Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

72c50bb47a...48.exe

windows7-x64

10

72c50bb47a...48.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/11/2023, 09:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72c50bb47ae31af0b64594a40c195ea174822d84c455da5356726cbf3b031948.exe

  • Size

    304KB

  • MD5

    b728c2840a02568443366cf9d31b4e79

  • SHA1

    290262cf698471ac7a25c002cc5e32c45343354a

  • SHA256

    72c50bb47ae31af0b64594a40c195ea174822d84c455da5356726cbf3b031948

  • SHA512

    663f58c57f7fb01fec32c6a7f72742edf45c37f4e12caef7def07e504d1aefcf51d873fc28682161a0affbcf536f40e967049f84a6376f33cb1e1c77f0be9de5

  • SSDEEP

    6144:vIMnCyxDUQyNjIY6UAik3W6EoXJAOueOef5SG4X9Wx+8tCNyY:1C2U3Nj56Jik3n5EeOK8Mx+8kNH

Score
10/10
evasiontrojanupx

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Downloads MZ/PE file
  • Modifies RDP port number used by Windows 1 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\72c50bb47ae31af0b64594a40c195ea174822d84c455da5356726cbf3b031948.exe
    "C:\Users\Admin\AppData\Local\Temp\72c50bb47ae31af0b64594a40c195ea174822d84c455da5356726cbf3b031948.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3832
    • C:\Users\Public\Music\REHCsH\VjnZON7W.exe
      "C:\Users\Public\Music\REHCsH\VjnZON7W.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4256
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo.>c:\xxxx.ini
        3⤵
          PID:732
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1200
        2⤵
        • Program crash
        PID:3928
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3832 -ip 3832
      1⤵
        PID:1912

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG
        Filesize

        6KB

        MD5

        e39405e85e09f64ccde0f59392317dd3

        SHA1

        9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

        SHA256

        cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

        SHA512

        6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG
        Filesize

        36KB

        MD5

        f6bf82a293b69aa5b47d4e2de305d45a

        SHA1

        4948716616d4bbe68be2b4c5bf95350402d3f96f

        SHA256

        6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

        SHA512

        edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

        Download Submit

      • C:\Users\Public\Music\REHCsH\Edge.jpg
        Filesize

        358KB

        MD5

        3be1ec3b45929c27aa05da4f0d36c62d

        SHA1

        595916515e3e7f04d82d5f271bdbec1346a64598

        SHA256

        aa7f0ccc36d07d06bf46488f1c3c6f9da8f5f6fa5005616cd235e22ef2218044

        SHA512

        c9c0e228d04fa066961290fcd7978c3be1319e81fd8b579e7a3138db63c267178b63b3f829299a174632bf1667ecace9b6f919281ccfcd1766a0609152ad9d18

        Download Submit

      • C:\Users\Public\Music\REHCsH\VjnZON7W.dat
        Filesize

        132KB

        MD5

        d5c73cfbb684f59176fe24f62f477bdb

        SHA1

        b4c7a63fdb4bcff732fd0f6fc0ccb12ac6ec5ca2

        SHA256

        7cbcfcc9790c6e9c1626a598677462a91b979340615375faa1a2f25d4ef31df3

        SHA512

        1d26d7a7dc9f0a355b85a4be3eed80c62ea28861f9eeb11819e5cd7a62ceb1f0784246e37ea2f178f9846dee75f5a9c8aabbc050b2234ecc0d743ecce3276173

        Download Submit

      • C:\Users\Public\Music\REHCsH\VjnZON7W.exe
        Filesize

        525KB

        MD5

        c415a0405980406ae2142cad6b438a3a

        SHA1

        e26e7dd5b9b2f341da7b18d79334800bd8113ac8

        SHA256

        cc2539f1c385556963362a2e599bef943b028d45f73dcbcd67e546d57768987a

        SHA512

        d6aa65e8192ed230fb810c3c9e4f4000a7344b97f3eb1a1f4a78086822d30d6a9450d9873cb3d0d3ef2b3a494c87acd51f053eef7cf3acab05498ffde41aa45f

        Download Submit

      • C:\Users\Public\Music\REHCsH\VjnZON7W.exe
        Filesize

        525KB

        MD5

        c415a0405980406ae2142cad6b438a3a

        SHA1

        e26e7dd5b9b2f341da7b18d79334800bd8113ac8

        SHA256

        cc2539f1c385556963362a2e599bef943b028d45f73dcbcd67e546d57768987a

        SHA512

        d6aa65e8192ed230fb810c3c9e4f4000a7344b97f3eb1a1f4a78086822d30d6a9450d9873cb3d0d3ef2b3a494c87acd51f053eef7cf3acab05498ffde41aa45f

        Download Submit

      • C:\Users\Public\Music\REHCsH\VjnZON7W.exe
        Filesize

        525KB

        MD5

        c415a0405980406ae2142cad6b438a3a

        SHA1

        e26e7dd5b9b2f341da7b18d79334800bd8113ac8

        SHA256

        cc2539f1c385556963362a2e599bef943b028d45f73dcbcd67e546d57768987a

        SHA512

        d6aa65e8192ed230fb810c3c9e4f4000a7344b97f3eb1a1f4a78086822d30d6a9450d9873cb3d0d3ef2b3a494c87acd51f053eef7cf3acab05498ffde41aa45f

        Download Submit

      • C:\Users\Public\Music\REHCsH\edge.xml
        Filesize

        76KB

        MD5

        4988e45ca7c6f8ef73a28be140761dd7

        SHA1

        f4b0b9ec8f20f913b76870dbe61e2242ef7f8634

        SHA256

        e7fa2d1b41ccf1e2cc0de264e96ed52afd882a5322fe66d48eb65cb5085c0a75

        SHA512

        dd0d2ec27c204c139a23fb07d6889ecbee3c022cc87cc47d9afb7161082cdccf260845978fd084b663d70f7470bc1e6981e05ca284db80908b912211889042b5

        Download Submit

      • memory/3832-1-0x0000000010000000-0x0000000010018000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4256-45-0x0000000002C60000-0x0000000002C61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4256-47-0x00000000037B0000-0x00000000037C7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/4256-49-0x0000000010000000-0x0000000010061000-memory.dmp

        Filesize

        388KB

        Download

      • memory/4256-23-0x0000000000400000-0x0000000000558000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4256-63-0x0000000000400000-0x0000000000558000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4256-65-0x00000000037B0000-0x00000000037C7000-memory.dmp

        Filesize

        92KB

        Download