Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2018dd2157...53.exe

windows7-x64

10

2018dd2157...53.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 12:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2018dd2157d9dcdefeadf3d9d8acc853.exe

  • Size

    157KB

  • MD5

    2018dd2157d9dcdefeadf3d9d8acc853

  • SHA1

    d0551d394beb5cb762e54a8d2864fe11e3d7d4a9

  • SHA256

    8fc81ee53904ca3ceadc40f2dbb7b2d0cfc926b0408d06effcd53b30a3711aba

  • SHA512

    2c9ec5ca045b2886126286e28f5d0bf1cf725f3e5e440830b44056de68248cfdb79eb70aa6bfdc20a0a65946355fe583039cb0c3a73fdaddb433a0272e4f77ae

  • SSDEEP

    1536:+atKGMfWqzs7hWvNljt7XdzchJzpVzNsysqwhqYKGQuObviT+DkNBvd7ZqrKC8ti:+ewfWqA7kvN5phKDBKyugwfNv1bfMiu

Score
10/10
evasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2018dd2157d9dcdefeadf3d9d8acc853.exe
    "C:\Users\Admin\AppData\Local\Temp\2018dd2157d9dcdefeadf3d9d8acc853.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 544
      2⤵
      • Program crash
      PID:1640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\autorun.inf
    Filesize

    126B

    MD5

    163e20cbccefcdd42f46e43a94173c46

    SHA1

    4c7b5048e8608e2a75799e00ecf1bbb4773279ae

    SHA256

    7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

    SHA512

    e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

    Download Submit

  • C:\zPharaoh.exe
    Filesize

    157KB

    MD5

    c66b3197c2349bcf5f0b7e9eb0c18df4

    SHA1

    20b708ca5d26b53cd85cf2666a07d5a64081d318

    SHA256

    e8d17e84d7d2fcbd86ab85d5b281f9f86a0fe36310f135b0efec6e6b4a1a5906

    SHA512

    216ca0a4fdc0d40a1cef1871e3b3ef4fd236c10221f9d99c0c0a4eaa16a4e869a4b005dc9354dd0565fd52f962679454168dd392eb4aee045379b21a7b99b5db

    Download Submit

  • memory/2472-0-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download