Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

2f5f5407af...f2.exe

windows7-x64

10

2f5f5407af...f2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/11/2023, 10:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe

  • Size

    223KB

  • MD5

    7356e94a91d2550864e9af87417408ce

  • SHA1

    1fa54bb4f5c256be4bd086f74e3acb41142f7e27

  • SHA256

    2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2

  • SHA512

    7d709d7e29bb71d07a8298424445be7552a75bbd14e1fdcc4da59de0d3b2621ea43b8457f2515189e55ee0ed80d17271abf78c70e5c3b857831d3515dd0324d4

  • SSDEEP

    6144:RwPSUONLNsuWA7koN+boRhZ2VUUaSaE0A6Xvd2:ROuW5o/oVU1r5w

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 11 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:636
      • C:\ProgramData\services.exe
        "C:\ProgramData\services.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1716
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3356
      • C:\Users\Admin\AppData\Local\Temp\2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe
        "C:\Users\Admin\AppData\Local\Temp\2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe"
        2⤵
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1324
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\2f5f5407af2e004b6bd676ec6e19c392818140695ca86aedb6c1ae203d2ce5f2.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:576
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:2204

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\services.exe
      Filesize

      698KB

      MD5

      d8e577bf078c45954f4531885478d5a9

      SHA1

      d7a213f3cfee2a8a191769eb33847953be51de54

      SHA256

      dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674

      SHA512

      d7ef417fe68d44ed5a10eeca6075010c3940d5d6568086762d7c3f7ec55793d1ccaea7e6ac2675a3330a26b39c53c4be04241ffd23ba80b88112de10a01925e9

      Download Submit

    • C:\ProgramData\services.exe
      Filesize

      698KB

      MD5

      d8e577bf078c45954f4531885478d5a9

      SHA1

      d7a213f3cfee2a8a191769eb33847953be51de54

      SHA256

      dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674

      SHA512

      d7ef417fe68d44ed5a10eeca6075010c3940d5d6568086762d7c3f7ec55793d1ccaea7e6ac2675a3330a26b39c53c4be04241ffd23ba80b88112de10a01925e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\834bd749.tmp
      Filesize

      14.1MB

      MD5

      a7ef23896bd75e4cf69595d10cac31ac

      SHA1

      6882cc47f35317decd34213a550473c6aa83a908

      SHA256

      3148f6ce8f8cd6246cb222715925a6a6066d573e92bf5441a8f191884870810c

      SHA512

      1f8efa9855b5f9b768a2cd445986de7f5c4a2adec31afa5b92530651a8f99fcb43f25eaa2469c5ea7c1e7e04b3a5fd41f61bc1b322d9489ad11494ad4164f08c

      Download Submit

    • memory/636-16-0x0000016D73860000-0x0000016D73888000-memory.dmp

      Filesize

      160KB

      Download

    • memory/636-57-0x0000016D738A0000-0x0000016D738A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/636-56-0x0000016D73860000-0x0000016D73888000-memory.dmp

      Filesize

      160KB

      Download

    • memory/636-17-0x0000016D738A0000-0x0000016D738A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1324-0-0x0000000000680000-0x00000000006EE000-memory.dmp

      Filesize

      440KB

      Download

    • memory/1324-39-0x0000000000680000-0x00000000006EE000-memory.dmp

      Filesize

      440KB

      Download

    • memory/1716-53-0x00000161F6A00000-0x00000161F6ACB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/1716-65-0x00000161F8360000-0x00000161F8361000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-11-0x00000161F6A00000-0x00000161F6ACB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/1716-77-0x00000161F8E00000-0x00000161F8FC5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1716-50-0x00007FF9264B0000-0x00007FF9264C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1716-51-0x00000161F8350000-0x00000161F8351000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-69-0x00000161F8360000-0x00000161F8362000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1716-68-0x00000161F8E00000-0x00000161F8FC5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1716-54-0x00000161F67D0000-0x00000161F67D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-55-0x00000161F8370000-0x00000161F8371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-10-0x00000161F6A00000-0x00000161F6ACB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/1716-67-0x00000161F8370000-0x00000161F8371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-58-0x00000161F8360000-0x00000161F8361000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-59-0x00000161F8E00000-0x00000161F8FC5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1716-60-0x00000161F8360000-0x00000161F8362000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1716-61-0x00000161F83C0000-0x00000161F83C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-66-0x00000161F8370000-0x00000161F8371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-63-0x00000161F8350000-0x00000161F8351000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-64-0x00000161F8370000-0x00000161F8371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-13-0x00007FF9264B0000-0x00007FF9264C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3356-2-0x00000000032F0000-0x00000000032F3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3356-4-0x00000000033D0000-0x00000000033D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3356-9-0x0000000009300000-0x00000000093F9000-memory.dmp

      Filesize

      996KB

      Download

    • memory/3356-52-0x00000000033D0000-0x00000000033D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3356-1-0x00000000032F0000-0x00000000032F3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3356-40-0x0000000009300000-0x00000000093F9000-memory.dmp

      Filesize

      996KB

      Download