Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

2f5f5407af...f2.exe

windows7-x64

10

2f5f5407af...f2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
  • submitted
    15/11/2023, 10:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe

  • Size

    223KB

  • MD5

    7356e94a91d2550864e9af87417408ce

  • SHA1

    1fa54bb4f5c256be4bd086f74e3acb41142f7e27

  • SHA256

    2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2

  • SHA512

    7d709d7e29bb71d07a8298424445be7552a75bbd14e1fdcc4da59de0d3b2621ea43b8457f2515189e55ee0ed80d17271abf78c70e5c3b857831d3515dd0324d4

  • SSDEEP

    6144:RwPSUONLNsuWA7koN+boRhZ2VUUaSaE0A6Xvd2:ROuW5o/oVU1r5w

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 11 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:424
      • C:\compact.exe
        "C:\compact.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2620
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
        "C:\Users\Admin\AppData\Local\Temp\2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe"
        2⤵
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:876
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:3056
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:2012

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab4C2F.tmp
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar804C.tmp
      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\a18d278d.tmp
      Filesize

      14.1MB

      MD5

      a7ef23896bd75e4cf69595d10cac31ac

      SHA1

      6882cc47f35317decd34213a550473c6aa83a908

      SHA256

      3148f6ce8f8cd6246cb222715925a6a6066d573e92bf5441a8f191884870810c

      SHA512

      1f8efa9855b5f9b768a2cd445986de7f5c4a2adec31afa5b92530651a8f99fcb43f25eaa2469c5ea7c1e7e04b3a5fd41f61bc1b322d9489ad11494ad4164f08c

      Download Submit

    • C:\compact.exe
      Filesize

      19KB

      MD5

      fdce04563c157bb80f32e22c22f4eac6

      SHA1

      e455098eee533ee29e6f65e9586875812ebe1558

      SHA256

      e6a2f47a0cae80a841a42a5c2c0d64d1a60430895df68c01f1eef3c6155c4d44

      SHA512

      b064d6fbf61d8019167192be04795797295200cae0b0310371bcc7d74896b030eb244280cdc91cd853f2bb1b23776d574eb3b134c279d1f1644255e8adf022da

      Download Submit

    • memory/424-43-0x0000000000430000-0x0000000000433000-memory.dmp

      Filesize

      12KB

      Download

    • memory/424-45-0x0000000000440000-0x0000000000468000-memory.dmp

      Filesize

      160KB

      Download

    • memory/424-75-0x0000000000440000-0x0000000000468000-memory.dmp

      Filesize

      160KB

      Download

    • memory/876-0-0x0000000000F70000-0x0000000000FDE000-memory.dmp

      Filesize

      440KB

      Download

    • memory/876-46-0x0000000000F70000-0x0000000000FDE000-memory.dmp

      Filesize

      440KB

      Download

    • memory/876-59-0x0000000000F70000-0x0000000000FDE000-memory.dmp

      Filesize

      440KB

      Download

    • memory/876-70-0x0000000000F70000-0x0000000000FDE000-memory.dmp

      Filesize

      440KB

      Download

    • memory/1196-19-0x0000000002B40000-0x0000000002B43000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1196-74-0x000007FE7ADE0000-0x000007FE7ADEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1196-71-0x0000000004DF0000-0x0000000004EE9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1196-73-0x000007FEF61D0000-0x000007FEF6313000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1196-21-0x0000000004DF0000-0x0000000004EE9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1196-20-0x0000000004DF0000-0x0000000004EE9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1196-18-0x0000000002B40000-0x0000000002B43000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1196-17-0x0000000002B40000-0x0000000002B43000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2620-36-0x0000000000090000-0x0000000000093000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2620-104-0x0000000001D60000-0x0000000001D61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2620-40-0x000007FEBE2B0000-0x000007FEBE2C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2620-41-0x0000000001C70000-0x0000000001D3B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2620-72-0x0000000001C70000-0x0000000001D3B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2620-37-0x0000000001C70000-0x0000000001D3B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2620-32-0x0000000000090000-0x0000000000093000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2620-26-0x0000000000060000-0x0000000000061000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2620-98-0x0000000037BD0000-0x0000000037BE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2620-100-0x000007FE7ADE0000-0x000007FE7ADEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2620-101-0x000007FE7ADE0000-0x000007FE7ADEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2620-102-0x000007FE7ADE0000-0x000007FE7ADEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2620-103-0x000007FE7ADE0000-0x000007FE7ADEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2620-39-0x0000000001C70000-0x0000000001D3B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2620-105-0x0000000001D60000-0x0000000001D61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2620-106-0x0000000004540000-0x0000000004705000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2620-107-0x0000000004540000-0x0000000004705000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2620-108-0x0000000001D70000-0x0000000001D71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2620-109-0x000007FE7ADE0000-0x000007FE7ADEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2620-110-0x000007FE7ADE0000-0x000007FE7ADEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2620-111-0x000007FE7ADE0000-0x000007FE7ADEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2620-112-0x000007FE7ADE0000-0x000007FE7ADEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2620-113-0x000007FE7ADE0000-0x000007FE7ADEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2620-114-0x0000000001D60000-0x0000000001D61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2620-115-0x0000000004540000-0x0000000004705000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2620-24-0x00000000001A0000-0x0000000000263000-memory.dmp

      Filesize

      780KB

      Download

    • memory/2620-123-0x0000000004540000-0x0000000004705000-memory.dmp

      Filesize

      1.8MB

      Download