Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

7

ed474e7b1a...5a.exe

windows7-x64

8

ed474e7b1a...5a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/10/2023, 17:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe

  • Size

    274KB

  • MD5

    39bd4507e22dd521757969971a05a33b

  • SHA1

    1183e86495850692d5f012eb0181e9fc0acf2eae

  • SHA256

    ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a

  • SHA512

    b926ee636e3f85d170fec75549faf615f6218e4d2c3e87e38faa5707a020ee69b821a2557d88860d5f9604c9580d0cb4d155a5e986795a9488960244be5b5996

  • SSDEEP

    6144:bbTirrfykiiUjh6QH/cEOkCybEaQRXr9HNdvOa:bPcrfR6ZnOkx2LIa

Score
8/10
upxvmprotect

Malware Config

Signatures

  • Drops file in Drivers directory 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 6 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:596
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1020
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Drops file in Drivers directory
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3228
      • C:\Users\Admin\AppData\Local\Temp\ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe
        "C:\Users\Admin\AppData\Local\Temp\ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe"
        2⤵
        • Checks computer location settings
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3600
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:1996

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A
      Filesize

      2KB

      MD5

      20a6c9ee4e457267adf58889fb1dd617

      SHA1

      6cb2beebd527ed5f77a13228f93eec7af88b822e

      SHA256

      45be093d2a1d3beb6db08a3e71cfba063736edd92a18302cf5f6fefc13bfab3b

      SHA512

      d4ff64a5b7af4119c739e605a1dc7710175090ae8363b2e73976bea8555e07e63380255a534b3389e61a3e7e6a1cc67b969e2f912d6978e45d39243455114e28

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      1KB

      MD5

      2a61a3d0f5beb7727441b0e010c30d7d

      SHA1

      2dc8b67f13196d3a658d79c9c575bf0a0b75da15

      SHA256

      8f97e861acd3950fde5361476dd989039edff251a00b7de4df84cbacfa629a0d

      SHA512

      d29a461cd7c4746015684c9213a72748d5440191b4b9f07209723e0b8e2b59f11cafe4b87acd123d2987ed1990d3204402f69b7f78f8607782c441efb307a12a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4
      Filesize

      599B

      MD5

      1cf46555b125f8cc867f47959d154a8f

      SHA1

      bb50ee9a070c5aa2c6eb8787d3cc2493f898a67e

      SHA256

      6229116ce9e3c490303c8c3e136280af7f790b1f89a3e908587e4152783c5b73

      SHA512

      cfdaa0fa8a2cf07483c07a4f9da5bf3b78a49bfc209505b674264ceafb7c08a78249dabd7114f366123b5a1fa227f8ddbabf4dfe903573bd4e539c5102f4f6ba

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A
      Filesize

      484B

      MD5

      6491f63d9bca674fb59086b41a0d8d00

      SHA1

      3b7847268912cf2bb00d947866042878ed2a9363

      SHA256

      243f46ad82fbb0d3f376ec52819582523fc8b3480ac2819a2bc8cde72003f840

      SHA512

      b652139d47d4c9c43986191d8c129b078f73a7651b511de4ba36fa1aa791a90ec2ad84148bb6954846acf3d05535b401b43be74c1cc7ae2cc9262437411a236a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      482B

      MD5

      cf18452fe138ec0f85d6c7364ab07f3f

      SHA1

      9c1fcce77f52100b4a1a4d2ecb80b0d049fc79f8

      SHA256

      adf1fe40a493b22412f0caa09754f90aa907d0c655c1be32bb9881bbd9cd2727

      SHA512

      b09a1537a7c7d40b076e96e0d70c8bb25848ec8e8dee5c9cfec93e8ab91af1d256fd3170ee4c39c231e9fc4b6437d34e4a35bedbc30f5ce9ade9814f4687e037

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4
      Filesize

      504B

      MD5

      801aa45435ea78d5ef42ec3b64ef335b

      SHA1

      2b5d43af57401c24e2925164be91364a0b1e1b41

      SHA256

      7959d8dbc977f737ce89dae4b79af5df26fe6ec277a6b9d29760aebf02573beb

      SHA512

      499a1e29a2ff81fe05bb8abf3f469d7ff05770fff122979b0d08102a5bb52e25f2be86a64dbd94ac425cbb9dce42731bb5ceb79d9482b16e41ba8d55f9c159e4

      Download Submit

    • C:\Windows\1cBk47pW7no.sys
      Filesize

      447KB

      MD5

      c067e740e28bca4a142e050bd7c99c3e

      SHA1

      c80f128d80e62680a229f3d148059098f6084459

      SHA256

      77d55bfb2ebb9cbe7a70a8f29aedb4faf8aa417fbb7e715e72844914e56b4c06

      SHA512

      d5e654534ac8720fc01f88ee4c62863d47994929b7401eebf7584e6d407d853132dae41f8a718acd5a9600735659aef00cdbf2a0bfeb0134b10a8ecf387c5659

      Download Submit

    • C:\Windows\B0N0TaDKYw.sys
      Filesize

      415KB

      MD5

      8bed3af00177017f96ed5ade4634ecd7

      SHA1

      1a5b72fc80c5114662fa2117a367007d9be87902

      SHA256

      f1b5069aa1ddac8955198606a044b7e504fc31bbe6b9ef959183bef18d324a09

      SHA512

      a97818f012d894b3bd7789973cb3e4d56de3b48c349a9ea206df90a35d1d6b2fc40bb628874c7b52b4599ced94963072c5aff62a398e2375ab6a9618f97c9b65

      Download Submit

    • C:\Windows\fauxD4FBLoy37g.sys
      Filesize

      447KB

      MD5

      d15f5f23df8036bd5089ce8d151b0e0d

      SHA1

      4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

      SHA256

      f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

      SHA512

      feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

      Download Submit

    • C:\Windows\uIV3YtATr12Lcl.sys
      Filesize

      415KB

      MD5

      64bc1983743c584a9ad09dacf12792e5

      SHA1

      0f14098f523d21f11129c4df09451413ddff6d61

      SHA256

      057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

      SHA512

      9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

      Download Submit

    • memory/596-37-0x000002A7B6F30000-0x000002A7B6F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/596-38-0x000002A7B6E10000-0x000002A7B6E38000-memory.dmp

      Filesize

      160KB

      Download

    • memory/596-35-0x000002A7B6E00000-0x000002A7B6E03000-memory.dmp

      Filesize

      12KB

      Download

    • memory/596-59-0x000002A7B6F30000-0x000002A7B6F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1020-202-0x0000028456FF0000-0x0000028456FF3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1020-209-0x0000028457010000-0x00000284570BF000-memory.dmp

      Filesize

      700KB

      Download

    • memory/1020-208-0x00000284570D0000-0x00000284570D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1020-205-0x0000028457010000-0x00000284570BF000-memory.dmp

      Filesize

      700KB

      Download

    • memory/1020-204-0x00000284570D0000-0x00000284570D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1020-203-0x0000028456FF0000-0x0000028456FF3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1976-39-0x00000000008D0000-0x000000000095C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/1976-56-0x00000000008D0000-0x000000000095C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/1976-0-0x00000000008D0000-0x000000000095C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/1976-22-0x00000000008D0000-0x000000000095C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/1976-3-0x00000000008D0000-0x000000000095C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/1976-7-0x00000000008D0000-0x000000000095C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/1976-19-0x00000000008D0000-0x000000000095C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/3228-70-0x0000000000A70000-0x0000000000A71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3228-74-0x0000000000A70000-0x0000000000A71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3228-33-0x0000000007110000-0x00000000071C1000-memory.dmp

      Filesize

      708KB

      Download

    • memory/3228-32-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3228-30-0x0000000000AC0000-0x0000000000AC3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3228-29-0x0000000007110000-0x00000000071C1000-memory.dmp

      Filesize

      708KB

      Download

    • memory/3228-190-0x0000000000A70000-0x0000000000A71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3228-191-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3228-192-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3228-28-0x0000000000AC0000-0x0000000000AC3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3228-26-0x0000000000AC0000-0x0000000000AC3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3228-76-0x0000000000B00000-0x0000000000B01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3228-75-0x0000000000A70000-0x0000000000A71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3228-77-0x0000000008D30000-0x0000000008DDF000-memory.dmp

      Filesize

      700KB

      Download

    • memory/3228-71-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3228-199-0x0000000008D30000-0x0000000008DDF000-memory.dmp

      Filesize

      700KB

      Download

    • memory/3228-200-0x0000000000B00000-0x0000000000B01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3228-72-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3228-201-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3228-73-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3228-31-0x00007FFA6C1F0000-0x00007FFA6C200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3228-69-0x00007FFA6C1F0000-0x00007FFA6C200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3228-207-0x0000000008DE0000-0x0000000008DE4000-memory.dmp

      Filesize

      16KB

      Download

    • memory/3228-206-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3228-58-0x0000000007110000-0x00000000071C1000-memory.dmp

      Filesize

      708KB

      Download

    • memory/3228-57-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3228-210-0x00007FF6D52B0000-0x00007FF6D52B1000-memory.dmp

      Filesize

      4KB

      Download