Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

02e9f7efac...ce.exe

windows7-x64

7

02e9f7efac...ce.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 03:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02e9f7efaccb329cbee9944055f450ce.exe

  • Size

    384KB

  • MD5

    02e9f7efaccb329cbee9944055f450ce

  • SHA1

    3b2db2099ae94a59ba4c7b73fef61e3b7d2b714a

  • SHA256

    32e7c5ef311dfe167dc4d6ac7504414794fe586b09dc4e71bf8b8c0b9e73854e

  • SHA512

    6648d31b7dfdf01f11b90f8c56e1584d2b189d1de1d3d8e964f871d8fb9f87075497bace44d0113d0329dc3ee689376ffa9b0e514c819a24617130bd9328d431

  • SSDEEP

    6144:U8HdNRrsK+rjtphMYgKVIsabPghrNy0v2jzwoR2k5gVvut9E3QyU6:UkdNqKspYFzTgjy0v2jEowwgputWAyU6

Score
7/10
persistenceupx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02e9f7efaccb329cbee9944055f450ce.exe
    "C:\Users\Admin\AppData\Local\Temp\02e9f7efaccb329cbee9944055f450ce.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 680
      2⤵
      • Program crash
      PID:1144
    • C:\nE21703JiPcC21703\nE21703JiPcC21703.exe
      "\nE21703JiPcC21703\nE21703JiPcC21703.exe" "C:\Users\Admin\AppData\Local\Temp\02e9f7efaccb329cbee9944055f450ce.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2156
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 672
        3⤵
        • Program crash
        PID:1292
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4936 -ip 4936
    1⤵
      PID:3080
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2156 -ip 2156
      1⤵
        PID:4476

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\nE21703JiPcC21703\nE21703JiPcC21703
        Filesize

        208B

        MD5

        556625a37537239c6e2d45da6c4180d0

        SHA1

        c61f4242634130addd6284353d8d286bb87ab97a

        SHA256

        81d9d7c125c4e1f440a028811f537834c2ae1023623f09b332a46a24d2e92a66

        SHA512

        ca7d1981746a7846a3731dca4a21783e6a87bc1f49dd6e0bf94e00a05451d53d91ca3c4fe8da2cc6378c512ed3bce3d33baa3bb317a4ec0f941c8c5a60e2574f

        Download Submit

      • C:\nE21703JiPcC21703\nE21703JiPcC21703.exe
        Filesize

        384KB

        MD5

        ba1dd9dab5dcbe2eee77eafd7ae56372

        SHA1

        6848bd6ef9d8cacbc75d383b57ed47bbfa6a1d13

        SHA256

        402cf5a0585d8ed760da27e8cb3568f54640c6c0cf4eb3739f6ceccfb23080f4

        SHA512

        049c7945ed2635ebdcb9f7eb38e643676ca1a82ed906b47b45433028e60c67ebf5df2142cf797d0a34544456f77660f2cd28c4140a12ce912ada454926fd3147

        Download Submit

      • memory/2156-90-0x0000000000400000-0x00000000004C3000-memory.dmp

        Filesize

        780KB

        Download

      • memory/2156-91-0x0000000002100000-0x0000000002101000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2156-177-0x0000000000400000-0x00000000004C3000-memory.dmp

        Filesize

        780KB

        Download

      • memory/4936-0-0x0000000000530000-0x0000000000533000-memory.dmp

        Filesize

        12KB

        Download

      • memory/4936-7-0x0000000002230000-0x0000000002231000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4936-3-0x0000000000400000-0x00000000004C3000-memory.dmp

        Filesize

        780KB

        Download

      • memory/4936-172-0x0000000000400000-0x00000000004C3000-memory.dmp

        Filesize

        780KB

        Download

      • memory/4936-211-0x0000000000400000-0x00000000004C3000-memory.dmp

        Filesize

        780KB

        Download