Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

8be53871f6...80.exe

windows7-x64

7

8be53871f6...80.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/08/2023, 13:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8be53871f6ee10795c892f5a1274b30608e7b3e8b722bc6d88484f49cfd8f580.exe

  • Size

    3.2MB

  • MD5

    787db21989a9b6a297a53c33bd8827d4

  • SHA1

    14c3a0d5fa7ebf062a729140d2f8c97e647c4ff3

  • SHA256

    8be53871f6ee10795c892f5a1274b30608e7b3e8b722bc6d88484f49cfd8f580

  • SHA512

    36c5105cae3c08ad044d8e8b06742a8f99b6ad24bc3b0f6f62104a771346263e95759d257525745690b203331ff278226c121a737d4348c4c986ab9a6b941d52

  • SSDEEP

    49152:3BFsVkDH/AEeB4IFlBgcO8Ipc8dOjYAZ3oHrj/i6jbY:RS+DH/AEe2IFlBgcIpc8dOsI3QJj8

Score
7/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8be53871f6ee10795c892f5a1274b30608e7b3e8b722bc6d88484f49cfd8f580.exe
    "C:\Users\Admin\AppData\Local\Temp\8be53871f6ee10795c892f5a1274b30608e7b3e8b722bc6d88484f49cfd8f580.exe"
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Windows\cmd.exe
      "C:\Windows\cmd.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3792
      • C:\Windows\csrss.exe
        "C:\Windows\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:1748
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3796

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\cmd.exe
      Filesize

      808KB

      MD5

      d5f5f0ebb134ca0c67ab60c659a1ae41

      SHA1

      529dd9fbb43659279d083862c0208c7d883d72cf

      SHA256

      598fafb86d687aafc0db520f2534fff2cc449366e0a4a5858f4fc050f4940740

      SHA512

      439a10d432aaaf40d53ffbdf60817cacae4c3518adc7d4ad8be947f90f19c50acbf6bac5a018d063441fd79af02ddd68c65f8fc496d8a81afdd002df478cb96c

      Download Submit

    • C:\Windows\cmd.exe
      Filesize

      808KB

      MD5

      d5f5f0ebb134ca0c67ab60c659a1ae41

      SHA1

      529dd9fbb43659279d083862c0208c7d883d72cf

      SHA256

      598fafb86d687aafc0db520f2534fff2cc449366e0a4a5858f4fc050f4940740

      SHA512

      439a10d432aaaf40d53ffbdf60817cacae4c3518adc7d4ad8be947f90f19c50acbf6bac5a018d063441fd79af02ddd68c65f8fc496d8a81afdd002df478cb96c

      Download Submit

    • C:\Windows\cmd.exe
      Filesize

      808KB

      MD5

      d5f5f0ebb134ca0c67ab60c659a1ae41

      SHA1

      529dd9fbb43659279d083862c0208c7d883d72cf

      SHA256

      598fafb86d687aafc0db520f2534fff2cc449366e0a4a5858f4fc050f4940740

      SHA512

      439a10d432aaaf40d53ffbdf60817cacae4c3518adc7d4ad8be947f90f19c50acbf6bac5a018d063441fd79af02ddd68c65f8fc496d8a81afdd002df478cb96c

      Download Submit

    • C:\Windows\csrss.exe
      Filesize

      6KB

      MD5

      b58a5bc5705e66b3fdaeba17e346ffe6

      SHA1

      b3ba09b9625096119a28ba979e1cafb7be769786

      SHA256

      55f1c3dc84b498fc3bbf05d80e23cb168716053989f922d4dcf53c9279fc66cb

      SHA512

      1343e67cee9cd1ad746d12d41ae1c9a3e98d19b728491c4e813e8cfa708e5978557e3f206c921955538a6af60246e6ea8b4349d5c62289442cbb61c3d255456f

      Download Submit

    • C:\Windows\csrss.exe
      Filesize

      6KB

      MD5

      b58a5bc5705e66b3fdaeba17e346ffe6

      SHA1

      b3ba09b9625096119a28ba979e1cafb7be769786

      SHA256

      55f1c3dc84b498fc3bbf05d80e23cb168716053989f922d4dcf53c9279fc66cb

      SHA512

      1343e67cee9cd1ad746d12d41ae1c9a3e98d19b728491c4e813e8cfa708e5978557e3f206c921955538a6af60246e6ea8b4349d5c62289442cbb61c3d255456f

      Download Submit

    • C:\Windows\csrss.exe
      Filesize

      6KB

      MD5

      b58a5bc5705e66b3fdaeba17e346ffe6

      SHA1

      b3ba09b9625096119a28ba979e1cafb7be769786

      SHA256

      55f1c3dc84b498fc3bbf05d80e23cb168716053989f922d4dcf53c9279fc66cb

      SHA512

      1343e67cee9cd1ad746d12d41ae1c9a3e98d19b728491c4e813e8cfa708e5978557e3f206c921955538a6af60246e6ea8b4349d5c62289442cbb61c3d255456f

      Download Submit

    • memory/1748-18-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1748-20-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download