Analysis

  • max time kernel
    145s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2023, 05:25

General

  • Target

    c3cd752cc8c2a83189d4f05cd0bdeef6b8252fb7b2223336af6296dacbacee43.exe

  • Size

    192KB

  • MD5

    712178dd39c6381a5c36c23658dcaad4

  • SHA1

    e00af9b1f82cf038b2596e3e35171b6cb5393e59

  • SHA256

    c3cd752cc8c2a83189d4f05cd0bdeef6b8252fb7b2223336af6296dacbacee43

  • SHA512

    9e7ad4d633c665b831ed7619bcad95a04debec4d05f31bcb3136f31474b802113b10306c2b4be3427eef0e9542b60fef58c7c3d5c25d0bc13cbac0d29f7147f7

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOY:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXR

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3cd752cc8c2a83189d4f05cd0bdeef6b8252fb7b2223336af6296dacbacee43.exe
    "C:\Users\Admin\AppData\Local\Temp\c3cd752cc8c2a83189d4f05cd0bdeef6b8252fb7b2223336af6296dacbacee43.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C3CD75~1.EXE > nul
      2⤵
        PID:3132
    • C:\Windows\Debug\nkmhost.exe
      C:\Windows\Debug\nkmhost.exe
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:3216

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\Debug\nkmhost.exe

      Filesize

      192KB

      MD5

      ebdf6d9d2932e9fa30cab77ac2d5b4c3

      SHA1

      285f94be965b03086991b19522569ec488cbf147

      SHA256

      0061ce496e76bd1e398cf6ed3e60d591aabd093cebc100307061260b1437b94e

      SHA512

      9ffd3d3fdd84e550697b85a4b7a09050f04c8e8fb86acdd911235024d67fb4652d485be3d086ac086642ad97034a400fc0d5f0a7ef31772631e8f4cb8c722ce1

    • C:\Windows\debug\nkmhost.exe

      Filesize

      192KB

      MD5

      ebdf6d9d2932e9fa30cab77ac2d5b4c3

      SHA1

      285f94be965b03086991b19522569ec488cbf147

      SHA256

      0061ce496e76bd1e398cf6ed3e60d591aabd093cebc100307061260b1437b94e

      SHA512

      9ffd3d3fdd84e550697b85a4b7a09050f04c8e8fb86acdd911235024d67fb4652d485be3d086ac086642ad97034a400fc0d5f0a7ef31772631e8f4cb8c722ce1