Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

aadb797f55...00.exe

windows7-x64

10

aadb797f55...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    165s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/11/2023, 12:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe

  • Size

    2.0MB

  • MD5

    2f3353e9de4535e858254b2f9ebe0e70

  • SHA1

    beb0fe2c7a977abf0f292477466be291fca80a9a

  • SHA256

    aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00

  • SHA512

    909bb4cd1108fefed5bdf68af29eb0fbc5584f6c9ce7b7a15790af2c24ac2898ab132e7e95b7ba636c131c645e8aee95ef749dc24f7f05c2eb3808ab6c2146d7

  • SSDEEP

    49152:8Us4vWvQznXPwh11sXIAyT9tN93ul/lDxqqqoqqqdT:ls4iKXPs1sByTNT

Score
10/10
upxvmprotect

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in System32 directory 23 IoCs
  • Drops file in Program Files directory 26 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:624
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:340
      • C:\ProgramData\newdev.exe
        "C:\ProgramData\newdev.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4332
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3208
      • C:\Users\Admin\AppData\Local\Temp\aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
        "C:\Users\Admin\AppData\Local\Temp\aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe"
        2⤵
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1336
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2600
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:3320

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\newdev.exe
      Filesize

      70KB

      MD5

      53e90f70d88430e8e0ae94cb7c9f3dfe

      SHA1

      bae36fe3c2921879426f2cb313630d525458581f

      SHA256

      4500d5b98ef4f901f700a60f9643ac6e31034ff3a72918b68025c7b2ef684f90

      SHA512

      70c4895732c64a45db1c946a9fdbd8d7b6c065f3f1f8831d17da0a98872eeabe96f0cf064c7732e513378812cd956cea80c33759447a60c136b3b4c5d61c75e7

      Download Submit

    • C:\ProgramData\newdev.exe
      Filesize

      70KB

      MD5

      53e90f70d88430e8e0ae94cb7c9f3dfe

      SHA1

      bae36fe3c2921879426f2cb313630d525458581f

      SHA256

      4500d5b98ef4f901f700a60f9643ac6e31034ff3a72918b68025c7b2ef684f90

      SHA512

      70c4895732c64a45db1c946a9fdbd8d7b6c065f3f1f8831d17da0a98872eeabe96f0cf064c7732e513378812cd956cea80c33759447a60c136b3b4c5d61c75e7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\83472e39.tmp
      Filesize

      14.1MB

      MD5

      b66fb2f31bbc7538ade44d5f5d57675f

      SHA1

      30c2444dc89cbd6f099d21f00d432ade619ad13d

      SHA256

      3b09106f7813ab3e5b7350d269446298291a2722bdf65f705c749725c11fc2a5

      SHA512

      631307a706880c9fa87dc676169f6130c8150d266823dd7e446a29ea0726b9c81d1944f2cbdb3421b81a7770be90231dbc766aaa3d2cec16265c6f8249f47580

      Download Submit

    • C:\Windows\2KbCtAsLRoi.sys
      Filesize

      165KB

      MD5

      23d9779ad77df5bd01796cfa5bee2808

      SHA1

      b3de4b2e262215618afd0f97b1ea88a13e7c89b6

      SHA256

      b628ddf5204961e6f076f0cc6cedeba1e9bb1b0bb4e67d864acb7bec5492e341

      SHA512

      637c9530db131399a71f139d7eb299c2996a6e6b7efc4318b2c5046e51a621694673e5ac1fcbf825c2c70db2bad43dcc08797597fae7d498f12183e3159af93b

      Download Submit

    • C:\Windows\7l0H28ABfv.sys
      Filesize

      165KB

      MD5

      a9147d9136c83671340463124184052c

      SHA1

      e6cb150312bc325ff89030b75ba9c5da9bd24760

      SHA256

      ca5e6188650898e3481ba599a737bb8bf3ad23e2bfffb15a34e55b5fc3e36188

      SHA512

      9aa4f70a8399a9e56ceedf418e77d1cc731a05fa53d25667604f11500211c643486ceb79b6f8ddcda52955d7da0083838d103992ae77770695aba1b7eb2cd009

      Download Submit

    • C:\Windows\ITDXVDtKLV3pFw.sys
      Filesize

      165KB

      MD5

      240fe254754a2fe23cfb1dfb7ab292d9

      SHA1

      dd4945ee3955c1bb1e2a54aa13a235b41ffae57a

      SHA256

      466fdedb0a54e3502f3d1a8cac0646729c55f17a808fcfb51c8cb489012fa978

      SHA512

      5a418e34ba794c11203a174e47f1a822b42efd452d3bcf1a6e656f6b970a08f1e4b42d1aab08866f5b08348114343803a8baa47946d725bfdde069757099a739

      Download Submit

    • C:\Windows\NCSBDerxVyp2g.sys
      Filesize

      165KB

      MD5

      275f6a2f91c52c28b8a9b7ea5830d2da

      SHA1

      466e7d15b447c07260ea89cd7c3b3095f37c22d3

      SHA256

      ea7e5cd23731b093722555d9d351dfe9adf4084612d26fc5319cc7dfe9dda25e

      SHA512

      4096662d5ad5e937a4db959517c64d1695485b4dcae9027cf1c1841b5cc93be96d37bd22dea8a61b14d729c35d68505fd2e857c17fbd9bd0f7996c8c40261d0e

      Download Submit

    • memory/340-314-0x000002561B1D0000-0x000002561B1D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/340-321-0x000002561B090000-0x000002561B1B3000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/340-313-0x000002561B090000-0x000002561B1B3000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/340-316-0x000002561B1E0000-0x000002561B1E4000-memory.dmp

      Filesize

      16KB

      Download

    • memory/624-58-0x0000024779C80000-0x0000024779C81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/624-18-0x0000024779C80000-0x0000024779C81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/624-15-0x0000024779C30000-0x0000024779C33000-memory.dmp

      Filesize

      12KB

      Download

    • memory/624-17-0x0000024779C40000-0x0000024779C68000-memory.dmp

      Filesize

      160KB

      Download

    • memory/3208-312-0x0000000007C60000-0x0000000007C61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3208-311-0x0000000002CD0000-0x0000000002CD3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3208-315-0x0000000008340000-0x0000000008341000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3208-52-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3208-0-0x0000000002C80000-0x0000000002C83000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3208-317-0x0000000008B30000-0x0000000008C53000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3208-318-0x0000000008CF0000-0x0000000008CF4000-memory.dmp

      Filesize

      16KB

      Download

    • memory/3208-48-0x0000000008240000-0x0000000008337000-memory.dmp

      Filesize

      988KB

      Download

    • memory/3208-307-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3208-64-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3208-303-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3208-322-0x0000000008B30000-0x0000000008C53000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3208-286-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3208-4-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3208-3-0x0000000008240000-0x0000000008337000-memory.dmp

      Filesize

      988KB

      Download

    • memory/3208-1-0x0000000002C80000-0x0000000002C83000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4332-47-0x000001CE7F880000-0x000001CE7F881000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-104-0x000001CE021D0000-0x000001CE021D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-103-0x000001CE023B0000-0x000001CE02575000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4332-109-0x000001CE033D0000-0x000001CE034F3000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4332-73-0x000001CE02330000-0x000001CE02331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-74-0x000001CE7F8A0000-0x000001CE7F8A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-71-0x000001CE7F8B0000-0x000001CE7F8B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-62-0x000001CE022D0000-0x000001CE022D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-66-0x000001CE7F880000-0x000001CE7F881000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-67-0x000001CE7F890000-0x000001CE7F891000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-304-0x000001CE04440000-0x000001CE04441000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-61-0x000001CE033D0000-0x000001CE034F3000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4332-59-0x000001CE023B0000-0x000001CE02575000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4332-310-0x000001CE04440000-0x000001CE04441000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-57-0x000001CE7F230000-0x000001CE7F231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-53-0x000001CE7F120000-0x000001CE7F1EB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/4332-51-0x000001CE7F8A0000-0x000001CE7F8A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-50-0x000001CE7F8B0000-0x000001CE7F8B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-49-0x000001CE7F890000-0x000001CE7F891000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-46-0x00007FF9D37D0000-0x00007FF9D37E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4332-9-0x000001CE7F120000-0x000001CE7F1EB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/4332-319-0x000001CE036D0000-0x000001CE036D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-320-0x000001CE04430000-0x000001CE04431000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-12-0x00007FF9D37D0000-0x00007FF9D37E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4332-13-0x000001CE7F230000-0x000001CE7F231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4332-10-0x000001CE7F120000-0x000001CE7F1EB000-memory.dmp

      Filesize

      812KB

      Download