Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

7

d97b464631...8d.exe

windows7-x64

8

d97b464631...8d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2023, 10:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d97b4646318bb9f0e451a5f9c7ec1c94ad1ec688e15f47ed95882b0498c7128d.exe

  • Size

    3.0MB

  • MD5

    36b8caffad1fd3c6ce6e3f3037f3ce89

  • SHA1

    c4799b5bdc1adb5ccc66cecc3eda2e0d39c02e34

  • SHA256

    d97b4646318bb9f0e451a5f9c7ec1c94ad1ec688e15f47ed95882b0498c7128d

  • SHA512

    341380a31d0aa845d2420bba64f385fa50a67bd31ceb79b03115ab3b45cfab2e1347375140b1016c0de304618999f1c319871500c407be37f54ce85595969a68

  • SSDEEP

    49152:MTGkQm5QZuTtS0rQMYOQ+q8CEwTG4QiTGHQI9KFeM7:MKkZWsM0r1QnXK4HKHP0Fee

Score
8/10
upx

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 56 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1244
      • C:\Users\Admin\AppData\Local\Temp\d97b4646318bb9f0e451a5f9c7ec1c94ad1ec688e15f47ed95882b0498c7128d.exe
        "C:\Users\Admin\AppData\Local\Temp\d97b4646318bb9f0e451a5f9c7ec1c94ad1ec688e15f47ed95882b0498c7128d.exe"
        2⤵
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1728
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\d97b4646318bb9f0e451a5f9c7ec1c94ad1ec688e15f47ed95882b0498c7128d.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2936
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:2956
      • C:\Windows\Logs\ndadmin.exe
        "C:\Windows\Logs\ndadmin.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2840
    • C:\Windows\Syswow64\31d3fea1
      C:\Windows\Syswow64\31d3fea1
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\31d3fea1"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1692
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          3⤵
          • Delays execution with timeout.exe
          PID:2020

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab5B3A.tmp
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Windows\Logs\ndadmin.exe
      Filesize

      73KB

      MD5

      9591977284a1e8acf240c96940bf94b9

      SHA1

      14235b0379e27e2a2c23e18c161a0efbd19053d0

      SHA256

      01dc74b6bdcfea76f6b2977923c21b14918736b5477dd17bf91f08e5f581563f

      SHA512

      ef351abf9da0220139f80e2da36f37271efc11f4858f3c3686c501bac81015f09390b1848412fb5974b620419accbd68f9952bfe97d5668f1730e37d3341c1be

      Download Submit

    • C:\Windows\SysWOW64\31d3fea1
      Filesize

      3.0MB

      MD5

      5727834a0edf30d2a5778fc6370eafd9

      SHA1

      a6fb3586a0af28a452fcac8b3257f8b00a821de0

      SHA256

      2b50e64961ff98f2b22d6e4c463a6064fe356def85b65e8f135110b4e6c31ed1

      SHA512

      654296564c03d5e2e55b4d7a7c31f18e9a54ff3be83b52c639d99176280692ac2ede5f3f49689d069c96068f060e30ddef7e50bb59720d286edd1e71c4857f8d

      Download Submit

    • C:\Windows\Syswow64\31d3fea1
      Filesize

      3.0MB

      MD5

      5727834a0edf30d2a5778fc6370eafd9

      SHA1

      a6fb3586a0af28a452fcac8b3257f8b00a821de0

      SHA256

      2b50e64961ff98f2b22d6e4c463a6064fe356def85b65e8f135110b4e6c31ed1

      SHA512

      654296564c03d5e2e55b4d7a7c31f18e9a54ff3be83b52c639d99176280692ac2ede5f3f49689d069c96068f060e30ddef7e50bb59720d286edd1e71c4857f8d

      Download Submit

    • C:\Windows\Temp\Tar6339.tmp
      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

      Download Submit

    • \Windows\Logs\ndadmin.exe
      Filesize

      73KB

      MD5

      9591977284a1e8acf240c96940bf94b9

      SHA1

      14235b0379e27e2a2c23e18c161a0efbd19053d0

      SHA256

      01dc74b6bdcfea76f6b2977923c21b14918736b5477dd17bf91f08e5f581563f

      SHA512

      ef351abf9da0220139f80e2da36f37271efc11f4858f3c3686c501bac81015f09390b1848412fb5974b620419accbd68f9952bfe97d5668f1730e37d3341c1be

      Download Submit

    • memory/420-50-0x0000000000910000-0x0000000000938000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1244-145-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-126-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-162-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-161-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-26-0x0000000006370000-0x0000000006467000-memory.dmp

      Filesize

      988KB

      Download

    • memory/1244-139-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-160-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-159-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-157-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-130-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-158-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-25-0x0000000002BC0000-0x0000000002BC3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1244-138-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-23-0x0000000002BC0000-0x0000000002BC3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1244-156-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-155-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-92-0x0000000006370000-0x0000000006467000-memory.dmp

      Filesize

      988KB

      Download

    • memory/1244-154-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-21-0x0000000002BC0000-0x0000000002BC3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1244-153-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-152-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-151-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-150-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-149-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-148-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-147-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-146-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-137-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-144-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-143-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-122-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-123-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-124-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-125-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-140-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-127-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-142-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-128-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-141-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-131-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-132-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-133-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-134-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-135-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1244-136-0x0000000002B80000-0x0000000002B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1728-0-0x0000000000850000-0x00000000008D9000-memory.dmp

      Filesize

      548KB

      Download

    • memory/1728-51-0x0000000000850000-0x00000000008D9000-memory.dmp

      Filesize

      548KB

      Download

    • memory/1728-41-0x0000000000850000-0x00000000008D9000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2712-110-0x0000000000A80000-0x0000000000B09000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2712-3-0x0000000000A80000-0x0000000000B09000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2712-45-0x0000000000A80000-0x0000000000B09000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2712-74-0x0000000000A80000-0x0000000000B09000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2840-116-0x00000000039B0000-0x0000000003A50000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2840-90-0x0000000037BC0000-0x0000000037BD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2840-117-0x0000000000570000-0x000000000057F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/2840-46-0x000007FEBFD80000-0x000007FEBFD90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2840-120-0x0000000000550000-0x0000000000555000-memory.dmp

      Filesize

      20KB

      Download

    • memory/2840-114-0x0000000000550000-0x0000000000551000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2840-113-0x0000000000410000-0x00000000004DB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2840-112-0x0000000000550000-0x0000000000551000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2840-111-0x0000000000410000-0x00000000004DB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2840-129-0x0000000001DB0000-0x0000000001DC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2840-93-0x0000000000910000-0x0000000000938000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2840-118-0x0000000000550000-0x0000000000551000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2840-119-0x0000000000550000-0x0000000000551000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2840-43-0x0000000000410000-0x00000000004DB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2840-47-0x0000000000410000-0x00000000004DB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2840-30-0x0000000000060000-0x0000000000123000-memory.dmp

      Filesize

      780KB

      Download

    • memory/2840-42-0x0000000000410000-0x00000000004DB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2840-37-0x0000000000160000-0x0000000000163000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2840-32-0x0000000000130000-0x0000000000131000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2840-176-0x0000000000550000-0x0000000000551000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2840-177-0x00000000039B0000-0x0000000003A50000-memory.dmp

      Filesize

      640KB

      Download