Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

0x002a0000...94.exe

windows7-x64

10

0x002a0000...94.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2023, 07:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0x002a00000000f66c-1394.exe

  • Size

    203KB

  • MD5

    0f6c959105b95ab977bf1539cfe7286a

  • SHA1

    834065fe82965a1d452dc85e0b6dba34cbf8e19a

  • SHA256

    52c0b7d7bda6a4ec4e97c7be75aa098c3399768478bf798034b1d3851d37b5a5

  • SHA512

    81b0dd7ad5e27d40747ce28dcad1850842ba653cb5d98f14baa33543671eb2d85b4c9d20863e331b90362ac6502c5526a5a550be88868f45566673387ace4cbc

  • SSDEEP

    6144:sLV6Bta6dtJmakIM5DPjoWNdOPgZpqS0J:sLV6Btpmk7EdOPQpG

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x002a00000000f66c-1394.exe
    "C:\Users\Admin\AppData\Local\Temp\0x002a00000000f66c-1394.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "DOS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7FDE.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1612
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "DOS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp80BA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2268

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp7FDE.tmp
    Filesize

    1KB

    MD5

    d376adb95e4dbeed9b3e42e3670747e4

    SHA1

    ab493fafb570e9c5ba0d0074f28c8ee27b44dfd8

    SHA256

    e1b519868da46cdddeaf034065a3ce42d48efd6cc4e94d53a95436d8637ed679

    SHA512

    4efaee890a09d7afd49b4df76e4d85f4c2b79188dee176251670ad521f022d2763135f9f2af544f92742081d313af6c5b6d7dbcf2c051333678ba54a71d92e24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp80BA.tmp
    Filesize

    1KB

    MD5

    b167179960db9fca3a7c0fa38c6f4cf7

    SHA1

    bd26271dc26fde6e47f87624100dc31c3e710226

    SHA256

    e8c60ac3403e13489278a82b5ece6bc092c27a69b6f5359275bc6b1c57bd1f13

    SHA512

    2d4a7bdab2e4a67ef6092f42b373a81f53800ff7772736cd2828d376159ddb4eebc29a3a12007fe70dc2c63712a9ac1a1a31a45b5d401a6fc01d4690dbbb75cc

    Download Submit

  • memory/4896-133-0x0000000075000000-0x00000000755B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4896-134-0x0000000075000000-0x00000000755B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4896-135-0x0000000000A70000-0x0000000000A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4896-143-0x0000000075000000-0x00000000755B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4896-144-0x0000000075000000-0x00000000755B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4896-145-0x0000000000A70000-0x0000000000A80000-memory.dmp

    Filesize

    64KB

    Download