Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0e2892c5f3...3d.exe

windows7-x64

10

0e2892c5f3...3d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    24/12/2023, 19:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e2892c5f3d3558d6575b729b24caf3d.exe

  • Size

    504KB

  • MD5

    0e2892c5f3d3558d6575b729b24caf3d

  • SHA1

    ec36cbd5cbecdf811ad51eac29d378d9da3d6aae

  • SHA256

    2070bf8a21fe853a0cba4114fcbba960dacf6f694404daaac1ae32f9606af6ca

  • SHA512

    c96561c00a630f88573c6dd4570b047df74529f47e07d02a330cc7f0c9d92f6f6753718d8d9318801e78a8bd908adabbbad71f494d29d55c2d674fbfcf1170ac

  • SSDEEP

    12288:w6+cKLjieaEKyrV8jh9tLI9hBjC9mA/a/hjXgrtxrlYRyHNKr4VrFBKhv7RHKzkm:wIp

Score
10/10
evasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1316
      • C:\Users\Admin\AppData\Local\Temp\0e2892c5f3d3558d6575b729b24caf3d.exe
        "C:\Users\Admin\AppData\Local\Temp\0e2892c5f3d3558d6575b729b24caf3d.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\system32\CMD.exe
          CMD.exe /k start %TEMP%\0.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2208
          • C:\Users\Admin\AppData\Local\Temp\0.exe
            C:\Users\Admin\AppData\Local\Temp\0.exe
            4⤵
            • UAC bypass
            • Windows security bypass
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Maps connected drives based on registry
            • Suspicious use of SetThreadContext
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2800
            • C:\Users\Admin\AppData\Local\Temp\0.exe
              "C:\Users\Admin\AppData\Local\Temp\0.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1712
        • C:\Windows\system32\CMD.exe
          CMD.exe /k start %TEMP%\1.jpg
          3⤵
            PID:2844

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\0.exe
        Filesize

        68KB

        MD5

        edb919688d6206269e4b5b62b50c2752

        SHA1

        09eb33ecb150221478743db193a3b1bcc56062a5

        SHA256

        64331574f2120abeca9a39e9fe49e2165be57f133cd5cfae3ee6a25ab2776bb1

        SHA512

        2b05afb72b98d60d9466539e6bead2c32612a9102ef3203eabad3529ad2f7caeb4d7e38d5608f7acfb64a069577c513e314905bea15e7fa7551aeaa11fe0339b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\0.exe
        Filesize

        111KB

        MD5

        bd1b6f19ab9d41eee1fe1307c52257ba

        SHA1

        fbbe386e2b923b7e2fb33b827f3e7b6b2edc9571

        SHA256

        34baea581fa95c84593fb1e7e814f3791ce26176129a8b63419b54ccb126c221

        SHA512

        e162b01bb2e67727e33432bf3e8ed0fed3fa24b022a9a5501a20e82da6f3641d2d64956fbbea3e67a4276131d68075b91604d8fe1ba88fb0fe680b994689a5f9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\0.exe
        Filesize

        88KB

        MD5

        6542a2d62fa284535133408d45603f3e

        SHA1

        d1ca66451ab4eba036a20a542938890b178f6a2f

        SHA256

        ea57a655a70a8b65e6db63e985ab703e74294e63df9f0790ef762a539ec7ff47

        SHA512

        dded096195638ee566615f1cf39428702a3e158c1cbb18ddcc989c3f0c29914d163450f615173cc716d305ed9193f77589c7efd0e4948c61026c25dee26fdc99

        Download Submit

      • \Users\Admin\AppData\Local\Temp\0.exe
        Filesize

        87KB

        MD5

        0a6834800a333bc5780eefe126621cf4

        SHA1

        4f82f438dde1d2adb1becaa0c79ca6a85da1fbc3

        SHA256

        70159c0185b7bcef6a29f985e68b8c96b5844f4d081ffe433ee799aa45bdbadc

        SHA512

        0ecce4d2af6122dbbec3131a2d10aec7ca62dc8b634abbdd2d214295315bc29918c7f3a007ecaca1b346b871011737ac1d24402aa3903e1c0b463869f9e935be

        Download Submit

      • memory/1316-75-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1316-71-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

        Filesize

        28KB

        Download

      • memory/1712-70-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/1712-69-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/1712-67-0x0000000000400000-0x00000000004083A0-memory.dmp

        Filesize

        32KB

        Download

      • memory/1712-65-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/1712-74-0x0000000010000000-0x0000000010012000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1712-85-0x0000000000400000-0x00000000004083A0-memory.dmp

        Filesize

        32KB

        Download

      • memory/2652-3-0x0000000000A40000-0x0000000000AC0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2652-4-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2652-2-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2652-9-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2844-60-0x0000000000580000-0x0000000000590000-memory.dmp

        Filesize

        64KB

        Download