Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

0a529cf003...26.exe

windows7-x64

10

0a529cf003...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2023, 12:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe

  • Size

    442KB

  • MD5

    373c6219efb1bc65fd477fa1645ca12c

  • SHA1

    aef11fedbb51cb4994c92c83e7bbe7d099fd2f6a

  • SHA256

    0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726

  • SHA512

    cf2f50e84b1f49e032d23027b2b4843bbc592843ef83a2bb0c376e5892d75a24ec8089d1f61a5458bd1ba0cf2782b6ac4557a427cd13e76e7c481b1a973c7346

  • SSDEEP

    6144:OZmsQhU+bZVx5rLKJzu6gLP44Zw4DydqFncEOkCybEaQRXr9HNdvOaXqL:qUF30Ngj44e4DyyOkx2LIaXqL

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 11 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
      • C:\Program Files\dvdupgrd.exe
        "C:\Program Files\dvdupgrd.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2644
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe
        "C:\Users\Admin\AppData\Local\Temp\0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe"
        2⤵
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2192
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\0a529cf0035c3e4d174545dbc4eaa697a64a2298acd902740c91ae26ecb63726.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:288
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:2516

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\dvdupgrd.exe
      Filesize

      25KB

      MD5

      75a9b4172eac01d9648c6d2133af952f

      SHA1

      63c7e1af762d2b584e9cc841e8b0100f2a482b81

      SHA256

      18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

      SHA512

      5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab45E8.tmp
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar6F3C.tmp
      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

      Download Submit

    • \Program Files\dvdupgrd.exe
      Filesize

      25KB

      MD5

      75a9b4172eac01d9648c6d2133af952f

      SHA1

      63c7e1af762d2b584e9cc841e8b0100f2a482b81

      SHA256

      18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

      SHA512

      5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

      Download Submit

    • memory/420-99-0x00000000007F0000-0x0000000000818000-memory.dmp

      Filesize

      160KB

      Download

    • memory/420-42-0x0000000000760000-0x0000000000763000-memory.dmp

      Filesize

      12KB

      Download

    • memory/420-44-0x00000000007F0000-0x0000000000818000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1200-19-0x00000000029B0000-0x00000000029B3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1200-17-0x00000000029B0000-0x00000000029B3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1200-84-0x0000000006C70000-0x0000000006D69000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1200-18-0x00000000029B0000-0x00000000029B3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1200-20-0x0000000006C70000-0x0000000006D69000-memory.dmp

      Filesize

      996KB

      Download

    • memory/1200-21-0x0000000006C70000-0x0000000006D69000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2192-0-0x0000000001150000-0x00000000011C1000-memory.dmp

      Filesize

      452KB

      Download

    • memory/2192-83-0x0000000001150000-0x00000000011C1000-memory.dmp

      Filesize

      452KB

      Download

    • memory/2644-104-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2644-26-0x0000000000060000-0x0000000000061000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2644-40-0x0000000001C80000-0x0000000001D4B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2644-38-0x0000000001C80000-0x0000000001D4B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2644-25-0x0000000000120000-0x00000000001E3000-memory.dmp

      Filesize

      780KB

      Download

    • memory/2644-96-0x00000000007F0000-0x0000000000818000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2644-32-0x0000000000090000-0x0000000000093000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2644-97-0x0000000001C80000-0x0000000001D4B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/2644-98-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2644-39-0x000007FEBE3C0000-0x000007FEBE3D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2644-101-0x0000000001DF0000-0x0000000001E35000-memory.dmp

      Filesize

      276KB

      Download

    • memory/2644-102-0x0000000004600000-0x00000000047C5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2644-103-0x0000000001F50000-0x0000000001F51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2644-94-0x0000000036D50000-0x0000000036D60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2644-105-0x0000000004600000-0x00000000047C5000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2644-108-0x0000000001DF0000-0x0000000001E35000-memory.dmp

      Filesize

      276KB

      Download

    • memory/2644-109-0x0000000004600000-0x00000000047C5000-memory.dmp

      Filesize

      1.8MB

      Download