Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

8277a28b42...b4.exe

windows7-x64

8

8277a28b42...b4.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    33s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2023, 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8277a28b42eb820b6003c4e08d0053b4.exe

  • Size

    6.9MB

  • MD5

    8277a28b42eb820b6003c4e08d0053b4

  • SHA1

    968b66c72bb65214cfd57af1ae9eda086a5fbc17

  • SHA256

    6f2129b1e154ac4e59778563467a9eac91912d9dc03aa6ab5bfe88cf58dd033b

  • SHA512

    116d87e23f64eeb8b917f79408479e348c474097f10a89aff09dc8c8be4ebbe58238bf77252442a667463a6652f0452a8fc06c75925af1a1e91d291a3c59eff3

  • SSDEEP

    196608:1OsgMzFzZ/4pz/8X7yuP20nAEhYuz0gUTqfk2S+:1O/M9ZQRYyuhAAYuQTW82S+

Score
8/10
persistence

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 50 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8277a28b42eb820b6003c4e08d0053b4.exe
    "C:\Users\Admin\AppData\Local\Temp\8277a28b42eb820b6003c4e08d0053b4.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\ProgramData\Remote Utilities\Backup\Silverlight.Configuration.exe
      "C:\ProgramData\Remote Utilities\Backup\Silverlight.Configuration.exe" f
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3668
      • C:\ProgramData\Remote Utilities\Backup\WUDFHost.exe
        "C:\ProgramData\Remote Utilities\Backup\WUDFHost.exe"
        3⤵
        • Sets DLL path for service in the registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3128
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c powershell.exe -command Add-MpPreference -ExclusionPath "C:\ProgramData\Remote Utilities\Backup"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3772
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command Add-MpPreference -ExclusionPath "C:\ProgramData\Remote Utilities\Backup"
            5⤵
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1680
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "WUDFHostController" -svcr "WUDFHost.exe" -s WUDFHostController
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:4104

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Remote Utilities\Backup\MSIMG32.dll
    Filesize

    103KB

    MD5

    9e20a938438c276ee36acecef977364b

    SHA1

    288816e2f027075966d0a8b86387ff7fc5f89e80

    SHA256

    a1b6b6d949a861237aa8a4972e6e41dc1ed5b82df7d0c8c371edae199fda85da

    SHA512

    424c7bd662d63357650bc9cfa465ce62da9c09213601561021785666e25da6ef2a71cb2886c071450a5887830137f481ff37e887438e3b43dd35816c90f694cb

    Download Submit

  • C:\ProgramData\Remote Utilities\Backup\MSIMG32.dll
    Filesize

    820.1MB

    MD5

    d0cd39f988fb6694d8a59e0afe8627f5

    SHA1

    49227ab4aed6aad36ce2c82357054eb7c8936947

    SHA256

    d9132456691cf68a153202d4e1dc9920a70565aeef8eb011f1d600082ff394e8

    SHA512

    95c9f731543b327275b5f50688f22d7b474e6bc6963a45c12a9db017c75d6d4fee052d23fce358fd8b6793797f789fe31dd28e12e3b44b0b913c66550477e824

    Download Submit

  • C:\ProgramData\Remote Utilities\Backup\MSIMG32.dll
    Filesize

    700.5MB

    MD5

    094f4360937ccf38db39e01e8b261029

    SHA1

    5da41036e51a17a8a1e8e0a865b26e1f10a460c6

    SHA256

    b70e798b5768c5582f0d07819c59ddc54bd083c126dded386987489234c18c65

    SHA512

    9a6219c6825e75e182ad439b33e465bc0010315e12138ab0c458db37900426c561edd94b44b14515a8ede05e6d0117c9921ffa7a8f155275464fd348ea5523ba

    Download Submit

  • C:\ProgramData\Remote Utilities\Backup\Silverlight.Configuration.exe
    Filesize

    231KB

    MD5

    17e40315660830aa625483bbf608730c

    SHA1

    c8f5825499315eaf4b5046ff79ac9553e71ad1c0

    SHA256

    f11009988b813821857c8d2db0f88e1d45b20762f62a3cf432339f352b12cefe

    SHA512

    0a3468dcff23ccb2458a8241388b7092d0711a4ebb491d5d8141cc352db8008fc6afc9af1e668104ac657fb4b3651ebcfdf1575557ff918d0f0905cd88c59e85

    Download Submit

  • C:\ProgramData\Remote Utilities\Backup\Silverlight.Configuration.exe
    Filesize

    231KB

    MD5

    17e40315660830aa625483bbf608730c

    SHA1

    c8f5825499315eaf4b5046ff79ac9553e71ad1c0

    SHA256

    f11009988b813821857c8d2db0f88e1d45b20762f62a3cf432339f352b12cefe

    SHA512

    0a3468dcff23ccb2458a8241388b7092d0711a4ebb491d5d8141cc352db8008fc6afc9af1e668104ac657fb4b3651ebcfdf1575557ff918d0f0905cd88c59e85

    Download Submit

  • C:\ProgramData\Remote Utilities\Backup\Silverlight.Configuration.exe
    Filesize

    231KB

    MD5

    17e40315660830aa625483bbf608730c

    SHA1

    c8f5825499315eaf4b5046ff79ac9553e71ad1c0

    SHA256

    f11009988b813821857c8d2db0f88e1d45b20762f62a3cf432339f352b12cefe

    SHA512

    0a3468dcff23ccb2458a8241388b7092d0711a4ebb491d5d8141cc352db8008fc6afc9af1e668104ac657fb4b3651ebcfdf1575557ff918d0f0905cd88c59e85

    Download Submit

  • C:\ProgramData\Remote Utilities\Backup\WUDFHost.exe
    Filesize

    19.8MB

    MD5

    31c0bafc3f6e6c7322a7a32ac1bd87da

    SHA1

    42fd1a41e1eef5998de674ec068c702f1ee3b4f3

    SHA256

    f2a5023cd559597a1b70a7e02345fb9c80b740377fcf7341d5df2d462efafda5

    SHA512

    ab8dcda75a2e9c4d7dfcc23e76b3ca76b4ec5f1fbf24007bf0e9707de17461c5016ec9005dae3f62e34f586452aa145871d371536572365b35bf33b43a8d24ab

    Download Submit

  • C:\ProgramData\Remote Utilities\Backup\WUDFHost.exe
    Filesize

    19.8MB

    MD5

    31c0bafc3f6e6c7322a7a32ac1bd87da

    SHA1

    42fd1a41e1eef5998de674ec068c702f1ee3b4f3

    SHA256

    f2a5023cd559597a1b70a7e02345fb9c80b740377fcf7341d5df2d462efafda5

    SHA512

    ab8dcda75a2e9c4d7dfcc23e76b3ca76b4ec5f1fbf24007bf0e9707de17461c5016ec9005dae3f62e34f586452aa145871d371536572365b35bf33b43a8d24ab

    Download Submit

  • C:\ProgramData\Remote Utilities\Backup\libeay32.dll
    Filesize

    1.3MB

    MD5

    d9871a6ba02aacf3d51e6c168d9c6066

    SHA1

    42012a0116a9e8aed16c7298bd43cb1206a0f0cd

    SHA256

    7975ac81130ae8fe09caf6bef313c44fe064b67ed9205f0bd11ac165386e2f95

    SHA512

    ae9118dac893097cd0e388ce45ff76c26b99b1cc9aea59547cc1dedf00bfbaf575f3d05317fac2f3f8b5c97896f6080bea9a90425333dbf02013eb01a002e43f

    Download Submit

  • C:\ProgramData\Remote Utilities\Backup\libeay32.dll
    Filesize

    1.3MB

    MD5

    d9871a6ba02aacf3d51e6c168d9c6066

    SHA1

    42012a0116a9e8aed16c7298bd43cb1206a0f0cd

    SHA256

    7975ac81130ae8fe09caf6bef313c44fe064b67ed9205f0bd11ac165386e2f95

    SHA512

    ae9118dac893097cd0e388ce45ff76c26b99b1cc9aea59547cc1dedf00bfbaf575f3d05317fac2f3f8b5c97896f6080bea9a90425333dbf02013eb01a002e43f

    Download Submit

  • C:\ProgramData\Remote Utilities\Backup\msimg32.dll
    Filesize

    103KB

    MD5

    9e20a938438c276ee36acecef977364b

    SHA1

    288816e2f027075966d0a8b86387ff7fc5f89e80

    SHA256

    a1b6b6d949a861237aa8a4972e6e41dc1ed5b82df7d0c8c371edae199fda85da

    SHA512

    424c7bd662d63357650bc9cfa465ce62da9c09213601561021785666e25da6ef2a71cb2886c071450a5887830137f481ff37e887438e3b43dd35816c90f694cb

    Download Submit

  • C:\ProgramData\Remote Utilities\Backup\msimg32.dll
    Filesize

    736.2MB

    MD5

    c41fbd8a841321065e02dac5bd951159

    SHA1

    582582f8cffd800e2ae4de598981169447bd9310

    SHA256

    d76b6137d16f6ce95c37f7e0ec3d4552f21d26e6482f5962152067ed7f5103d5

    SHA512

    e18cc7bd7036a1fc01c01c31d29566ec286db71b1fb8a250c0f1f62acc05c1adab4dfeaadf4b5df4c18c399fd7ba6496b048d02081164947be1de13321664f95

    Download Submit

  • C:\ProgramData\Remote Utilities\Backup\settings.dat
    Filesize

    5KB

    MD5

    0e7ba2cb293b0068f7016063f1724d50

    SHA1

    0a1fbad5c284cde95559e2ceb1a59579336337ff

    SHA256

    d36aa23d6d4d64937fb02f67da38a03f51221ed68917e7148ff005ba8bc4454d

    SHA512

    eb1a7309846c0cd614bb0de519248a2c17a3cbc6f06f8f45df4b1d04786687e1923c0ff2cdf08e7cf74a1071687160445ee6e76be8364b4a27befccab7e4fe5e

    Download Submit

  • C:\ProgramData\Remote Utilities\Backup\ssleay32.dll
    Filesize

    337KB

    MD5

    fe6d8feaeae983513e0a9a223604041b

    SHA1

    efa54892735d331a24b707068040e5a697455cee

    SHA256

    af029ac96a935594de92f771ef86c3e92fe22d08cb78ebf815cbfd4ef0cb94b0

    SHA512

    a78b1643c9ea02004aabefc9c72d418ee3292edb63a90002608ac02ad4e1a92d86b0fc95e66d6d4b49404c1fc75845d0e6262821b6052ab037b4542fcaf2047d

    Download Submit

  • C:\ProgramData\Remote Utilities\Backup\ssleay32.dll
    Filesize

    337KB

    MD5

    fe6d8feaeae983513e0a9a223604041b

    SHA1

    efa54892735d331a24b707068040e5a697455cee

    SHA256

    af029ac96a935594de92f771ef86c3e92fe22d08cb78ebf815cbfd4ef0cb94b0

    SHA512

    a78b1643c9ea02004aabefc9c72d418ee3292edb63a90002608ac02ad4e1a92d86b0fc95e66d6d4b49404c1fc75845d0e6262821b6052ab037b4542fcaf2047d

    Download Submit

  • C:\ProgramData\Remote Utilities\Backup\w32.dat
    Filesize

    166KB

    MD5

    2c5e106f847b886979cc5e1b7941f3b0

    SHA1

    abb94f3c804554f332d537cc13ccdee776f4cbe5

    SHA256

    d9ce77ebcd40b8790ff625a5682bcfc8667f3fa99dcba72bd3078d6f94e52277

    SHA512

    521521f95ba53f84c9d11819f3f828b72123905a0bbd6e891ce33f2354c6370e1e23e73e583d5c065b7de5eba329fa7f2a87d3ad23f8d588e1393ed402a973f5

    Download Submit

  • C:\ProgramData\Remote Utilities\Backup\w64.dat
    Filesize

    195KB

    MD5

    2bc32883b924395a4a9b6429e150d12a

    SHA1

    89d6a753e466406b70c5b9bce3617a6b96c7c817

    SHA256

    3a0ff1e04417b15dca13bf11277655a231ab50cf1c3ed9d6313d94e8e02fc1f9

    SHA512

    e58823785f27adc50fcf922937b2e8471326e8eaf39343c4697fd1069c605889be2577d0e328284bdccc6ca8ba9c64536746fbd4dd6ea94cdc5ca4137cfe4ae1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nso8242.tmp\nsis7z.dll
    Filesize

    436KB

    MD5

    d7778720208a94e2049972fb7a1e0637

    SHA1

    080d607b10f93c839ec3f07faec3548bb78ac4dc

    SHA256

    98f425f30e42e85f57e039356e30d929e878fdb551e67abfb9f71c31eeb5d44e

    SHA512

    98493ea271738ed6ba3a02de774deef267bfa3c16f3736f1a1a3856b9fecc07f0ea8670827e7eb4ed05c907e96425a0c762e7010cb55a09302ca3cfb3fe44b2b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nso8242.tmp\nsis7z.dll
    Filesize

    436KB

    MD5

    d7778720208a94e2049972fb7a1e0637

    SHA1

    080d607b10f93c839ec3f07faec3548bb78ac4dc

    SHA256

    98f425f30e42e85f57e039356e30d929e878fdb551e67abfb9f71c31eeb5d44e

    SHA512

    98493ea271738ed6ba3a02de774deef267bfa3c16f3736f1a1a3856b9fecc07f0ea8670827e7eb4ed05c907e96425a0c762e7010cb55a09302ca3cfb3fe44b2b

    Download Submit

  • C:\Windows\Temp\__PSScriptPolicyTest_dustqiw1.gfi.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1680-82-0x00000000056F0000-0x0000000005712000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1680-119-0x0000000007BE0000-0x0000000007BF1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1680-128-0x0000000072F50000-0x0000000073700000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1680-124-0x0000000007D00000-0x0000000007D08000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1680-123-0x0000000007D20000-0x0000000007D3A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1680-122-0x0000000007C20000-0x0000000007C34000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1680-121-0x0000000007C10000-0x0000000007C1E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1680-120-0x0000000003280000-0x0000000003290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1680-76-0x00000000030E0000-0x0000000003116000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1680-77-0x0000000072F50000-0x0000000073700000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1680-118-0x0000000007C60000-0x0000000007CF6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1680-79-0x0000000005910000-0x0000000005F38000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1680-80-0x0000000003280000-0x0000000003290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1680-81-0x0000000003280000-0x0000000003290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1680-117-0x0000000007A60000-0x0000000007A6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1680-83-0x0000000005890000-0x00000000058F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1680-84-0x0000000005F40000-0x0000000005FA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1680-116-0x00000000079C0000-0x00000000079DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1680-94-0x0000000006030000-0x0000000006384000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1680-95-0x00000000066A0000-0x00000000066BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1680-96-0x00000000066E0000-0x000000000672C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1680-97-0x0000000003280000-0x0000000003290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1680-98-0x0000000072F50000-0x0000000073700000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1680-115-0x0000000008010000-0x000000000868A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1680-100-0x0000000003280000-0x0000000003290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1680-101-0x0000000003280000-0x0000000003290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1680-102-0x0000000006CC0000-0x0000000006CF2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1680-103-0x000000006F4F0000-0x000000006F53C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1680-113-0x0000000006C80000-0x0000000006C9E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1680-114-0x00000000078C0000-0x0000000007963000-memory.dmp

    Filesize

    652KB

    Download

  • memory/3128-67-0x0000000006C00000-0x0000000006C01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3128-125-0x0000000000400000-0x0000000001896000-memory.dmp

    Filesize

    20.6MB

    Download

  • memory/3128-140-0x0000000000400000-0x0000000001896000-memory.dmp

    Filesize

    20.6MB

    Download

  • memory/3128-78-0x0000000000400000-0x0000000001896000-memory.dmp

    Filesize

    20.6MB

    Download

  • memory/3128-63-0x0000000005140000-0x0000000005141000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3128-75-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3128-50-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3128-68-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3128-137-0x0000000000400000-0x0000000001896000-memory.dmp

    Filesize

    20.6MB

    Download

  • memory/3128-99-0x0000000000400000-0x0000000001896000-memory.dmp

    Filesize

    20.6MB

    Download

  • memory/3128-66-0x0000000005260000-0x0000000005261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3128-53-0x0000000010000000-0x000000001001C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3128-129-0x0000000000400000-0x0000000001896000-memory.dmp

    Filesize

    20.6MB

    Download

  • memory/3128-130-0x0000000000400000-0x0000000001896000-memory.dmp

    Filesize

    20.6MB

    Download

  • memory/3128-134-0x0000000000400000-0x0000000001896000-memory.dmp

    Filesize

    20.6MB

    Download

  • memory/3128-135-0x0000000000400000-0x0000000001896000-memory.dmp

    Filesize

    20.6MB

    Download

  • memory/3668-40-0x0000000010000000-0x000000001001C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3668-48-0x0000000075580000-0x000000007559E000-memory.dmp

    Filesize

    120KB

    Download