Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

36f66b4a07...f9.exe

windows7-x64

10

36f66b4a07...f9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2023, 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe

  • Size

    1.4MB

  • MD5

    c3a778773d111438753b04f1fdd1c015

  • SHA1

    178ed102913cb579e567aa3e80ed1638e37b93d0

  • SHA256

    36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9

  • SHA512

    a8b081ef60acb557e9973b26f7e7e999421283c3008770c67128400cec0fb819999e9e0aad9a494eea8bda8121fa9d8b5a24a1372ffa6d06f1c22d11f1edc6bd

  • SSDEEP

    12288:DSvO2x9mONvKRhLSFROkx2LIaCy+Bg0tmyyyI:2vO2xJKRh2bOkx2LFV+Bg6M

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 26 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
      • C:\Windows\Logs\bthudtask.exe
        "C:\Windows\Logs\bthudtask.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3488
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Users\Admin\AppData\Local\Temp\36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe
        "C:\Users\Admin\AppData\Local\Temp\36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe"
        2⤵
        • Checks computer location settings
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4496
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:916
    • C:\Windows\Syswow64\bfaca392
      C:\Windows\Syswow64\bfaca392
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5004
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\bfaca392"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3992
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          3⤵
          • Delays execution with timeout.exe
          PID:4428

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\834c231e.tmp
      Filesize

      11.6MB

      MD5

      5244c87dbafa1f764b258766005dea73

      SHA1

      84cb8b4fb3e0910cfecfb31b6fa54c16d940e703

      SHA256

      077035f93ddc3ac5a8b5631d43826baf7722256eb1c4716b3c2567f07379bc40

      SHA512

      54d64d32e73e2752cdf9a110db17ad64574eb072df0ed0dc34a7e4bc469c03aa79ef7d45465e279ef85d5fc6b33a1b750b181476cdea7ea98898ddba9aa60438

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\83553ba8.tmp
      Filesize

      14.8MB

      MD5

      b1057fccc9bf7a0976c173bed8c7e2a0

      SHA1

      fa7023b9e81f80adf10721ae995ec07ba0edd2f2

      SHA256

      3ee17398c1784dac54e2a218aacf3e64819dab2e809040ffc261d0444e768582

      SHA512

      04d4e64b137163ff9ffa8692495a2f91d80340ee6470c987e4413be3774ca5b344db8ea69d110642e10017e7868a086086f297441f3bc91038dee942d2b84a12

      Download Submit

    • C:\Windows\Logs\bthudtask.exe
      Filesize

      39KB

      MD5

      4dcd6fcabf20fbc8bfb11a9f6e4b77f0

      SHA1

      233eac2bed59b8fe167c1501ac3fda48b32a1b0c

      SHA256

      cf5ae95c9fdafe5f0cc9d7010412e84502fe66ad60f57dfdf68735b9315ff444

      SHA512

      b4293a438ba9d41e446bfb1bca3a4df4ab009882b7df2eda61607cfef77a397f6ae3c3532dc1addaa9553a0bc9f3e756d3ac377a69cf1ae537638f618e666ea3

      Download Submit

    • C:\Windows\Logs\bthudtask.exe
      Filesize

      39KB

      MD5

      4dcd6fcabf20fbc8bfb11a9f6e4b77f0

      SHA1

      233eac2bed59b8fe167c1501ac3fda48b32a1b0c

      SHA256

      cf5ae95c9fdafe5f0cc9d7010412e84502fe66ad60f57dfdf68735b9315ff444

      SHA512

      b4293a438ba9d41e446bfb1bca3a4df4ab009882b7df2eda61607cfef77a397f6ae3c3532dc1addaa9553a0bc9f3e756d3ac377a69cf1ae537638f618e666ea3

      Download Submit

    • C:\Windows\SysWOW64\bfaca392
      Filesize

      1.4MB

      MD5

      066619ca99a6c0b4dda60111aecc1fec

      SHA1

      852e4d240187835029d3b2086256553f249d9b25

      SHA256

      5f2a20bfcd6b14b4dcabac8f10df9bf768bfd7bcc0f62be314a1e57c3b75eb3b

      SHA512

      5004f11d39dcf5a2cf132d78f9325041c4148ab4d2192e43f3e8ea6a479569a4fae99e083490e635deddac995147ec75b71355c73f514f32cc928dcb40491855

      Download Submit

    • C:\Windows\SysWOW64\bfaca392
      Filesize

      1.4MB

      MD5

      066619ca99a6c0b4dda60111aecc1fec

      SHA1

      852e4d240187835029d3b2086256553f249d9b25

      SHA256

      5f2a20bfcd6b14b4dcabac8f10df9bf768bfd7bcc0f62be314a1e57c3b75eb3b

      SHA512

      5004f11d39dcf5a2cf132d78f9325041c4148ab4d2192e43f3e8ea6a479569a4fae99e083490e635deddac995147ec75b71355c73f514f32cc928dcb40491855

      Download Submit

    • memory/612-70-0x000001B006E60000-0x000001B006E61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/612-31-0x000001B006E20000-0x000001B006E48000-memory.dmp

      Filesize

      160KB

      Download

    • memory/612-29-0x000001B006E10000-0x000001B006E13000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2788-24-0x00000000000F0000-0x000000000017C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/2788-38-0x00000000000F0000-0x000000000017C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/2788-0-0x00000000000F0000-0x000000000017C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/3096-10-0x0000000001300000-0x0000000001303000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3096-15-0x0000000001320000-0x0000000001321000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3096-62-0x0000000008960000-0x0000000008A59000-memory.dmp

      Filesize

      996KB

      Download

    • memory/3096-14-0x0000000008960000-0x0000000008A59000-memory.dmp

      Filesize

      996KB

      Download

    • memory/3096-12-0x0000000001300000-0x0000000001303000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3096-13-0x0000000001300000-0x0000000001303000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3488-63-0x000002179B3D0000-0x000002179B3D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3488-75-0x000002179BF90000-0x000002179C155000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3488-61-0x00007FFEA16B0000-0x00007FFEA16C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3488-98-0x000002179BF90000-0x000002179C155000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3488-26-0x00007FFEA16B0000-0x00007FFEA16C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3488-20-0x0000021799440000-0x0000021799443000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3488-68-0x0000021799700000-0x00000217997CB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/3488-69-0x00000217996D0000-0x00000217996D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3488-21-0x0000021799700000-0x00000217997CB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/3488-71-0x000002179B5F0000-0x000002179B5F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3488-72-0x000002179B3D0000-0x000002179B3D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3488-73-0x000002179B5F0000-0x000002179B5F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3488-74-0x000002179B5F0000-0x000002179B5F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3488-27-0x00000217996D0000-0x00000217996D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3488-77-0x000002179BDB0000-0x000002179BDB2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3488-76-0x000002179B5F0000-0x000002179B5F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3488-78-0x000002179B600000-0x000002179B601000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3488-79-0x000002179BED0000-0x000002179BF0E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3488-80-0x000002179B610000-0x000002179B611000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3488-81-0x000002179BED0000-0x000002179BED1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3488-23-0x0000021799700000-0x00000217997CB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/3488-83-0x000002179BF90000-0x000002179C155000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3488-84-0x000002179BDB0000-0x000002179BDB2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3488-85-0x000002179BED0000-0x000002179BF0E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5004-67-0x0000000000950000-0x00000000009DC000-memory.dmp

      Filesize

      560KB

      Download

    • memory/5004-3-0x0000000000950000-0x00000000009DC000-memory.dmp

      Filesize

      560KB

      Download

    • memory/5004-25-0x0000000000950000-0x00000000009DC000-memory.dmp

      Filesize

      560KB

      Download