Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/07/2023, 05:53

General

  • Target

    Alinti Yapmak.exe

  • Size

    842KB

  • MD5

    1ad8b3d6f611ff6586cf58c28c83470b

  • SHA1

    34f243e0376a686bc3a8873636c6de5f032669fd

  • SHA256

    c443575783b8c82cbbcf60290fe58b8093bb2be9e71dfe3abca851efc08519cf

  • SHA512

    c624e0e1f57b082b45ea566f2cb4507ea93864a5b9c0d7ba9d73602f3743757594fc00fada4b840589793690ec0475856a853faef7066462dad545cc23653f99

  • SSDEEP

    6144:SCAU2a4IKdnc/8rFKd1JtwM3QxgUPWqikY6nnHKIILsoyhASZT6BW7uzElqNP/Qo:ku90cVYbKBsE7KYJamuf4vcfKKGqCn+C

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Alinti Yapmak.exe
    "C:\Users\Admin\AppData\Local\Temp\Alinti Yapmak.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Connections" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\connections.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 36
        3⤵
        • Runs ping.exe
        PID:1720
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Connections" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\connections.exe"
        3⤵
        • Adds Run key to start application
        PID:5116
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 49 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Alinti Yapmak.exe" "C:\Users\Admin\AppData\Roaming\connections.exe" && ping 127.0.0.1 -n 49 > nul && "C:\Users\Admin\AppData\Roaming\connections.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 49
        3⤵
        • Runs ping.exe
        PID:5036
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 49
        3⤵
        • Runs ping.exe
        PID:3200
      • C:\Users\Admin\AppData\Roaming\connections.exe
        "C:\Users\Admin\AppData\Roaming\connections.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1020
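The two cmd.exe chains above form a small self-installer: sleep by pinging 127.0.0.1, copy the running binary to %APPDATA%\connections.exe, register that path under the HKCU Run key, then launch the copy. The following is an added detection example and is not part of the tria.ge report. It parses Sysmon-style process-creation events (the field layout is an assumption; the PIDs, images and command lines are taken from the process tree above, and the OneDrive entry is a constructed benign control) and flags the ping-sleep, self-copy and Run-key combination while leaving the benign autostart alone.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon EID 1 style; the field layout is
# an assumption). PIDs, images and command lines come from the tria.ge process
# tree; the OneDrive event is a hand-made benign control, not from the report.
EVENTS = [
    {"pid": 1652, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\Alinti Yapmak.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\Alinti Yapmak.exe"'},
    {"pid": 2736, "ppid": 1652, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Connections" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\connections.exe"'},
    {"pid": 3096, "ppid": 1652, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"cmd" /c ping 127.0.0.1 -n 49 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Alinti Yapmak.exe" "C:\Users\Admin\AppData\Roaming\connections.exe" && ping 127.0.0.1 -n 49 > nul && "C:\Users\Admin\AppData\Roaming\connections.exe"'},
    {"pid": 1020, "ppid": 3096, "image": r"C:\Users\Admin\AppData\Roaming\connections.exe",
     "cmd": r'"C:\Users\Admin\AppData\Roaming\connections.exe"'},
    {"pid": 4444, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDrive /t REG_SZ /d "C:\Program Files\OneDrive\OneDrive.exe"'},
]

RUN_KEY = re.compile(
    r"^hk(cu|ey_current_user|lm|ey_local_machine)\\software\\microsoft\\windows\\currentversion\\run$",
    re.IGNORECASE)
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def split_chain(cmd):
    """Break a cmd.exe one-liner into its '&&' / '&' separated commands."""
    return [s.strip() for s in re.split(r"\s*&&?\s*", cmd) if s.strip()]


def tokens(segment):
    """Tokenise one command, honouring double quotes and dropping them."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', segment)]


def parse_chain(cmd):
    """Summarise what a command line does: sleep, Run-key write, copy, exec."""
    cmds = [tokens(s) for s in split_chain(cmd)]
    if cmds and len(cmds[0]) > 1 and cmds[0][0].lower() in ("cmd", "cmd.exe") \
            and cmds[0][1].lower() == "/c":
        cmds[0] = cmds[0][2:]  # strip the 'cmd /c' wrapper
    out = {"sleep_s": 0, "run_value": None, "copy": None, "exec": []}
    for t in cmds:
        if not t:
            continue
        head = t[0].lower()
        if head in ("ping", "ping.exe") and len(t) > 1 \
                and t[1] in ("127.0.0.1", "localhost") and "-n" in t:
            # ping -n N to loopback answers once per second: roughly N-1 s of delay
            out["sleep_s"] += max(int(t[t.index("-n") + 1]) - 1, 0)
        elif head in ("reg", "reg.exe") and len(t) > 2 and t[1].lower() == "add" \
                and RUN_KEY.match(t[2]) and "/d" in t:
            out["run_value"] = t[t.index("/d") + 1]
        elif head == "copy" and len(t) > 2:
            out["copy"] = (t[1], t[2])
        elif head.endswith(".exe") and "\\" in head:
            out["exec"].append(t[0])
    return out


def detect(events):
    """Return (pid, reasons) findings; correlates sibling chains per parent."""
    by_pid = {e["pid"]: e for e in events}
    per_parent = defaultdict(dict)
    findings = []
    for e in events:
        p = parse_chain(e["cmd"])
        parent = by_pid.get(e["ppid"])
        reasons = []
        if p["run_value"] and USER_WRITABLE.match(p["run_value"]):
            reasons.append("Run-key autostart points into user-writable AppData")
            per_parent[e["ppid"]]["run_value"] = p["run_value"]
        if p["copy"] and parent and p["copy"][0].lower() == parent["image"].lower():
            reasons.append("parent copies its own image to " + p["copy"][1])
            per_parent[e["ppid"]]["dropped"] = p["copy"][1]
        if p["copy"] and any(x.lower() == p["copy"][1].lower() for x in p["exec"]):
            reasons.append("freshly copied file is executed in the same chain")
        if p["sleep_s"] and reasons:  # ping-sleep alone is not worth alerting on
            reasons.append(f"~{p['sleep_s']}s ping-loopback delay before the action")
        if reasons:
            findings.append((e["pid"], reasons))
    # Tie the persistence entry to the dropped copy when both hang off one parent
    for ppid, d in per_parent.items():
        if d.get("run_value") and d.get("dropped") \
                and d["run_value"].lower() == d["dropped"].lower():
            findings.append((ppid, ["Run value equals self-dropped copy: " + d["dropped"]]))
    return findings


if __name__ == "__main__":
    for pid, reasons in detect(EVENTS):
        print(pid, "|", "; ".join(reasons))
```

The correlation step is the part worth keeping in a real rule: the Run value path written by PID 2736 is exactly the destination of the copy made by PID 3096, and both are children of PID 1652, which is what ties the persistence entry to the dropped file. The identical hashes for connections.exe in the Downloads section confirm it is a verbatim self-copy rather than a second-stage payload, so the same file IOCs cover both locations.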

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\connections.exe

    Filesize

    842KB

    MD5

    1ad8b3d6f611ff6586cf58c28c83470b

    SHA1

    34f243e0376a686bc3a8873636c6de5f032669fd

    SHA256

    c443575783b8c82cbbcf60290fe58b8093bb2be9e71dfe3abca851efc08519cf

    SHA512

    c624e0e1f57b082b45ea566f2cb4507ea93864a5b9c0d7ba9d73602f3743757594fc00fada4b840589793690ec0475856a853faef7066462dad545cc23653f99

  • memory/1020-152-0x00000000055D0000-0x00000000055E0000-memory.dmp

    Filesize

    64KB

  • memory/1020-151-0x00000000055D0000-0x00000000055E0000-memory.dmp

    Filesize

    64KB

  • memory/1020-150-0x00000000055D0000-0x00000000055E0000-memory.dmp

    Filesize

    64KB

  • memory/1020-149-0x00000000055D0000-0x00000000055E0000-memory.dmp

    Filesize

    64KB

  • memory/1020-148-0x0000000000A00000-0x0000000000AD4000-memory.dmp

    Filesize

    848KB

  • memory/1652-137-0x0000000005A10000-0x0000000005A20000-memory.dmp

    Filesize

    64KB

  • memory/1652-141-0x0000000005A10000-0x0000000005A20000-memory.dmp

    Filesize

    64KB

  • memory/1652-140-0x0000000005A10000-0x0000000005A20000-memory.dmp

    Filesize

    64KB

  • memory/1652-139-0x0000000005A10000-0x0000000005A20000-memory.dmp

    Filesize

    64KB

  • memory/1652-138-0x0000000005A00000-0x0000000005A0A000-memory.dmp

    Filesize

    40KB

  • memory/1652-133-0x0000000000370000-0x0000000000444000-memory.dmp

    Filesize

    848KB

  • memory/1652-136-0x0000000005AC0000-0x0000000005B52000-memory.dmp

    Filesize

    584KB

  • memory/1652-135-0x0000000005FD0000-0x0000000006574000-memory.dmp

    Filesize

    5.6MB

  • memory/1652-134-0x0000000005830000-0x00000000058CC000-memory.dmp

    Filesize

    624KB