Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

d5741238cc...43.exe

windows7-x64

8

d5741238cc...43.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    104s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2023, 08:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d5741238cca6ee1406994bfee08e81ab6497721764b38b5d694f0b21b6334e43.exe

  • Size

    3.0MB

  • MD5

    ab9c69160eb07b6010ebc0fb79201572

  • SHA1

    3ad1aa78b780f0b4324e857641d29ceb6c23308a

  • SHA256

    d5741238cca6ee1406994bfee08e81ab6497721764b38b5d694f0b21b6334e43

  • SHA512

    3f739750750abd09cf4bc24cfdc21639ec9c9f2f663aac79b5eac0966208565dc70706bfcfb9e4910dcfba67bae4b4aaab9e1bc66000208eb2fc42e164fe5e03

  • SSDEEP

    49152:D7TvfU+8X9GrNOsva5RbKhF3ANkTTlc9ugStSkDWYnh/8DPH:Q+8X9G3vP3AMakgSskDWihY

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 16 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5741238cca6ee1406994bfee08e81ab6497721764b38b5d694f0b21b6334e43.exe
    "C:\Users\Admin\AppData\Local\Temp\d5741238cca6ee1406994bfee08e81ab6497721764b38b5d694f0b21b6334e43.exe"
    1⤵
      PID:2284
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3476
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4480
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2316
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3468
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4904
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:1416
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1456
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:1508
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3508
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SendNotifyMessage
      PID:3236
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3892
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      PID:4996
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2424
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:3844
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:4444
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:3208
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:1576
      • C:\Windows\system32\werfault.exe
        werfault.exe /hc /shared Global\a88b4126072d41989564e9192ceef052 /t 3804 /p 4112
        1⤵
          PID:4416
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:3696
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:540
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
              PID:436
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
                PID:4404
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                  PID:1760
                • C:\Windows\explorer.exe
                  explorer.exe
                  1⤵
                    PID:4612
                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                    1⤵
                      PID:2924
                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                        PID:3880
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                        • Modifies Internet Explorer settings
                        • Modifies registry class
                        • Suspicious use of SetWindowsHookEx
                        PID:540
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        1⤵
                          PID:3788
                        • C:\Windows\explorer.exe
                          explorer.exe
                          1⤵
                            PID:772

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                            Filesize

                            471B

                            MD5

                            0085711bef17acad9eacf0bbf9bf3906

                            SHA1

                            20041eb81473c406da0ebfd7717231c0852ba344

                            SHA256

                            98c31705ae2dbde79cc8916db28c40c875597004ae24d94ac42433e0989d70a1

                            SHA512

                            3354239703701d843124bc466fd9794dd65ed766e4a1df64f784250292be3f24239a9e7156738d07a1c12316952cc1ee71ae9feba9b8fdbfb545e273ae871a6e

                            Download Submit

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                            Filesize

                            412B

                            MD5

                            baf25d6e25728de9e8a0672525291771

                            SHA1

                            256c0098760d4e021a24f8fd3efc9990f6dfbf16

                            SHA256

                            7556735b057cf1486890f1409c339f125ba387b3389c8f1780b41adbff8aa02c

                            SHA512

                            48e57c9567f9eaf34068d4fab020af72fd92c805c4a58d678b7664cb33d2e9d6657db9bd043cb31e2c040ba51d4410d149a0bf7ef3d7d9e2eb3462f53fa095b0

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ANTV7B43\microsoft.windows[1].xml
                            Filesize

                            96B

                            MD5

                            4114b63fafc98d9307dc8bfae1c379cd

                            SHA1

                            8959adf99facaf14c6be813470286c448b0e0b44

                            SHA256

                            f93f1cffd4688bc4cd9e3dfb2ee84a1f53f40d966cab8542c5863906faaf197f

                            SHA512

                            51eb95339b914b6674922ad2635a193ae1fb1d008c35f03cc8664c46e4f124389a884d7854268c90ac7883102f9a98483e0019a269070b7d6a96fcc70c937723

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
                            Filesize

                            21KB

                            MD5

                            e27d3649bf52615e28fa272414b6ba2a

                            SHA1

                            94eb904871f7d9b9adfd02f05bd1fce5194de5dd

                            SHA256

                            8e964683e557cead660242ee93161fb581a591b91b8d893fe353cbfeb1531bb7

                            SHA512

                            e81e26aa05e0dea8bb24b626c2f8c5d31d34ada0cb23e261fa95f320165b808f6fe39430680074bbb7da72c0cacd33cfe513829b3386d9386b6ef6d46cfc72e2

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
                            Filesize

                            21KB

                            MD5

                            e27d3649bf52615e28fa272414b6ba2a

                            SHA1

                            94eb904871f7d9b9adfd02f05bd1fce5194de5dd

                            SHA256

                            8e964683e557cead660242ee93161fb581a591b91b8d893fe353cbfeb1531bb7

                            SHA512

                            e81e26aa05e0dea8bb24b626c2f8c5d31d34ada0cb23e261fa95f320165b808f6fe39430680074bbb7da72c0cacd33cfe513829b3386d9386b6ef6d46cfc72e2

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ANTV7B43\microsoft.windows[1].xml
                            Filesize

                            96B

                            MD5

                            4114b63fafc98d9307dc8bfae1c379cd

                            SHA1

                            8959adf99facaf14c6be813470286c448b0e0b44

                            SHA256

                            f93f1cffd4688bc4cd9e3dfb2ee84a1f53f40d966cab8542c5863906faaf197f

                            SHA512

                            51eb95339b914b6674922ad2635a193ae1fb1d008c35f03cc8664c46e4f124389a884d7854268c90ac7883102f9a98483e0019a269070b7d6a96fcc70c937723

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ANTV7B43\microsoft.windows[1].xml
                            Filesize

                            96B

                            MD5

                            4114b63fafc98d9307dc8bfae1c379cd

                            SHA1

                            8959adf99facaf14c6be813470286c448b0e0b44

                            SHA256

                            f93f1cffd4688bc4cd9e3dfb2ee84a1f53f40d966cab8542c5863906faaf197f

                            SHA512

                            51eb95339b914b6674922ad2635a193ae1fb1d008c35f03cc8664c46e4f124389a884d7854268c90ac7883102f9a98483e0019a269070b7d6a96fcc70c937723

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ANTV7B43\microsoft.windows[1].xml
                            Filesize

                            96B

                            MD5

                            4114b63fafc98d9307dc8bfae1c379cd

                            SHA1

                            8959adf99facaf14c6be813470286c448b0e0b44

                            SHA256

                            f93f1cffd4688bc4cd9e3dfb2ee84a1f53f40d966cab8542c5863906faaf197f

                            SHA512

                            51eb95339b914b6674922ad2635a193ae1fb1d008c35f03cc8664c46e4f124389a884d7854268c90ac7883102f9a98483e0019a269070b7d6a96fcc70c937723

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ANTV7B43\microsoft.windows[1].xml
                            Filesize

                            96B

                            MD5

                            4114b63fafc98d9307dc8bfae1c379cd

                            SHA1

                            8959adf99facaf14c6be813470286c448b0e0b44

                            SHA256

                            f93f1cffd4688bc4cd9e3dfb2ee84a1f53f40d966cab8542c5863906faaf197f

                            SHA512

                            51eb95339b914b6674922ad2635a193ae1fb1d008c35f03cc8664c46e4f124389a884d7854268c90ac7883102f9a98483e0019a269070b7d6a96fcc70c937723

                            Download Submit

                          • memory/436-85-0x0000000004980000-0x0000000004981000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/540-70-0x000001DB98160000-0x000001DB98180000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/540-74-0x000001DB98570000-0x000001DB98590000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/540-72-0x000001DB98120000-0x000001DB98140000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/1456-16-0x00000000041A0000-0x00000000041A1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1576-62-0x0000000004C50000-0x0000000004C51000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1760-95-0x0000025B033E0000-0x0000025B03400000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/1760-93-0x0000025B03620000-0x0000025B03640000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/1760-97-0x0000025B039F0000-0x0000025B03A10000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3508-26-0x000001B8A6C50000-0x000001B8A6C70000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3508-24-0x000001B8A6640000-0x000001B8A6660000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3508-23-0x000001B8A6680000-0x000001B8A66A0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3844-51-0x0000023786E60000-0x0000023786E80000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3844-48-0x0000023786850000-0x0000023786870000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3844-46-0x0000023786890000-0x00000237868B0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3880-118-0x0000026AF8020000-0x0000026AF8040000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3880-122-0x0000026AF83E0000-0x0000026AF8400000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3880-120-0x0000026AF7DD0000-0x0000026AF7DF0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/4612-110-0x0000000002D60000-0x0000000002D61000-memory.dmp

                            Filesize

                            4KB

                            Download