Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

0dbae335ce...bc.exe

windows7-x64

7

0dbae335ce...bc.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    86s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 07:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0dbae335cec36530adfeedf92be6bcbc.exe

  • Size

    184KB

  • MD5

    0dbae335cec36530adfeedf92be6bcbc

  • SHA1

    992aa3f8030e49c173d8e938b7e90389edc446ee

  • SHA256

    2c9cfc5a90131a5ea58a412c4f58994f739110f041325cfed3a80d482f5345fa

  • SHA512

    8a17300468ce35beae3de2448e99b8d83310d64be14d12a2deb58a2d26275e5ca416c76eb81b695927d71fd0b36a3e49a44a6a0d67b33fc9c743b8e65d1b1e99

  • SSDEEP

    3072:1YeYFacsza2Pgl+AHcz+z85Z0Lp5+Bh+pMo0y7yxLyBIjXAGqC:1YepGQgsBK85Z0LpYBhIExLIC

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Unexpected DNS network traffic destination 16 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0dbae335cec36530adfeedf92be6bcbc.exe
    "C:\Users\Admin\AppData\Local\Temp\0dbae335cec36530adfeedf92be6bcbc.exe"
    1⤵
    • Registers COM server for autorun
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Deletes itself
      PID:2640
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1380
  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:480

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \systemroot\Installer\{db46509d-5d12-1bd0-d886-080973d781e7}\@
    Filesize

    2KB

    MD5

    da7cbac35edf7d4ed2786efa75091076

    SHA1

    3fcc4c6e602ee965ece471f6bc41be92f3ef6db4

    SHA256

    0633a273c6c6130a6762f98f25b1967457f9ecc850109a8cd8c14ea90ea0be86

    SHA512

    40fcf386bc6e428e5aa20ca4de180f11b669d6983d970aba0810e9de111f82bc737c03d3135366068aba1d2d4dab195cabacaaa0b8ca36082f2cf6dc506e64bc

    Download Submit

  • memory/480-25-0x0000000000120000-0x000000000012C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/480-31-0x0000000002EB0000-0x0000000002EBC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/480-39-0x0000000000130000-0x000000000013C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/480-37-0x0000000002EB0000-0x0000000002EBC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/480-29-0x0000000000120000-0x000000000012C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/480-33-0x0000000000130000-0x000000000013C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/480-30-0x0000000000130000-0x000000000013C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1380-16-0x0000000002EB0000-0x0000000002EBC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1380-17-0x0000000002EB0000-0x0000000002EBC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1380-15-0x0000000002E80000-0x0000000002E88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1380-10-0x0000000002EA0000-0x0000000002EAC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1380-6-0x0000000002EA0000-0x0000000002EAC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1380-3-0x00000000004D0000-0x00000000005D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1380-14-0x0000000002EA0000-0x0000000002EAC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2552-1-0x0000000000400000-0x0000000000431000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2552-2-0x00000000004D0000-0x00000000005D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2552-34-0x0000000000400000-0x0000000000431000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2552-35-0x00000000004D0000-0x00000000005D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2552-38-0x0000000000400000-0x0000000000431000-memory.dmp

    Filesize

    196KB

    Download