Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

b0fedb7668...a3.exe

windows7-x64

8

b0fedb7668...a3.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    139s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    24/08/2023, 22:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b0fedb766873e39cea4b925ac482fa4d9a8fed8a2810685d3208053b1b9228a3.exe

  • Size

    2.2MB

  • MD5

    b3467c8b5213819e2ad34af30e71181a

  • SHA1

    ebf6364595dfce80dd3ba7446c57cfa51c6937ff

  • SHA256

    b0fedb766873e39cea4b925ac482fa4d9a8fed8a2810685d3208053b1b9228a3

  • SHA512

    e1cf0e2cfd37060b1d0ac62dd06d53450c9c0b2bd2554701a9711e8127caf79d12c5104ecb28dab98f25828c2f71d6f371530aef23cf4b270d0014282c4bbaec

  • SSDEEP

    49152:HAlOjWOD9W0HqCKCHaGDV4XYjzEDrih+YVdypy:gECOD9W3waq4XYHESC

Score
8/10
persistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0fedb766873e39cea4b925ac482fa4d9a8fed8a2810685d3208053b1b9228a3.exe
    "C:\Users\Admin\AppData\Local\Temp\b0fedb766873e39cea4b925ac482fa4d9a8fed8a2810685d3208053b1b9228a3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\ProgramData\q79azm837p69z0j53xywc0\4w3bp8y4djjp.exe
      "C:\ProgramData\q79azm837p69z0j53xywc0\4w3bp8y4djjp.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2420

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\q79azm837p69z0j53xywc0\4w3bp8y4djjp.exe
    Filesize

    464KB

    MD5

    8fb40825d6a7ab6615807dbda6c62a62

    SHA1

    77c2a29b457dcb392f1ae1aa4d82cee152629f35

    SHA256

    245bf5a58ec5d3dcc34c3d8ecb1dfa996aaff66c26a74eae76c80aacc93e54d1

    SHA512

    1f0b7d2ceb14cecde1dab2310ad42d882804b20930a4e686619d3f6ea86466bbe79b9eabff0e0f513c85dadd16eed22f39cd8f1cedc3763a6900ed59e126ac6b

    Download Submit

  • C:\ProgramData\q79azm837p69z0j53xywc0\4w3bp8y4djjp.exe
    Filesize

    464KB

    MD5

    8fb40825d6a7ab6615807dbda6c62a62

    SHA1

    77c2a29b457dcb392f1ae1aa4d82cee152629f35

    SHA256

    245bf5a58ec5d3dcc34c3d8ecb1dfa996aaff66c26a74eae76c80aacc93e54d1

    SHA512

    1f0b7d2ceb14cecde1dab2310ad42d882804b20930a4e686619d3f6ea86466bbe79b9eabff0e0f513c85dadd16eed22f39cd8f1cedc3763a6900ed59e126ac6b

    Download Submit

  • C:\ProgramData\q79azm837p69z0j53xywc0\4w3bp8y4djjp.txt
    Filesize

    964B

    MD5

    1ed853dd4d72ca84c5d6f725dd6aa2fe

    SHA1

    9f08f7cb81398796a93b63334de270359e1a72b1

    SHA256

    8ec75a696fc3c831856953783cbb235a5d65157128b0a0fb08e06f50e2f11a5f

    SHA512

    2cde9d9471b4886fc891b5de8a230a6d046a057117f41a389c4048d2b1c5982b09a7f3df33256c4ec468482eb7a1f137c7e7c88dfe7bb99c331737bc6f19cc5b

    Download Submit

  • C:\ProgramData\q79azm837p69z0j53xywc0\4w3bp8y4djjp.txt
    Filesize

    964B

    MD5

    1ed853dd4d72ca84c5d6f725dd6aa2fe

    SHA1

    9f08f7cb81398796a93b63334de270359e1a72b1

    SHA256

    8ec75a696fc3c831856953783cbb235a5d65157128b0a0fb08e06f50e2f11a5f

    SHA512

    2cde9d9471b4886fc891b5de8a230a6d046a057117f41a389c4048d2b1c5982b09a7f3df33256c4ec468482eb7a1f137c7e7c88dfe7bb99c331737bc6f19cc5b

    Download Submit

  • C:\ProgramData\q79azm837p69z0j53xywc0\Rainmeter.dll
    Filesize

    1.0MB

    MD5

    ff9b42cc7b4edf7c011ef2b95e6e288d

    SHA1

    cf71cb056ecdf0e2e30a9fa4aecc5767dc9de045

    SHA256

    d9ea65e35de4020a37a73373b68b6bd2191e1169ce38a308d50d932930a9991a

    SHA512

    ba24d3dd068eae91203c43afdf7042076bb39d3c2c08ec15e4be315ac3e00207593ce56ed25f36def7d6c871039e6310d3c4824a6babbe96cfc19ee0fc80c04f

    Download Submit

  • \ProgramData\q79azm837p69z0j53xywc0\4w3bp8y4djjp.exe
    Filesize

    464KB

    MD5

    8fb40825d6a7ab6615807dbda6c62a62

    SHA1

    77c2a29b457dcb392f1ae1aa4d82cee152629f35

    SHA256

    245bf5a58ec5d3dcc34c3d8ecb1dfa996aaff66c26a74eae76c80aacc93e54d1

    SHA512

    1f0b7d2ceb14cecde1dab2310ad42d882804b20930a4e686619d3f6ea86466bbe79b9eabff0e0f513c85dadd16eed22f39cd8f1cedc3763a6900ed59e126ac6b

    Download Submit

  • \ProgramData\q79azm837p69z0j53xywc0\rainmeter.dll
    Filesize

    1.0MB

    MD5

    ff9b42cc7b4edf7c011ef2b95e6e288d

    SHA1

    cf71cb056ecdf0e2e30a9fa4aecc5767dc9de045

    SHA256

    d9ea65e35de4020a37a73373b68b6bd2191e1169ce38a308d50d932930a9991a

    SHA512

    ba24d3dd068eae91203c43afdf7042076bb39d3c2c08ec15e4be315ac3e00207593ce56ed25f36def7d6c871039e6310d3c4824a6babbe96cfc19ee0fc80c04f

    Download Submit

  • memory/2420-12-0x0000000002000000-0x00000000020E9000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2420-28-0x0000000003160000-0x00000000031B2000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2420-14-0x00000000038D0000-0x0000000003AFB000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2420-16-0x0000000000180000-0x0000000000181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2420-17-0x0000000000170000-0x0000000000171000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2420-9-0x0000000002000000-0x00000000020E9000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2420-22-0x0000000003D10000-0x0000000003E04000-memory.dmp

    Filesize

    976KB

    Download

  • memory/2420-21-0x0000000002620000-0x0000000002684000-memory.dmp

    Filesize

    400KB

    Download

  • memory/2420-24-0x00000000034E0000-0x000000000359F000-memory.dmp

    Filesize

    764KB

    Download

  • memory/2420-26-0x00000000044F0000-0x000000000466B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2420-25-0x00000000044F0000-0x000000000466B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2420-13-0x0000000002000000-0x00000000020E9000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2420-29-0x00000000038D0000-0x0000000003AFB000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2420-31-0x00000000038D0000-0x0000000003AFB000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/2420-10-0x0000000002000000-0x00000000020E9000-memory.dmp

    Filesize

    932KB

    Download

  • memory/2420-37-0x0000000002620000-0x0000000002684000-memory.dmp

    Filesize

    400KB

    Download

  • memory/2420-38-0x0000000003D10000-0x0000000003E04000-memory.dmp

    Filesize

    976KB

    Download

  • memory/2420-40-0x00000000034E0000-0x000000000359F000-memory.dmp

    Filesize

    764KB

    Download

  • memory/2420-43-0x00000000044F0000-0x000000000466B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2420-45-0x0000000003160000-0x00000000031B2000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2420-59-0x0000000003160000-0x00000000031B2000-memory.dmp

    Filesize

    328KB

    Download