Analysis

  • max time kernel
    130s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2023, 02:46

General

  • Target

    72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe

  • Size

    10.0MB

  • MD5

    858f4c3efd608c3a87d1533791cfbf40

  • SHA1

    1264bc5b1cbc568c5ef2e84a5e4515292273430e

  • SHA256

    72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104

  • SHA512

    03d723ced9f3efdd6dc82368be1a12d5ce853091837a09c6f2767ccb1908d483ec70746745f43195819ed050bfdad7536041888cd9b78aec8022cdcdd6169f73

  • SSDEEP

    196608:Ango4nrdg43DZ3Eu8iUr8OhQfZmROup8gBVtn2j6Cjo3kzXfwQRF2:+SnpgUUuwtwZE8gBqj6Co0IN

Score
7/10

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe
    "C:\Users\Admin\AppData\Local\Temp\72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Windows\system32\expand.exe
        C:\Windows\system32\expand.exe *.cab /f:* .\
        3⤵
        PID:4048
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Windows\system32\schtasks.exe
        schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
        3⤵
        • Creates scheduled task(s)
        PID:1808
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3544
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
        3⤵
        PID:4440
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4004
      • C:\Windows\system32\schtasks.exe
        schtasks /run /tn ASOS1
        3⤵
        PID:2144
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Windows\system32\schtasks.exe
        schtasks /delete /f /tn ASOS1
        3⤵
        PID:4880
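
The process tree above is a single procedure: unpack a CAB into %TEMP%, register task ASOS1 from ASOS.xml with /ru "system", rewrite its action with /change to a Launcher.exe under the user-writable unpacksos directory, fire it with /run, and remove it with /delete. The point for a hunter is that nothing persists: the task is gone by the time anyone enumerates scheduled tasks, so the sequence has to be caught in process-creation telemetry. The following is an added example, not code from the tria.ge report or from the sample: a Python detector run over constructed process-creation events whose PIDs and command lines are copied from the tree. The ProcEvent schema, the sample's parent PID (1000) and the benign NightlyBackup control event are assumptions, not data from the report.

```python
"""Hunt for the short-lived SYSTEM scheduled-task sequence seen in the report:
schtasks /create ... /ru system, /change ... /tr <user-writable path>, /run, /delete.

Added example; not code from the tria.ge report or the analysed sample. EVENTS is
constructed from the report's process tree; ProcEvent is an assumed minimal
schema, not Sysmon or any EDR format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\72b81d4fceb44127660175f6b101b98ca91cfd74d09317b8985886ebe1cc0104.exe"
CMD = r"C:\Windows\system32\cmd.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
# Task action exactly as the report shows it (single-quoted path, doubled backslash).
TR = r"'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
SYSNATIVE = '"C:\\Windows\\sysnative\\cmd.exe" /c '

# Constructed events: PIDs and command lines from the report; PPID 1000 for the
# sample and the NightlyBackup control task are assumptions.
EVENTS: List[ProcEvent] = [
    ProcEvent(4640, 1000, SAMPLE, '"%s"' % SAMPLE),
    ProcEvent(1776, 4640, CMD, SYSNATIVE + 'C:\\Windows\\system32\\expand.exe *.cab /f:* .\\'),
    ProcEvent(4048, 1776, r"C:\Windows\system32\expand.exe", 'C:\\Windows\\system32\\expand.exe *.cab /f:* .\\'),
    ProcEvent(2584, 4640, CMD, SYSNATIVE + 'schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1'),
    ProcEvent(1808, 2584, SCHTASKS, 'schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1'),
    ProcEvent(3544, 4640, CMD, SYSNATIVE + 'schtasks /change /tn ASOS1 /ru "system" /tr "%s"' % TR),
    ProcEvent(4440, 3544, SCHTASKS, 'schtasks /change /tn ASOS1 /ru "system" /tr "%s"' % TR),
    ProcEvent(4004, 4640, CMD, SYSNATIVE + "schtasks /run /tn ASOS1"),
    ProcEvent(2144, 4004, SCHTASKS, "schtasks /run /tn ASOS1"),
    ProcEvent(1080, 4640, CMD, SYSNATIVE + "schtasks /delete /f /tn ASOS1"),
    ProcEvent(4880, 1080, SCHTASKS, "schtasks /delete /f /tn ASOS1"),
    # Benign control (assumed): SYSTEM task under Program Files, never /run or /delete'd.
    ProcEvent(5100, 900, SCHTASKS, 'schtasks /create /tn NightlyBackup /tr "C:\\Program Files\\Backup\\backup.exe" /sc daily /st 02:00 /ru system'),
]

VERB_RE = re.compile(r"schtasks(?:\.exe)?\s+/(create|change|run|delete)\b", re.I)
SYSTEM_RE = re.compile(r"^(system|nt authority\\system)$", re.I)
# Locations the sample (or any non-admin user) can write to.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\", re.I)


def switch(cmdline: str, name: str) -> Optional[str]:
    """Raw value of /name: a double-quoted run (which may contain spaces) or one token."""
    m = re.search(r'/%s\s+("[^"]*"|\S+)' % re.escape(name), cmdline, re.I)
    return m.group(1) if m else None


def unquote(v: str) -> str:
    """Strip one matching pair of surrounding double or single quotes."""
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'" else v


def action_path(tr: str) -> str:
    """Executable from a /tr value. schtasks does not shell-tokenise the action, so
    accept an inner-quoted path with arguments, a bare path up to a known
    executable extension (spaces allowed), or failing that the first token."""
    m = re.match(r"""\s*(?:'([^']*)'|"([^"]*)"|(.+?\.(?:exe|bat|cmd|ps1|vbs|js|dll))(?=\s|$)|(\S+))""", tr, re.I)
    return next(g for g in m.groups() if g is not None) if m else tr


def root_image(pid: int, by_pid: Dict[int, ProcEvent]) -> str:
    """Walk ppid links to the oldest ancestor present in the telemetry."""
    ev = by_pid[pid]
    while ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
    return ev.image


def find_system_task_abuse(events: List[ProcEvent]) -> Dict[str, dict]:
    """Group schtasks.exe invocations by task name and score each task.
    Only schtasks.exe processes are scored: the cmd.exe /c wrappers repeat the
    same command line and would double-count every verb."""
    by_pid = {e.pid: e for e in events}
    tasks: Dict[str, dict] = defaultdict(lambda: {"verbs": [], "runas_system": False, "action": None, "origin": None})
    for e in events:
        if not e.image.lower().endswith("\\schtasks.exe"):
            continue
        m, tn = VERB_RE.search(e.cmdline), switch(e.cmdline, "tn")
        if not m or tn is None:
            continue
        t = tasks[unquote(tn)]
        t["verbs"].append(m.group(1).lower())
        ru = switch(e.cmdline, "ru")
        if ru and SYSTEM_RE.match(unquote(ru)):
            t["runas_system"] = True
        tr = switch(e.cmdline, "tr")
        if tr:
            t["action"] = action_path(unquote(tr))
        t["origin"] = root_image(e.pid, by_pid)

    findings: Dict[str, dict] = {}
    for name, t in tasks.items():
        reasons = []
        if t["runas_system"]:
            reasons.append("runs as SYSTEM")
        if t["action"] and USER_WRITABLE_RE.search(t["action"]):
            reasons.append("action in user-writable path: " + t["action"])
        if "run" in t["verbs"]:
            reasons.append("started on demand with /run")
        if "delete" in t["verbs"]:
            reasons.append("deleted after use (short-lived task)")
        if USER_WRITABLE_RE.search(t["origin"]):
            reasons.append("schtasks launched from user-writable path: " + t["origin"])
        # A SYSTEM task on its own is routine; SYSTEM plus two or more other tells is not.
        if t["runas_system"] and len(reasons) >= 3:
            findings[name] = {"verbs": t["verbs"], "reasons": reasons, "action": t["action"], "origin": t["origin"]}
    return findings


if __name__ == "__main__":
    for name, f in find_system_task_abuse(EVENTS).items():
        print(name, f["verbs"])
        for r in f["reasons"]:
            print("  -", r)
```

Two caveats when reading the tree through this lens. Registering a task with /ru "system" already requires an elevated context (the sandbox user here is Admin), so this is SYSTEM-level execution from an administrative session, not an escalation from a standard user. And the "C:\Windows\sysnative\cmd.exe" spelling is the WOW64 alias that only a 32-bit process can see on 64-bit Windows, consistent with the arch:x86 tag: the sample is 32-bit and reaches the native 64-bit cmd.exe through it. In production the same logic would run over Security 4688 events with command-line auditing enabled or Sysmon Event ID 1, and the 4698 (created), 4702 (updated) and 4699 (deleted) task events give a second, process-independent view of the same create/change/delete sequence.
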

Downloads

  • C:\Users\Admin\AppData\Local\Temp\unpack1.log

    Filesize

    4KB

    MD5

    f6a88be35a51bbd73cf3b3da94f01d95

    SHA1

    ba7bf22546e237c48d699e1bfdae172d6944d920

    SHA256

    3ef428efbc140a9b852ee2a755bf36d50465b582c0f206eaae248a21611b6b73

    SHA512

    4ceab498827f9a35f8c0a04253ebdb2454e8f893ad76101f8980010df03d36f1e5fa377d5254db8cf3c6f4b9199f7e0c4385dba7709b2356c34e2f0190e87dce

  • C:\Users\Admin\AppData\Local\Temp\unpack1.log

    Filesize

    978B

    MD5

    e8743bc02c3d001c11c2c2db73ab9026

    SHA1

    0b880f4394621935a4cf9895b3afe5de452c93ee

    SHA256

    0e68da2c76111381ffd580349d673197417585c9dcdc4d1a1333e6c17e9a25d3

    SHA512

    8d53bdf1602f55fb49952d61fc14328d27b6f87c0df98b0577f0fc6180769a62ea1cda7f9a37985d8365db7cbe080f42076eb35b9ee3dcd42ac280eb2f400823