Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

3f68ee50da...fb.exe

windows7-x64

10

3f68ee50da...fb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f68ee50da0edb5ed82899a9702060fb.exe

  • Size

    151KB

  • MD5

    3f68ee50da0edb5ed82899a9702060fb

  • SHA1

    a2d0559f22acccda76da1729153b34d4e4760378

  • SHA256

    49a0a3da37167bdd598d738e5fd3b1391bbe00b803cf3fc6ab126b42e3047013

  • SHA512

    8b854ab64be33cdba75a2ba32ca61519a03f4f05cb6315e9ed4fc46eaf546cd0f4c9e78e78ab665a462f74e09323bb9fd2f77b25a0baaf6f86c0a129d7ab7999

  • SSDEEP

    1536:uS6dkGduQeZyeuMAkByMeXEj4Zi6QC0zBV4yh1+Q1stZe0hI6PkIM7bfyqS52M9w:UkGkwepzcw1V4a+Zw4IBNGqSdm

Score
10/10
evasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f68ee50da0edb5ed82899a9702060fb.exe
    "C:\Users\Admin\AppData\Local\Temp\3f68ee50da0edb5ed82899a9702060fb.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Enumerates connected drives
    • Drops autorun.inf file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 312
      2⤵
      • Program crash
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\autorun.inf
    Filesize

    126B

    MD5

    163e20cbccefcdd42f46e43a94173c46

    SHA1

    4c7b5048e8608e2a75799e00ecf1bbb4773279ae

    SHA256

    7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

    SHA512

    e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

    Download Submit

  • C:\zPharaoh.exe
    Filesize

    152KB

    MD5

    321c9c92901c2892772e4c08dbbc7dbf

    SHA1

    eb0a7f88f7085de61433326f5606595d90c2c44a

    SHA256

    b6bd1cb2c442122d19fe9e2d0604c1030296496fe15aecc42c49e96a36bd9efc

    SHA512

    c2ee1ebd97d33ec12a77944966b08d51710d6cddbe857d3223a258c43c2cf7f6d409fd9aff6f9d483308c8e0bf512c038aaeb0ada31cbf60a84840ef21845771

    Download Submit

  • F:\zPharaoh.exe
    Filesize

    152KB

    MD5

    dfe5d2e042226af576fcd911a66dd46c

    SHA1

    c2b6652871bb5af0989ac64ee8843eb57f70409d

    SHA256

    b7f3d33dfd613cb48a72603d56658b23aaf09133e066bd8d808735fe6bc6713d

    SHA512

    1e727aaebf07dbff13ab16001f26b6f4460b58a7cf4d9337e3b32eefef4a85371cd653fbe2fd63429d40119567830bc3a869afea8477c94dd6767ab003127ee9

    Download Submit

  • memory/3048-0-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download