Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

041a8f8f1b...fc.exe

windows7-x64

10

041a8f8f1b...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2023, 00:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    041a8f8f1bae4decc9d995d124af170a6ff8ecb80a5338fb2421eeac232ae6fc.exe

  • Size

    399KB

  • MD5

    4b24f57f224315d69492a029ed43a92f

  • SHA1

    bc9724527b74aac48a4c94f7ae7c4f83a5ee8c0d

  • SHA256

    041a8f8f1bae4decc9d995d124af170a6ff8ecb80a5338fb2421eeac232ae6fc

  • SHA512

    f9526da1252c24f19159078ca4affb35edbd7d65dbfd1c6cd11d549ff9c22bd8e453f4742a11dc6ad7f6d9845806526898418f7ea13b2b5620f3af4617c91470

  • SSDEEP

    6144:YZmsQhU+bZVx5rLKJzu6gLP44ZwcDy/qF6cEOkCybEaQRXr9HNdvOapLF:8UF30Ngj44ecDyfOkx2LIapLF

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 3 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Users\Admin\AppData\Local\Temp\041a8f8f1bae4decc9d995d124af170a6ff8ecb80a5338fb2421eeac232ae6fc.exe
      "C:\Users\Admin\AppData\Local\Temp\041a8f8f1bae4decc9d995d124af170a6ff8ecb80a5338fb2421eeac232ae6fc.exe"
      2⤵
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\041a8f8f1bae4decc9d995d124af170a6ff8ecb80a5338fb2421eeac232ae6fc.exe"
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          4⤵
          • Delays execution with timeout.exe
          PID:576
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
      • C:\Windows\Help\unregmp2.exe
        "C:\Windows\Help\unregmp2.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2728

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\codfk15[1].exe
      Filesize

      14.1MB

      MD5

      3acf3e8466847b7da3cb2ddd83079c22

      SHA1

      d058f4dcb913025b0a1ef5d9e87266aca62b8c8a

      SHA256

      cb4d779c782c006ed13ba4a4b11aaf31650c46f9ff8abb8771ed6bf1754cc9f1

      SHA512

      425f0516a7d401bd6459383d031b05dc52459e38599cea5afa964772897bc1dbd9ac6fc70fed1cc7b9816e149e26fe8b16cead837bf23a7a595d2e3c11fb9c7f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab5A14.tmp
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar8377.tmp
      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

      Download Submit

    • C:\Windows\Help\unregmp2.exe
      Filesize

      316KB

      MD5

      64b328d52dfc8cda123093e3f6e4c37c

      SHA1

      f68f45b21b911906f3aa982e64504e662a92e5ab

      SHA256

      7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

      SHA512

      e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

      Download Submit

    • \Windows\Help\unregmp2.exe
      Filesize

      316KB

      MD5

      64b328d52dfc8cda123093e3f6e4c37c

      SHA1

      f68f45b21b911906f3aa982e64504e662a92e5ab

      SHA256

      7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

      SHA512

      e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

      Download Submit

    • memory/420-40-0x00000000007E0000-0x00000000007E3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/420-91-0x0000000000870000-0x0000000000898000-memory.dmp

      Filesize

      160KB

      Download

    • memory/420-42-0x0000000000870000-0x0000000000898000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1272-20-0x0000000006B30000-0x0000000006C27000-memory.dmp

      Filesize

      988KB

      Download

    • memory/1272-19-0x0000000006B30000-0x0000000006C27000-memory.dmp

      Filesize

      988KB

      Download

    • memory/1272-103-0x0000000002940000-0x0000000002941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1272-17-0x0000000002980000-0x0000000002983000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1272-68-0x0000000006B30000-0x0000000006C27000-memory.dmp

      Filesize

      988KB

      Download

    • memory/1272-16-0x0000000002980000-0x0000000002983000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2728-31-0x0000000000160000-0x0000000000163000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2728-92-0x00000000003D0000-0x00000000003D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-38-0x000007FEBD660000-0x000007FEBD670000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2728-85-0x0000000001D30000-0x0000000001DFB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2728-86-0x0000000037390000-0x00000000373A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2728-88-0x0000000000870000-0x0000000000898000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2728-89-0x0000000001D30000-0x0000000001DFB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2728-90-0x00000000003D0000-0x00000000003D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-37-0x0000000001D30000-0x0000000001DFB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2728-35-0x0000000001D30000-0x0000000001DFB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2728-93-0x00000000003D0000-0x00000000003D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-94-0x00000000046A0000-0x0000000004865000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2728-98-0x00000000003D0000-0x00000000003D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-97-0x00000000005E0000-0x00000000005E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-95-0x00000000044E0000-0x0000000004603000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2728-26-0x0000000000130000-0x0000000000131000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2728-109-0x00000000046A0000-0x0000000004865000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2728-110-0x00000000044E0000-0x0000000004603000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2728-24-0x0000000000060000-0x0000000000123000-memory.dmp

      Filesize

      780KB

      Download