Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

7

18a333f048...61.exe

windows7-x64

8

18a333f048...61.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/10/2023, 22:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18a333f048ee9d4b2d4113e10e51f0768520910d5c0ee59d4772c8cf79151061.exe

  • Size

    70KB

  • MD5

    8fd329d690e0187aa4663e46c01d7e63

  • SHA1

    50fa42f9d544710f4db75fffd39e1636fc224944

  • SHA256

    18a333f048ee9d4b2d4113e10e51f0768520910d5c0ee59d4772c8cf79151061

  • SHA512

    3cc0ec5301b7dfa10d6fee9d9a4474b01c35b745ed0e9b93d59d005abe5239e465f51364ca259403dd63bb1c57677d5114fe56ef50f7a6aea7d1ed5498e5ac22

  • SSDEEP

    1536:5L5lxcQxgr9BcXzfGQz0/m4QdQiWC378JztYtfBpf4p7WtX4:blSQxgr9eXzd4/mxKIm+t3JI

Score
8/10
aspackv2bootkitpersistencespywarestealer

Malware Config

Signatures

  • Blocklisted process makes network request 8 IoCs
  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18a333f048ee9d4b2d4113e10e51f0768520910d5c0ee59d4772c8cf79151061.exe
    "C:\Users\Admin\AppData\Local\Temp\18a333f048ee9d4b2d4113e10e51f0768520910d5c0ee59d4772c8cf79151061.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&c:\wbsztfaqj.exe "C:\Users\Admin\AppData\Local\Temp\18a333f048ee9d4b2d4113e10e51f0768520910d5c0ee59d4772c8cf79151061.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:3668
      • \??\c:\wbsztfaqj.exe
        c:\wbsztfaqj.exe "C:\Users\Admin\AppData\Local\Temp\18a333f048ee9d4b2d4113e10e51f0768520910d5c0ee59d4772c8cf79151061.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4488
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\eitnl\ehqrq.dll",GetWindowClass c:\wbsztfaqj.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\eitnl\ehqrq.dll
    Filesize

    46KB

    MD5

    a3fd41430ddcaa55fde840788925406a

    SHA1

    dbdd87f5c1bbf6a6f44c2e2c4744675d5e4e75c2

    SHA256

    f57f9e54f4774c2b944fb070ae0c2a02cbb4b7686ab3207544c3ccaff0ff3dd9

    SHA512

    23109572cfc9a282ea3ec84d93bfe02303d27f365ad2d9f47f6234f91da14c64f80133cc5e49746dfcb65d2454b7e7c13eff59ba4bbc18e09d2fb1c630ba59c9

    Download Submit

  • C:\wbsztfaqj.exe
    Filesize

    70KB

    MD5

    f6b1884b9e1b9aea0555ed1c20c55d3b

    SHA1

    1bfd5fbe1d015998a512ff06dca72a0cdb0c3c86

    SHA256

    b24408ba30a2697818c77e74dbd539d4826429c7a562781a8fb8708836d90824

    SHA512

    52ddd6247c2913c99d5ebc357f2d414a156c5780803f02a836cf2a7afd667539ac00cdf155625db7d76c7764c190775aab26af97b2a4968a4caeb269492bd967

    Download Submit

  • \??\c:\eitnl\ehqrq.dll
    Filesize

    46KB

    MD5

    a3fd41430ddcaa55fde840788925406a

    SHA1

    dbdd87f5c1bbf6a6f44c2e2c4744675d5e4e75c2

    SHA256

    f57f9e54f4774c2b944fb070ae0c2a02cbb4b7686ab3207544c3ccaff0ff3dd9

    SHA512

    23109572cfc9a282ea3ec84d93bfe02303d27f365ad2d9f47f6234f91da14c64f80133cc5e49746dfcb65d2454b7e7c13eff59ba4bbc18e09d2fb1c630ba59c9

    Download Submit

  • \??\c:\wbsztfaqj.exe
    Filesize

    70KB

    MD5

    f6b1884b9e1b9aea0555ed1c20c55d3b

    SHA1

    1bfd5fbe1d015998a512ff06dca72a0cdb0c3c86

    SHA256

    b24408ba30a2697818c77e74dbd539d4826429c7a562781a8fb8708836d90824

    SHA512

    52ddd6247c2913c99d5ebc357f2d414a156c5780803f02a836cf2a7afd667539ac00cdf155625db7d76c7764c190775aab26af97b2a4968a4caeb269492bd967

    Download Submit

  • memory/1320-0-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1320-2-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1672-10-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1672-11-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1672-12-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4488-7-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download