Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

eef7b8bf3d...d3.exe

windows7-x64

7

eef7b8bf3d...d3.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    194s
  • max time network
    215s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2023, 02:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe

  • Size

    203KB

  • MD5

    ca2a3f209be25a8ebb65bda3979d1ac7

  • SHA1

    d888b31a18e0dca50fdc7f878f864a6c1ec5d5fe

  • SHA256

    eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3

  • SHA512

    f574324a7f58d6ffee5b02760ca6038e6567df991da67eba1780e06e8b2f893f3a7952ded57f842f9717ceaf55874d3bfa410846fa4e0c4ffa429382144855c8

  • SSDEEP

    6144:Dz1xOecgEnOxUwWz1w4mcH+dZvF4lBFusBQY:31seJzWz1l+LIp

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe
    "C:\Users\Admin\AppData\Local\Temp\eef7b8bf3ddd199f5f3b864dbd01922d16cc4b754d0635689088e73f9e6c0ed3.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\SysWOW64\cmdl32.exe
      "C:\Windows\SysWOW64\cmdl32.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Windows\SysWOW64\dfrgui.exe
        "C:\Windows\SysWOW64\dfrgui.exe"
        3⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1936
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EEF7B8~1.EXE > nul
      2⤵
        PID:1044
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
      1⤵
      • Modifies data under HKEY_USERS
      PID:2204

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\WindowSystemNewUpdate47.log
      Filesize

      5KB

      MD5

      97d2654667f305be617e1618efa2c8a2

      SHA1

      cb8bd70e75e984ffab4d21a01b9b259361ca00b2

      SHA256

      b0f3f781fdd264f8f663e5a0692ecd18b1e36ab86cfee5dda35d00ff688544e0

      SHA512

      42f57a604384242885262c856de85b42930cf0322de4b9251ec95e2e6bae9b327accd2080541159307473afbb6d2602f5491bdf5695aee4738a211ca9773f5cb

      Download Submit

    • memory/764-58-0x0000000002C70000-0x0000000002CD7000-memory.dmp

      Filesize

      412KB

      Download

    • memory/764-4-0x0000000000820000-0x0000000000887000-memory.dmp

      Filesize

      412KB

      Download

    • memory/764-6-0x0000000000DB0000-0x0000000000DCB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/764-8-0x0000000000DB0000-0x0000000000DCB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/764-9-0x0000000000DB0000-0x0000000000DCB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/764-10-0x0000000010000000-0x0000000010057000-memory.dmp

      Filesize

      348KB

      Download

    • memory/764-158-0x0000000000A00000-0x0000000000A01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/764-140-0x00000000009F0000-0x00000000009F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/764-157-0x00000000009F0000-0x00000000009F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/764-40-0x0000000003710000-0x0000000003BFB000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/764-49-0x0000000000E10000-0x0000000000E48000-memory.dmp

      Filesize

      224KB

      Download

    • memory/764-141-0x0000000000A00000-0x0000000000A01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1936-136-0x0000000000E90000-0x0000000000EB4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1936-131-0x0000000010000000-0x00000000105F8000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/1936-118-0x0000000010000000-0x00000000105F8000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/1936-112-0x0000000000F50000-0x0000000000F6B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1936-114-0x0000000000F50000-0x0000000000F6B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1936-115-0x0000000000F50000-0x0000000000F6B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1936-109-0x0000000000E90000-0x0000000000EB4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1936-102-0x00000000008A0000-0x00000000008BF000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1936-133-0x0000000010000000-0x00000000105F8000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/1936-135-0x0000000010000000-0x00000000105F8000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/1936-107-0x0000000001010000-0x0000000001614000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/1936-151-0x0000000010000000-0x00000000105F8000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/1936-152-0x0000000010000000-0x00000000105F8000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/1936-148-0x0000000010000000-0x00000000105F8000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2204-142-0x000002052B480000-0x000002052B4AB000-memory.dmp

      Filesize

      172KB

      Download

    • memory/2204-144-0x000002052B480000-0x000002052B4AB000-memory.dmp

      Filesize

      172KB

      Download

    • memory/2204-139-0x0000000000C30000-0x0000000000C55000-memory.dmp

      Filesize

      148KB

      Download

    • memory/2204-159-0x000002052B480000-0x000002052B4AB000-memory.dmp

      Filesize

      172KB

      Download

    • memory/2288-0-0x00000000008A0000-0x0000000000937000-memory.dmp

      Filesize

      604KB

      Download

    • memory/2288-30-0x00000000008A0000-0x0000000000937000-memory.dmp

      Filesize

      604KB

      Download

    • memory/2288-23-0x00000000008A0000-0x0000000000937000-memory.dmp

      Filesize

      604KB

      Download

    • memory/2288-21-0x00000000008A0000-0x0000000000937000-memory.dmp

      Filesize

      604KB

      Download

    • memory/2288-1-0x00000000008A0000-0x0000000000937000-memory.dmp

      Filesize

      604KB

      Download