Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

0b0856fc81...8c.exe

windows7-x64

7

0b0856fc81...8c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 06:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b0856fc81c2a96349eeca0293cc478c.exe

  • Size

    288KB

  • MD5

    0b0856fc81c2a96349eeca0293cc478c

  • SHA1

    a7e21b0a6b3ee68cd7047db2e5fb2b905ab12c30

  • SHA256

    a213a6237dad3d929c49cc539cd20c5c377858d6e023e2465436b68f532c799a

  • SHA512

    a2debf4589e4c217b89fab45bd5d5fe57e63c6c4cd01da60c0dfec86f16164cd2494f668f59e2f08638fb3b1ba6cc1d5ac71833564213fabb113b7da0ce8ea4d

  • SSDEEP

    3072:u0Kj5IquTkIpR7XkL4U+7cAAUxuzVQkZVJZDFFWTWodteRzRLd59xyLejRIa:B+DI/KH+tBkZbZDfme9LMI

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 20 IoCs
  • Drops file in System32 directory 32 IoCs
  • Suspicious use of SetThreadContext 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b0856fc81c2a96349eeca0293cc478c.exe
    "C:\Users\Admin\AppData\Local\Temp\0b0856fc81c2a96349eeca0293cc478c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Users\Admin\AppData\Local\Temp\0b0856fc81c2a96349eeca0293cc478c.exe
      "C:\Users\Admin\AppData\Local\Temp\0b0856fc81c2a96349eeca0293cc478c.exe" c:\users\admin\appdata\local\temp\Program.exe
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1188
  • C:\Windows\SysWOW64\WinSec.exe
    C:\Windows\system32\WinSec.exe 1004 "C:\Users\Admin\AppData\Local\Temp\0b0856fc81c2a96349eeca0293cc478c.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4204
    • C:\Windows\SysWOW64\WinSec.exe
      "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\SysWOW64\WinSec.exe
        C:\Windows\system32\WinSec.exe 1148 "C:\Windows\SysWOW64\WinSec.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3592
        • C:\Windows\SysWOW64\WinSec.exe
          "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:3300
          • C:\Windows\SysWOW64\WinSec.exe
            C:\Windows\system32\WinSec.exe 1120 "C:\Windows\SysWOW64\WinSec.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4540
            • C:\Windows\SysWOW64\WinSec.exe
              "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:4360
              • C:\Windows\SysWOW64\WinSec.exe
                C:\Windows\system32\WinSec.exe 1120 "C:\Windows\SysWOW64\WinSec.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3764
  • C:\Windows\SysWOW64\WinSec.exe
    "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4460
    • C:\Windows\SysWOW64\WinSec.exe
      C:\Windows\system32\WinSec.exe 1120 "C:\Windows\SysWOW64\WinSec.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Windows\SysWOW64\WinSec.exe
        "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:3576
        • C:\Windows\SysWOW64\WinSec.exe
          C:\Windows\system32\WinSec.exe 1120 "C:\Windows\SysWOW64\WinSec.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3860
          • C:\Windows\SysWOW64\WinSec.exe
            "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            PID:4904
            • C:\Windows\SysWOW64\WinSec.exe
              C:\Windows\system32\WinSec.exe 1120 "C:\Windows\SysWOW64\WinSec.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2112
  • C:\Windows\SysWOW64\WinSec.exe
    "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:1432
    • C:\Windows\SysWOW64\WinSec.exe
      C:\Windows\system32\WinSec.exe 1116 "C:\Windows\SysWOW64\WinSec.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1056
  • C:\Windows\SysWOW64\WinSec.exe
    "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:432
    • C:\Windows\SysWOW64\WinSec.exe
      C:\Windows\system32\WinSec.exe 1120 "C:\Windows\SysWOW64\WinSec.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:232
      • C:\Windows\SysWOW64\WinSec.exe
        "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:1660
        • C:\Windows\SysWOW64\WinSec.exe
          C:\Windows\system32\WinSec.exe 1112 "C:\Windows\SysWOW64\WinSec.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4944
  • C:\Windows\SysWOW64\WinSec.exe
    "C:\Windows\SysWOW64\WinSec.exe" c:\users\admin\appdata\local\temp\Program.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:3572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\WinSec.exe
    Filesize

    93KB

    MD5

    024b929413875d51c1a2bea91171a3ff

    SHA1

    2f06085e38ff31f87c272bb376268f4f3f2fe247

    SHA256

    177573f59407151b301ee26218864ce77e882056b514223c8f98f88105ab15d0

    SHA512

    91a1471288d75548476a16a65224fb9543191e58e00e4ef7bc211b8d33ebffdc22baaaff4fd760ba078a36fe7cac39933c20ca9e262d227d928b2bc086706b48

    Download Submit

  • C:\Windows\SysWOW64\WinSec.exe
    Filesize

    288KB

    MD5

    0b0856fc81c2a96349eeca0293cc478c

    SHA1

    a7e21b0a6b3ee68cd7047db2e5fb2b905ab12c30

    SHA256

    a213a6237dad3d929c49cc539cd20c5c377858d6e023e2465436b68f532c799a

    SHA512

    a2debf4589e4c217b89fab45bd5d5fe57e63c6c4cd01da60c0dfec86f16164cd2494f668f59e2f08638fb3b1ba6cc1d5ac71833564213fabb113b7da0ce8ea4d

    Download Submit

  • C:\Windows\SysWOW64\WinSec.exe
    Filesize

    92KB

    MD5

    45a757e0c611751d9c8d8e7e8f69eb6f

    SHA1

    9e406e5e4448a405cde1f8ac2275d9ca2874c65d

    SHA256

    7193f41f2d901b362b41cd42e7ce7104632126b91aff69bfefe05a2ce3b712ab

    SHA512

    7fbc29a68edc23ea8b99922526ebc26dd9d108eb681529a55a69c29b6b2fe0e7182ae934910ff9f176e4ab96fde614eff01d81c7749077abb1944cb7974490e2

    Download Submit

  • C:\Windows\SysWOW64\WinSec.exe
    Filesize

    239KB

    MD5

    580bc449c9d52ce5f1fd7887e1ce31b6

    SHA1

    b194cfc1bd48f34863734936dc423ac1fe5f08da

    SHA256

    7270cdd3a0081ba4918fd8f53e26a2ef3be01d9574658d6960acc74098018a91

    SHA512

    7291e2db8f54a9b678327d11f2d605d30955b611095bcffa8ff5cdf2be2212bd1e5d965adb39529e3c62bb9c5c09c4a9662ff43de1fd6500793ccae9de0d1bad

    Download Submit

  • C:\Windows\SysWOW64\test.htm
    Filesize

    3B

    MD5

    6057f13c496ecf7fd777ceb9e79ae285

    SHA1

    7f550a9f4c44173a37664d938f1355f0f92a47a7

    SHA256

    fa690b82061edfd2852629aeba8a8977b57e40fcb77d1a7a28b26cba62591204

    SHA512

    0601d109d0d2b0fa9c4484b4a5c94ee5ecc62ccec3bd7d99e972d18994d0e2e42f6d0fcfc41216a5ab72ee7af96d213e1c314abdde40f52731ff24c2bf8f7323

    Download Submit

  • memory/232-158-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/432-146-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/432-143-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1056-142-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1188-30-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1188-11-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1188-9-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1188-7-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1432-130-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1432-127-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1660-162-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1660-159-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2112-126-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2240-94-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3004-32-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3004-29-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3300-49-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3300-46-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3572-175-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3572-178-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3576-95-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3576-98-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3592-34-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3592-45-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3764-78-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3860-110-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4204-28-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4360-66-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/4360-63-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/4460-82-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/4460-79-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/4540-62-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4540-51-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4696-0-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4696-10-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4904-114-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/4904-111-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/4944-174-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download