Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

4f0dda0138...0b.exe

windows7-x64

7

4f0dda0138...0b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/10/2023, 14:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b.exe

  • Size

    17.2MB

  • MD5

    3a431ad03ffe53aa02fea1a7a168330f

  • SHA1

    9f3d6cf63b5fc071591291720d49d78afa9e14fe

  • SHA256

    4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b

  • SHA512

    1b77ee1df34f5c84fcbe8dbb0c8785ac47188cd2b87e9ed9956278c3b47056aa8b2c89ac940a9915d789337192e943c3795f6170429ea201107b9acf94efcff9

  • SSDEEP

    393216:sYs7hvMmW5HiLg9999999a6WI6jV9ALHeBbMDbqP49yMK4FLwGtq4nQLpI:Ahv7WNi89999999aFRjV9AzKbMXyMKW1

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b.exe
    "C:\Users\Admin\AppData\Local\Temp\4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bootstrap.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bootstrap.exe CSAD_MARKET=xx-xx
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2468
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4088
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5A32429DB975DFDDF33EAC4F593E699B C
      2⤵
      • Loads dropped DLL
      PID:3496

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MsnMsgs.Msi
    Filesize

    15.9MB

    MD5

    5d5c86e8314b2b51c3614cec454706d9

    SHA1

    9749a3a0a7aeeec91d66a1d45a08eeb588bc93dc

    SHA256

    02fa57cd166ed728e45b27210a945d2a21cf43c2d79641dd83bac3390493ac5f

    SHA512

    b98591843bb2092888a6be6a1821091ff2a05559f6fabd9ead9a1db05bf79726caa875a59fc02704e8b7695cc2cda968dc7db3e9a7818dec646469d7cf20e93e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bootstrap.dll
    Filesize

    66KB

    MD5

    db052a2dca5a30e03b5f09112df7f54a

    SHA1

    2f4265bd26977b06a17846891206946e9c11cf04

    SHA256

    580cce29b501521c942750b9360307cd4781dd998e78055d222e2d29e470def7

    SHA512

    c7c85a1d1558f90ae4d69a76e04339c8bb8dfea3f923545983fe725ba628ee8f2cda8fc14d4e65ab9d872c82e1430977bf0dcc8f32d2fd4b431f01d0663bc4a5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bootstrap.dll
    Filesize

    66KB

    MD5

    db052a2dca5a30e03b5f09112df7f54a

    SHA1

    2f4265bd26977b06a17846891206946e9c11cf04

    SHA256

    580cce29b501521c942750b9360307cd4781dd998e78055d222e2d29e470def7

    SHA512

    c7c85a1d1558f90ae4d69a76e04339c8bb8dfea3f923545983fe725ba628ee8f2cda8fc14d4e65ab9d872c82e1430977bf0dcc8f32d2fd4b431f01d0663bc4a5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bootstrap.dll
    Filesize

    66KB

    MD5

    db052a2dca5a30e03b5f09112df7f54a

    SHA1

    2f4265bd26977b06a17846891206946e9c11cf04

    SHA256

    580cce29b501521c942750b9360307cd4781dd998e78055d222e2d29e470def7

    SHA512

    c7c85a1d1558f90ae4d69a76e04339c8bb8dfea3f923545983fe725ba628ee8f2cda8fc14d4e65ab9d872c82e1430977bf0dcc8f32d2fd4b431f01d0663bc4a5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bootstrap.exe
    Filesize

    69KB

    MD5

    e8dfa3a47a398d492bf8c8394ca32a33

    SHA1

    4067c3c3da6a4a5df3d41e70e857bd20c243a673

    SHA256

    314a110e1c400685396c9b20ad1c55e6be1a9e92b10bacc620d3fa6ef8f65235

    SHA512

    f8dc2b90202eaf02de0170cd7acb9ae06f1dd537abdd9aa33c9fc9e1cbccd7071a47a766e292018cacf456431f4d330f4fa269dbcf52b5242d1341dcd875f698

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bootstrap.exe
    Filesize

    69KB

    MD5

    e8dfa3a47a398d492bf8c8394ca32a33

    SHA1

    4067c3c3da6a4a5df3d41e70e857bd20c243a673

    SHA256

    314a110e1c400685396c9b20ad1c55e6be1a9e92b10bacc620d3fa6ef8f65235

    SHA512

    f8dc2b90202eaf02de0170cd7acb9ae06f1dd537abdd9aa33c9fc9e1cbccd7071a47a766e292018cacf456431f4d330f4fa269dbcf52b5242d1341dcd875f698

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSIE407.tmp
    Filesize

    118KB

    MD5

    62511aa3698b878de9b2c2606e011b15

    SHA1

    63f435dcc46c9c3d1748a5432c602ace91c9362a

    SHA256

    29f7ee527226de4698c63aa1fe0d6f55ff6e38cb5b3e6dcd9b7bc6458c3251ad

    SHA512

    5b78f9f6500cca59891c4802460eb9c667cdde29e6b2443de8178e7bacc936be08ebaf0d5081f5a05db0a588979b3b5db6947ff67a19a34200d4548c02ea9a44

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSIE407.tmp
    Filesize

    118KB

    MD5

    62511aa3698b878de9b2c2606e011b15

    SHA1

    63f435dcc46c9c3d1748a5432c602ace91c9362a

    SHA256

    29f7ee527226de4698c63aa1fe0d6f55ff6e38cb5b3e6dcd9b7bc6458c3251ad

    SHA512

    5b78f9f6500cca59891c4802460eb9c667cdde29e6b2443de8178e7bacc936be08ebaf0d5081f5a05db0a588979b3b5db6947ff67a19a34200d4548c02ea9a44

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSIE698.tmp
    Filesize

    118KB

    MD5

    62511aa3698b878de9b2c2606e011b15

    SHA1

    63f435dcc46c9c3d1748a5432c602ace91c9362a

    SHA256

    29f7ee527226de4698c63aa1fe0d6f55ff6e38cb5b3e6dcd9b7bc6458c3251ad

    SHA512

    5b78f9f6500cca59891c4802460eb9c667cdde29e6b2443de8178e7bacc936be08ebaf0d5081f5a05db0a588979b3b5db6947ff67a19a34200d4548c02ea9a44

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSIE698.tmp
    Filesize

    118KB

    MD5

    62511aa3698b878de9b2c2606e011b15

    SHA1

    63f435dcc46c9c3d1748a5432c602ace91c9362a

    SHA256

    29f7ee527226de4698c63aa1fe0d6f55ff6e38cb5b3e6dcd9b7bc6458c3251ad

    SHA512

    5b78f9f6500cca59891c4802460eb9c667cdde29e6b2443de8178e7bacc936be08ebaf0d5081f5a05db0a588979b3b5db6947ff67a19a34200d4548c02ea9a44

    Download Submit

  • memory/2468-16-0x0000000000520000-0x0000000000532000-memory.dmp

    Filesize

    72KB

    Download