Resubmissions

  • 22/10/2023, 02:49  231022-da4exaeh37  (score 7)
  • 22/10/2023, 02:48  231022-daweasda6z  (score 7)
  • 22/10/2023, 02:41  231022-c6mllada3w  (score 7)

Analysis

  • max time kernel
    63s
  • max time network
    87s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/10/2023, 02:41

General

  • Target

    d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe

  • Size

    1.3MB

  • MD5

    f47e11a824c6094d439ba159ec9c3f04

  • SHA1

    7460d14072a26fad9567961f51b1383e335d33c8

  • SHA256

    d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171

  • SHA512

    44878e66c8ad85b76b18912b4afdd8e80cb49b0cf32ad41ea1c6eb30afcdba5150ef46d89e12cd995497f29a0dc2aebd18339115d0e95de61cbc6c3bfd6c8383

  • SSDEEP

    24576:1b3QxsVkMEzjeMREXxC+5QQ7fdhSNpr17/R8T2Od7OS5Q5Wc26qeMyaVl:EsileMRU5VMhR8VPO5Wc26XlQl

Score
7/10 (tag: upx)

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • UPX packed file (4 IoCs)
    Detects executables packed with UPX or a modified build of the open-source UPX packer.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)
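The UPX signature above keys on the packer's section names, and a modified UPX build often renames them, so a practitioner triaging a sample offline usually checks both the section table and the "UPX!" pack-header magic. The block below is an added example, not tria.ge's signature logic and not code from the sample: it parses the PE section table directly with the standard library (no pefile dependency) and reports both indicators. The build_test_pe helper and the minimal PE bytes it emits are constructed here for offline testing; the 1.3MB sample itself is not on this page. Note also that the four 3.1MB dumps of 0x400000-0x717000 in the Downloads section are larger than the 1.3MB file on disk, which is what in-place UPX unpacking looks like, so the dump, not the file on disk, is where the unpacked code would be examined.

```python
import struct

# Section names written by stock UPX. Modified builds often rename them, so the
# raw "UPX!" pack-header magic is checked as a second, looser indicator.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MAGIC = b"UPX!"


def pe_section_names(data: bytes) -> list[str]:
    """Read the section names straight from the PE headers of an image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_header_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_header_size                    # first IMAGE_SECTION_HEADER (40 bytes each)
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> list[str]:
    """Return the UPX indicators found; an empty list means neither matched."""
    found = []
    upx_sections = [n for n in pe_section_names(data) if n in UPX_SECTION_NAMES]
    if upx_sections:
        found.append("sections:" + ",".join(upx_sections))
    if UPX_MAGIC in data:           # loose: any occurrence of the magic anywhere in the file
        found.append("magic:UPX!")
    return found


def build_test_pe(section_names: list[bytes], trailer: bytes = b"") -> bytes:
    """Constructed minimal PE (DOS stub, headers, empty section table) for offline tests."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x102)
    optional = b"\0" * 0xE0                                           # PE32 optional header size
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + optional + table + trailer


if __name__ == "__main__":
    cases = [
        ("stock UPX", [b"UPX0", b"UPX1", b".rsrc"], b""),
        ("renamed sections", [b".text", b".data"], b"\0" * 16 + b"UPX!"),
        ("unpacked", [b".text", b".data", b".rsrc"], b""),
    ]
    for label, names, tail in cases:
        print(label, upx_indicators(build_test_pe(names, tail)))
```

The section-name check is the precise one; the magic scan catches renamed builds but will also fire on any file that merely contains the four bytes, so it is a triage hint rather than a verdict.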

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe
    "C:\Users\Admin\AppData\Local\Temp\d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe"
    1⤵ PID:1636
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.bat
      2⤵ PID:3276
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
        3⤵ PID:5072
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\xiaodaxzqxia\A.vbs"
      2⤵ PID:4600
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\xiaodaxzqxia\n.bat" "
        3⤵ PID:2844
        • Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
          4⤵ PID:2080

  Chain summary: the sample runs under WoW64 (its children load from SysWOW64 even though their command lines name System32), drops n.bat and A.vbs into C:\Users\Public\xiaodaxzqxia\, and runs n.bat both directly and again via A.vbs, so the same Internet Settings zone value is written twice (PIDs 5072 and 2080).
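Both reg.exe children write value 1201 under Internet Settings\Zones\0 with data 0. Zone 0 is the Local Machine ("My Computer") zone and URLACTION 0x1201 is "Initialize and script ActiveX controls not marked as safe for scripting"; a data value of 0 means Enable, so the script removes the safety prompt for unsafe ActiveX in local content. The example below is added here and is not from tria.ge or from the sample: detection logic run over constructed process-creation events (Sysmon event ID 1 style fields) that parses reg add command lines, flags any known zone action set to 0, and records whether the parent was launched from C:\Users\Public. The URLACTIONS table, SAMPLE_EVENTS and the field names are assumptions made for the example.

```python
import re

# URLACTION values under Internet Settings\Zones\<n>; data 0 = Enable, 1 = Prompt, 3 = Disable.
# Table is an assumption for this example (the page's sample only touches 1201).
URLACTIONS = {
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe for scripting",
    "1400": "Active scripting",
}
ZONE_KEY_RE = re.compile(r"\\Internet Settings\\Zones\\(\d+)$", re.IGNORECASE)
PUBLIC_DIR_RE = re.compile(r"C:\\Users\\Public\\", re.IGNORECASE)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]


def parse_reg_add(cmdline: str):
    """Return {key, value, data, type} for a `reg add` command line, else None."""
    toks = tokenize(cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    entry = {"key": toks[2], "value": None, "data": None, "type": None}
    switches = {"/v": "value", "/d": "data", "/t": "type"}
    i = 3
    while i < len(toks):
        field = switches.get(toks[i].lower())
        if field is not None and i + 1 < len(toks):
            entry[field] = toks[i + 1]
            i += 2
        else:
            i += 1                      # /f, /reg:32, unknown switches
    return entry


def check_zone_weakening(cmdline: str):
    """Flag a reg add that sets a known URLACTION to 0 (Enable) in any security zone."""
    entry = parse_reg_add(cmdline)
    if entry is None or entry["value"] is None or entry["data"] is None:
        return None
    zone = ZONE_KEY_RE.search(entry["key"])
    setting = URLACTIONS.get(entry["value"].upper())
    if zone is None or setting is None:
        return None
    try:
        if int(entry["data"], 0) != 0:  # accepts "0" and "0x0"; 1 (Prompt) or 3 (Disable) are fine
            return None
    except ValueError:
        return None
    return {"zone": int(zone.group(1)), "action": entry["value"].upper(), "setting": setting}


def scan_events(events):
    """Run the check over process-creation events and enrich hits with parent context."""
    findings = []
    for ev in events:
        hit = check_zone_weakening(ev["cmdline"])
        if hit is None:
            continue
        hit["pid"] = ev["pid"]
        # Parent launched from the world-writable Public directory, as in the n.bat chain.
        hit["script_from_public"] = bool(PUBLIC_DIR_RE.search(ev.get("parent_cmdline", "")))
        findings.append(hit)
    return findings


# Constructed sample events; the first two mirror the reg.exe children in the tree above,
# the last two are benign reg usage that must stay quiet.
SAMPLE_EVENTS = [
    {"pid": 5072, "image": r"C:\Windows\SysWOW64\reg.exe",
     "parent_cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.bat",
     "cmdline": r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f'},
    {"pid": 2080, "image": r"C:\Windows\SysWOW64\reg.exe",
     "parent_cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\xiaodaxzqxia\n.bat" "',
     "cmdline": r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f'},
    {"pid": 4100, "image": r"C:\Windows\system32\reg.exe",
     "parent_cmdline": r"C:\Windows\system32\cmd.exe /c install.cmd",
     "cmdline": r'reg add "HKCU\Software\Contoso\App" /v Installed /d 1 /t REG_DWORD /f'},
    {"pid": 4101, "image": r"C:\Windows\system32\reg.exe",
     "parent_cmdline": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v 1201'},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Running the block reports the two findings and nothing for the benign events: a data value of 3 (Disable), a key outside Internet Settings\Zones, or a reg query rather than reg add is not flagged. Value names follow Microsoft's documented zone settings; variants of this sample may write other actions such as 1400 (Active scripting) or 1004 (unsigned ActiveX download), which is why the table carries more than 1201.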

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Public\xiaodaxzqxia\A.vbs
    Filesize: 107B
    MD5: bcb223ea9c0598f04684216bcd0e12a6
    SHA1: 2661c8fbca3654a29fa261def7f16ea23a6f3165
    SHA256: ef2113720c94cbe4cb494d6e24d26803b4b1a094e35e4285cd4a2f5665ef2c37
    SHA512: 77e440462544ca9f711f9241096601060080f5751651cab8a796d57ed74c424f03a9237a653c17a386c1ef654e6192d0e54080632dacff15a28a46564e639682

  • C:\Users\Public\xiaodaxzqxia\n.bat
    Filesize: 263B
    MD5: c7d8b33e05722104d63de564a5d92b01
    SHA1: fd703f1c71ac1dae65dc34f3521854604cec8091
    SHA256: 538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a
    SHA512: 54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

  • memory/1636-0-0x0000000000400000-0x0000000000717000-memory.dmp
    Filesize: 3.1MB

  • memory/1636-8-0x0000000000400000-0x0000000000717000-memory.dmp
    Filesize: 3.1MB

  • memory/1636-10-0x0000000000400000-0x0000000000717000-memory.dmp
    Filesize: 3.1MB

  • memory/1636-11-0x0000000000400000-0x0000000000717000-memory.dmp
    Filesize: 3.1MB

  All four dumps cover the same 0x400000-0x717000 region of PID 1636 at different points in the run. The 3.1MB region against a 1.3MB file on disk is consistent with the UPX stub having unpacked the image in place, so the dumps, not the file on disk, are the input for static analysis of the real payload.