Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

0b0856fc81...8c.exe

windows7-x64

7

0b0856fc81...8c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 06:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b0856fc81c2a96349eeca0293cc478c.exe

  • Size

    288KB

  • MD5

    0b0856fc81c2a96349eeca0293cc478c

  • SHA1

    a7e21b0a6b3ee68cd7047db2e5fb2b905ab12c30

  • SHA256

    a213a6237dad3d929c49cc539cd20c5c377858d6e023e2465436b68f532c799a

  • SHA512

    a2debf4589e4c217b89fab45bd5d5fe57e63c6c4cd01da60c0dfec86f16164cd2494f668f59e2f08638fb3b1ba6cc1d5ac71833564213fabb113b7da0ce8ea4d

  • SSDEEP

    3072:u0Kj5IquTkIpR7XkL4U+7cAAUxuzVQkZVJZDFFWTWodteRzRLd59xyLejRIa:B+DI/KH+tBkZbZDfme9LMI

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 20 IoCs
  • Loads dropped DLL 21 IoCs
  • Drops file in System32 directory 32 IoCs
  • Suspicious use of SetThreadContext 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b0856fc81c2a96349eeca0293cc478c.exe
    "C:\Users\Admin\AppData\Local\Temp\0b0856fc81c2a96349eeca0293cc478c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Users\Admin\AppData\Local\Temp\0b0856fc81c2a96349eeca0293cc478c.exe
      "C:\Users\Admin\AppData\Local\Temp\0b0856fc81c2a96349eeca0293cc478c.exe" c:\users\admin\appdata\local\temp\Program.exe
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\SysWOW64\WinSec.exe
        C:\Windows\system32\WinSec.exe 504 "C:\Users\Admin\AppData\Local\Temp\0b0856fc81c2a96349eeca0293cc478c.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\SysWOW64\WinSec.exe
          "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe0
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2800
          • C:\Windows\SysWOW64\WinSec.exe
            C:\Windows\system32\WinSec.exe 524 "C:\Windows\SysWOW64\WinSec.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:672
            • C:\Windows\SysWOW64\WinSec.exe
              "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:1936
              • C:\Windows\SysWOW64\WinSec.exe
                C:\Windows\system32\WinSec.exe 524 "C:\Windows\SysWOW64\WinSec.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1484
                • C:\Windows\SysWOW64\WinSec.exe
                  "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exem
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:2876
                  • C:\Windows\SysWOW64\WinSec.exe
                    C:\Windows\system32\WinSec.exe 524 "C:\Windows\SysWOW64\WinSec.exe"
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of SetThreadContext
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:2056
                    • C:\Windows\SysWOW64\WinSec.exe
                      "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • Suspicious use of WriteProcessMemory
                      PID:840
                      • C:\Windows\SysWOW64\WinSec.exe
                        C:\Windows\system32\WinSec.exe 532 "C:\Windows\SysWOW64\WinSec.exe"
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Suspicious use of SetThreadContext
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SetWindowsHookEx
                        PID:1464
                        • C:\Windows\SysWOW64\WinSec.exe
                          "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe
                          12⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          PID:1116
                          • C:\Windows\SysWOW64\WinSec.exe
                            C:\Windows\system32\WinSec.exe 524 "C:\Windows\SysWOW64\WinSec.exe"
                            13⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Suspicious use of SetThreadContext
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of SetWindowsHookEx
                            PID:2400
                            • C:\Windows\SysWOW64\WinSec.exe
                              "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe`
                              14⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              PID:2984
                              • C:\Windows\SysWOW64\WinSec.exe
                                C:\Windows\system32\WinSec.exe 528 "C:\Windows\SysWOW64\WinSec.exe"
                                15⤵
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • Suspicious use of SetThreadContext
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of SetWindowsHookEx
                                PID:2372
                                • C:\Windows\SysWOW64\WinSec.exe
                                  "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exeZ
                                  16⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  PID:2776
                                  • C:\Windows\SysWOW64\WinSec.exe
                                    C:\Windows\system32\WinSec.exe 524 "C:\Windows\SysWOW64\WinSec.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Suspicious use of SetThreadContext
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of SetWindowsHookEx
                                    PID:2736
                                    • C:\Windows\SysWOW64\WinSec.exe
                                      "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Drops file in System32 directory
                                      PID:2612
                                      • C:\Windows\SysWOW64\WinSec.exe
                                        C:\Windows\system32\WinSec.exe 524 "C:\Windows\SysWOW64\WinSec.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Suspicious use of SetThreadContext
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of SetWindowsHookEx
                                        PID:2576
                                        • C:\Windows\SysWOW64\WinSec.exe
                                          "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Drops file in System32 directory
                                          PID:2504
                                          • C:\Windows\SysWOW64\WinSec.exe
                                            C:\Windows\system32\WinSec.exe 524 "C:\Windows\SysWOW64\WinSec.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • Suspicious use of SetThreadContext
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of SetWindowsHookEx
                                            PID:1540
                                            • C:\Windows\SysWOW64\WinSec.exe
                                              "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe0
                                              22⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              PID:828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\WinSec.exe
    Filesize

    167KB

    MD5

    bc70a6626e5d7cbb8b7035807d222540

    SHA1

    598581fc3eb10ab87a84353ff578d5e79296e620

    SHA256

    72d0e4f055966a0444cfb872abb76433c24728f8dc501beaf872bc57d2de9f26

    SHA512

    b66e82fa619e6db4bd8d636067a3ab4cbbcca90ab1cec1eb7bd2360e8cba633fe43e3ff9c08a23fa7f52ac22233aefdbf9db1b59438565d6e6ef69229696ebae

    Download Submit

  • C:\Windows\SysWOW64\WinSec.exe
    Filesize

    71KB

    MD5

    bc698fbb1e724decc395a43c2a3fc331

    SHA1

    330c6c62934df8c7d52f6d1142eebc5243b8f24d

    SHA256

    800512482a707eff6e1df8d4e24fad882539078edbc868c32d46a2cccbb3f39f

    SHA512

    8d28c78cf69ed3ae7f03c32ccbb7507427d85d3b86e762914c963e995f0f0f3bd423bc5e5c8c849d3dd7aacf740f37ffed06ab2266083528c4794f93c9af9169

    Download Submit

  • C:\Windows\SysWOW64\test.htm
    Filesize

    3B

    MD5

    6057f13c496ecf7fd777ceb9e79ae285

    SHA1

    7f550a9f4c44173a37664d938f1355f0f92a47a7

    SHA256

    fa690b82061edfd2852629aeba8a8977b57e40fcb77d1a7a28b26cba62591204

    SHA512

    0601d109d0d2b0fa9c4484b4a5c94ee5ecc62ccec3bd7d99e972d18994d0e2e42f6d0fcfc41216a5ab72ee7af96d213e1c314abdde40f52731ff24c2bf8f7323

    Download Submit

  • \Windows\SysWOW64\WinSec.exe
    Filesize

    153KB

    MD5

    ca2d4809a280abdfa50334421861476a

    SHA1

    bed6bf47d8cd523693961500ef86f6c60073629e

    SHA256

    39c21277169f6481db029f69291357dd4b3cbb60346b93c27ddc12c740687e13

    SHA512

    d83b2d129514432e6612c801d08c6ca22c492cf783c52dd134e63126bd62dfef2cf55feda3791f08a98c194ee72bf8069eef5a2d5be0271060fb138d7a604d28

    Download Submit

  • \Windows\SysWOW64\WinSec.exe
    Filesize

    50KB

    MD5

    22d051a26685bae139e98d40cc295c9c

    SHA1

    cb2bfb33e6324a4ae396a1c7ba8830ff06e7ecac

    SHA256

    177ce06d84bd494512b7c44af77b9ab950017355d98d906b07f484a7857f9d94

    SHA512

    76d85efbd5c0d7d5be5ff63e877d6b39cf78eecfcd98861f940a6ef3a051ff8255c21433ea61486c0891feb2cddf3cf89702c932cd969b506152a363d3add507

    Download Submit

  • \Windows\SysWOW64\WinSec.exe
    Filesize

    288KB

    MD5

    0b0856fc81c2a96349eeca0293cc478c

    SHA1

    a7e21b0a6b3ee68cd7047db2e5fb2b905ab12c30

    SHA256

    a213a6237dad3d929c49cc539cd20c5c377858d6e023e2465436b68f532c799a

    SHA512

    a2debf4589e4c217b89fab45bd5d5fe57e63c6c4cd01da60c0dfec86f16164cd2494f668f59e2f08638fb3b1ba6cc1d5ac71833564213fabb113b7da0ce8ea4d

    Download Submit

  • memory/672-88-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/828-325-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/840-153-0x0000000002360000-0x00000000023B0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/840-175-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/840-149-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1116-183-0x0000000002350000-0x00000000023A0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1116-176-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1484-115-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1540-323-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1872-20-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1872-0-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1936-89-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1936-94-0x0000000000950000-0x00000000009A0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1936-91-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1936-90-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2056-147-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2244-46-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2244-11-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2244-7-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2244-32-0x00000000004C0000-0x0000000000510000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2244-21-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2244-19-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2244-17-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2244-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2244-9-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2244-13-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2372-235-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2400-205-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2504-295-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2504-299-0x00000000008B0000-0x0000000000900000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2504-313-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2612-267-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2612-271-0x00000000004C0000-0x0000000000510000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2736-262-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2776-237-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2776-242-0x0000000002490000-0x00000000024E0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2776-266-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2784-43-0x0000000002C40000-0x0000000002C90000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2784-33-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2784-58-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2800-66-0x0000000002430000-0x0000000002480000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2800-59-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2800-60-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2800-61-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2800-65-0x0000000002430000-0x0000000002480000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2876-125-0x0000000002500000-0x0000000002550000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2876-119-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2876-120-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2876-124-0x0000000002500000-0x0000000002550000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2984-212-0x00000000004C0000-0x0000000000510000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2984-207-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2984-222-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download