Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

file.exe

windows7-x64

7

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    33s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    27/06/2023, 13:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.8MB

  • MD5

    08bd9f40d1e009c3ea0475aed29e597a

  • SHA1

    93eb930b3b54dce404916daa9d7761aa7f23bc4e

  • SHA256

    f0f756cdd6211e7ccaa203844abf95f2993dd2c1033fde42f5e17ba10adb67e6

  • SHA512

    ccc43b7355cf1f0d25ad7dddfde189e7d288e489921ee520861a12921ed2a9b12438a28f86bc14c6c69902ebd6d73e3d0db3ad63a2954ca1f7960d74eb56fe92

  • SSDEEP

    49152:3JfC7C2mJOTXP3NWpItn+id8pq+Z6Q2Xr7oX1f00/gZv+1X2J+lX:7XTU+1X2JG

Score
7/10

Malware Config

Signatures

  • .NET Reactor proctector 5 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:764
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5977.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1916
      • C:\ProgramData\Timeupper\HVPIO.exe
        "C:\ProgramData\Timeupper\HVPIO.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1252
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1684
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HVPIO" /tr "C:\ProgramData\Timeupper\HVPIO.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:936
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HVPIO" /tr "C:\ProgramData\Timeupper\HVPIO.exe"
            5⤵
            • Creates scheduled task(s)
            PID:1876

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Timeupper\HVPIO.exe
    Filesize

    502.6MB

    MD5

    2916de9610771808a3e1741b6026b9e4

    SHA1

    73188d8fd890b3f03889b36304ab9bd507047b18

    SHA256

    9cb62e0e29e68d64b36fa810a7e722aa627b9c53fb7037a1b6a51a40351caff2

    SHA512

    bdc3f8947cbe7c470d49e0a6eff3eff7d0e2d46a152d5416be738650db5ab0d0c47c8e0615167e96ef348ee9fcbb3814fe6d73743a38ca0e7970e6ab4c7a0616

    Download Submit

  • C:\ProgramData\Timeupper\HVPIO.exe
    Filesize

    640.8MB

    MD5

    f2202892d8db9ab7bbba72618ee041d4

    SHA1

    181f4a199c529bc39b05714c8cbd25432e73dc12

    SHA256

    081d7cf634987957989c12a227bc5a149585a7bab48d51bb0f1ded92f2c63d85

    SHA512

    7f503e9fe87b68181ef513462699248d98a09ccf2fab9cc65c7cbf0150aae88074ff72502374442b39ebd41825a6036a271e55377007209b738c5ad9443e7185

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp5977.tmp.bat
    Filesize

    143B

    MD5

    be77b49629f107b7459877fd35295b7f

    SHA1

    db8670f629e480a12b1ec93cb961cca0a666d87f

    SHA256

    70e945415a532b9f115f4ddfad8ab4650ad57b437cf9d18caabdaa8c0dd7f819

    SHA512

    19bbbbaa3bbceda10849f01ed70ea878109a7757facee7acce0f05918eeb438866cc4fa33527073173e5b0836344db2f00279d3744dc253be3fa63395f1bb0b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp5977.tmp.bat
    Filesize

    143B

    MD5

    be77b49629f107b7459877fd35295b7f

    SHA1

    db8670f629e480a12b1ec93cb961cca0a666d87f

    SHA256

    70e945415a532b9f115f4ddfad8ab4650ad57b437cf9d18caabdaa8c0dd7f819

    SHA512

    19bbbbaa3bbceda10849f01ed70ea878109a7757facee7acce0f05918eeb438866cc4fa33527073173e5b0836344db2f00279d3744dc253be3fa63395f1bb0b3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    b9b124dcf39fb4a05071519b283063b8

    SHA1

    491d45f05f4c3867cc11db2aa8c75a6d3a021818

    SHA256

    26349643de2e67297a0c85ff5740eed7dab5f9f27528f7da0ba62bcd99d48d6b

    SHA512

    53c0ae24e1a28df4abf4fc167c6c42bf101251310406e6bd256fdddfa8cb45732986b92a02748cb40a624bde386bf62ae27c8d4d09530ef202d604a7205d761b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    b9b124dcf39fb4a05071519b283063b8

    SHA1

    491d45f05f4c3867cc11db2aa8c75a6d3a021818

    SHA256

    26349643de2e67297a0c85ff5740eed7dab5f9f27528f7da0ba62bcd99d48d6b

    SHA512

    53c0ae24e1a28df4abf4fc167c6c42bf101251310406e6bd256fdddfa8cb45732986b92a02748cb40a624bde386bf62ae27c8d4d09530ef202d604a7205d761b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    b9b124dcf39fb4a05071519b283063b8

    SHA1

    491d45f05f4c3867cc11db2aa8c75a6d3a021818

    SHA256

    26349643de2e67297a0c85ff5740eed7dab5f9f27528f7da0ba62bcd99d48d6b

    SHA512

    53c0ae24e1a28df4abf4fc167c6c42bf101251310406e6bd256fdddfa8cb45732986b92a02748cb40a624bde386bf62ae27c8d4d09530ef202d604a7205d761b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VUJGJXI0WVUOVFFZ7BGU.temp
    Filesize

    7KB

    MD5

    b9b124dcf39fb4a05071519b283063b8

    SHA1

    491d45f05f4c3867cc11db2aa8c75a6d3a021818

    SHA256

    26349643de2e67297a0c85ff5740eed7dab5f9f27528f7da0ba62bcd99d48d6b

    SHA512

    53c0ae24e1a28df4abf4fc167c6c42bf101251310406e6bd256fdddfa8cb45732986b92a02748cb40a624bde386bf62ae27c8d4d09530ef202d604a7205d761b

    Download Submit

  • \ProgramData\Timeupper\HVPIO.exe
    Filesize

    569.3MB

    MD5

    0538facb32c05aa3ef9b969337e9206c

    SHA1

    e5842752015e0f8627a1d387d5a98c0bbf15c22d

    SHA256

    710b6becf64161aa8a8da1ad6ced48d76332470c783eafec44c315dc210fc17d

    SHA512

    44d6b20ae46088d03ccf77fd2b9c4aa1f74a65ed72eee0467f2524ebb4aa532d0c71f4c59071d93b747b6a7ca97fa7b963c4cc39e9f3b96412849215483d8d4f

    Download Submit

  • memory/540-72-0x000000000289B000-0x00000000028D2000-memory.dmp

    Filesize

    220KB

    Download

  • memory/540-71-0x0000000002894000-0x0000000002897000-memory.dmp

    Filesize

    12KB

    Download

  • memory/764-70-0x000000000235B000-0x0000000002392000-memory.dmp

    Filesize

    220KB

    Download

  • memory/764-69-0x0000000002354000-0x0000000002357000-memory.dmp

    Filesize

    12KB

    Download

  • memory/764-68-0x0000000002310000-0x0000000002318000-memory.dmp

    Filesize

    32KB

    Download

  • memory/764-67-0x000000001B190000-0x000000001B472000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1252-103-0x0000000001FB0000-0x0000000001FB8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-113-0x00000000027D0000-0x0000000002850000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1252-110-0x00000000027D0000-0x0000000002850000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1252-108-0x00000000027D0000-0x0000000002850000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1252-109-0x00000000027D0000-0x0000000002850000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1252-107-0x00000000027D0000-0x0000000002850000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1636-89-0x000000001C1B0000-0x000000001C230000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1636-90-0x0000000000150000-0x0000000000151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1636-88-0x0000000001090000-0x000000000125C000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1636-112-0x000000001C1B0000-0x000000001C230000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1684-102-0x000000001B200000-0x000000001B4E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1684-106-0x0000000002440000-0x00000000024C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1684-111-0x000000000244B000-0x0000000002482000-memory.dmp

    Filesize

    220KB

    Download

  • memory/2036-55-0x000000001BFF0000-0x000000001C070000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2036-56-0x00000000005C0000-0x00000000005C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2036-73-0x000000001BFF0000-0x000000001C070000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2036-54-0x0000000000C70000-0x0000000000E3C000-memory.dmp

    Filesize

    1.8MB

    Download