Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

101a1f29a5...b6.exe

windows7-x64

7

101a1f29a5...b6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2023, 20:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    101a1f29a5090087fe35a759eb7c94b6.exe

  • Size

    14.9MB

  • MD5

    101a1f29a5090087fe35a759eb7c94b6

  • SHA1

    45f7cc9f39e22a6cc37fad0b8480692bf4124c36

  • SHA256

    2f376a89c28d4002957d19e1a5945724ccc842c0b9d3fa619f42657ffc910fa6

  • SHA512

    fa2f942e733fce3b7861fff2d07cec01105a5ddf53fba9498aa385217e060ba87cb87159469aa66e68d86470223f99f97b4483ad368d08fb587af8e06ed6410a

  • SSDEEP

    393216:8RjeAy6tGbfjw3r+2S7avZ1vRK49ECOQIMnc:wLtGSaL7arj9EWIuc

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\101a1f29a5090087fe35a759eb7c94b6.exe
    "C:\Users\Admin\AppData\Local\Temp\101a1f29a5090087fe35a759eb7c94b6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4172
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "setup.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3912
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist_x64.exe
        vcredist_x64.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:624
        • C:\Windows\Temp\{6D3BED0F-1583-4B03-B2FA-C32CDF5B6050}\.cr\vcredist_x64.exe
          "C:\Windows\Temp\{6D3BED0F-1583-4B03-B2FA-C32CDF5B6050}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist_x64.exe" -burn.filehandle.attached=552 -burn.filehandle.self=564
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2424

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.bat
    Filesize

    37B

    MD5

    ee5b968cbf9dd2ca42239b02acbc2db7

    SHA1

    985e71cc0b32a6b6288ddd04bda7f69b0ba4e0cd

    SHA256

    3453ba6b867ab90d8ca0b07150742bad54f4b99a2e0c7b540ce75f9d6ba993a8

    SHA512

    b3c6317e760b1a62a1564bf78d72985cb0ba0b19a243ff0777c4e72f66c2f2c90538b75b183f68806d7fd6d259935de2598cbee41070d4d6f3d86ea552671694

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist_x64.exe
    Filesize

    13KB

    MD5

    34342ca7400e67066ef53047a8b3d057

    SHA1

    b19eff8ddcb980b8df51daca5b51a6951605b528

    SHA256

    9e7548ef95d88b0317505317f77c0336fd25756b85dc5e3c1319e3a0550db13d

    SHA512

    222bdca63f140476d33b1b1fde742a87e59d90e7db5e2f09e6fa2fcbe10235eef08c11847c496a907e0af9cd16c58ca615edef61e08625d2183488fecfeb0584

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist_x64.exe
    Filesize

    83KB

    MD5

    b6cf0f08a7c84d953d43e1f6066dc344

    SHA1

    220167b2a8bcd64b772ac957ab975788f92f12ba

    SHA256

    aabfeb3bee50b9f5175bd3c6a796bc1b992e00eea77321f81a031350e81d4a0c

    SHA512

    d3139d7d3f176b42427b80a4667187e3e9312bef81a580fb7ca39558af951d9f04e1a646ee59b3b1a2918f2fa24a095913723d8479bb409940ed2bf186af225b

    Download Submit

  • C:\Windows\Temp\{6D3BED0F-1583-4B03-B2FA-C32CDF5B6050}\.cr\vcredist_x64.exe
    Filesize

    10KB

    MD5

    1637377163637f81780099162ec13565

    SHA1

    15e0bf8c584e96ec7267a8612873f3340b372ccb

    SHA256

    74358a02aa6f2542115dffac04cc2cc1d2805751b9f8a37028edd963fc58e2a9

    SHA512

    28e892d64e411ecc50f00262bf3b913ce6241078c47d2b318d9375fe47cb3ebd99c26ef80c129359ee0f377417ad80cde5de45dc3440eb2ae4e4660baaedecf5

    Download Submit

  • C:\Windows\Temp\{6D3BED0F-1583-4B03-B2FA-C32CDF5B6050}\.cr\vcredist_x64.exe
    Filesize

    73KB

    MD5

    d719841fc2471d6065a55b88f56ec68b

    SHA1

    49f23187282b0ef6b7c2248169e17083b35a3648

    SHA256

    b2e096d873e31acf9f82a655999941bf4175d7a7461cac1d4e7a32548e7260a2

    SHA512

    9c071eb56660701c3cdf71ef9dcb16dfb42bf6f1d2121a02430f3a8cb87baf220f3bcb1eccc45502bad183460472dd98036833545e3ccca4fde1b8a63f4de812

    Download Submit

  • C:\Windows\Temp\{852E1C61-2F14-4219-A31A-29D3994353C3}\.ba\logo.png
    Filesize

    1KB

    MD5

    d6bd210f227442b3362493d046cea233

    SHA1

    ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

    SHA256

    335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

    SHA512

    464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

    Download Submit

  • C:\Windows\Temp\{852E1C61-2F14-4219-A31A-29D3994353C3}\.ba\wixstdba.dll
    Filesize

    37KB

    MD5

    787c9c04b02e02d57db54afb33f93b5c

    SHA1

    01baa85a35dc7699ee97df666ba54f17459fdc31

    SHA256

    1eed383d87e3d2bfa0319f1df01fb22877a206b14b424cdbf452a0fe5024ad93

    SHA512

    682d0c1b0d8aecb6059c7c1bc52be11acd45615b72db35186dab9cfe4fef367fef11e70cf919ceca46dda75998df54127ccf1386b8da49ab6a60510d21e601eb

    Download Submit