        PID:4776

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BMP3ERH\cc[1].exe
        Filesize

        422KB

        MD5

        0799c0591bf96a12fccb55454110f365

        SHA1

        1f501f4f3e84827ddc78d16dfa17e07e1aabf1a7

        SHA256

        5e90329c9567efb357eac028e0b3612fb960198c849ac1f314182b4849e4a308

        SHA512

        49065e9843951acbaed1bb3f703444c69ff79fefddec8488526a4b2fd150da4bff75d3adfebe5620a6bb648a7c17f52ee5ad2fcba24f9960550cd7554749df16

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\cc.exe
        Filesize

        422KB

        MD5

        0799c0591bf96a12fccb55454110f365

        SHA1

        1f501f4f3e84827ddc78d16dfa17e07e1aabf1a7

        SHA256

        5e90329c9567efb357eac028e0b3612fb960198c849ac1f314182b4849e4a308

        SHA512

        49065e9843951acbaed1bb3f703444c69ff79fefddec8488526a4b2fd150da4bff75d3adfebe5620a6bb648a7c17f52ee5ad2fcba24f9960550cd7554749df16

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\cc.exe.mlu05kh.partial
        Filesize

        422KB

        MD5

        0799c0591bf96a12fccb55454110f365

        SHA1

        1f501f4f3e84827ddc78d16dfa17e07e1aabf1a7

        SHA256

        5e90329c9567efb357eac028e0b3612fb960198c849ac1f314182b4849e4a308

        SHA512

        49065e9843951acbaed1bb3f703444c69ff79fefddec8488526a4b2fd150da4bff75d3adfebe5620a6bb648a7c17f52ee5ad2fcba24f9960550cd7554749df16

        Download Submit

      • memory/2216-178-0x00007FF4EE720000-0x00007FF4EE84D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2216-180-0x00007FF4EE720000-0x00007FF4EE84D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2216-185-0x00007FF4EE720000-0x00007FF4EE84D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2216-184-0x00007FF4EE720000-0x00007FF4EE84D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2216-148-0x0000020C164D0000-0x0000020C164D3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2216-183-0x00007FF4EE720000-0x00007FF4EE84D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2216-182-0x00007FF4EE720000-0x00007FF4EE84D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2216-181-0x00007FF4EE720000-0x00007FF4EE84D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2216-177-0x00007FF4EE720000-0x00007FF4EE84D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2216-172-0x0000020C164D0000-0x0000020C164D3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2216-173-0x0000020C16640000-0x0000020C16647000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2216-174-0x00007FF4EE720000-0x00007FF4EE84D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2216-175-0x00007FF4EE720000-0x00007FF4EE84D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2216-176-0x00007FF4EE720000-0x00007FF4EE84D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3496-158-0x0000000000400000-0x00000000004E0000-memory.dmp

        Filesize

        896KB

        Download

      • memory/3496-144-0x0000000002130000-0x00000000021A1000-memory.dmp

        Filesize

        452KB

        Download

      • memory/3496-145-0x0000000000660000-0x0000000000667000-memory.dmp

        Filesize

        28KB

        Download

      • memory/3496-156-0x00000000030B0000-0x00000000030E6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3496-150-0x00000000030B0000-0x00000000030E6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3496-149-0x0000000000400000-0x00000000004E0000-memory.dmp

        Filesize

        896KB

        Download

      • memory/3496-147-0x0000000002280000-0x0000000002680000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/3496-146-0x0000000002280000-0x0000000002680000-memory.dmp

        Filesize

        4.0MB

        Download