Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

20833aa528...2e.exe

windows7-x64

6

20833aa528...2e.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 13:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20833aa5282fcaf90991860840e0132e.exe

  • Size

    3.0MB

  • MD5

    20833aa5282fcaf90991860840e0132e

  • SHA1

    ecedaee3b1bab591d56fda784a7e04d897667ba5

  • SHA256

    e43588a87c7f97bf49f18424bd7004c66106250169602d55f48099a0b1b740be

  • SHA512

    03745631207362c9c487bb5c26a662e258a309195f8cf2524b545dd63ae12729db48ab381482b898311c4a3bb6c55ee6003d2bf851a39cb858dc44bf01910c29

  • SSDEEP

    49152:Qpsz6mevZ7dTEUT9tm7+IHed5TGsVZKkuQTCr3k6cesd:Q06TBE4tPfTGOMkue

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20833aa5282fcaf90991860840e0132e.exe
    "C:\Users\Admin\AppData\Local\Temp\20833aa5282fcaf90991860840e0132e.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks.exe /Create /TN "PCMAV" /XML "C:\Users\Admin\AppData\Local\Temp\PCMAV.xml" /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /TN "PCMAV" /XML "C:\Users\Admin\AppData\Local\Temp\PCMAV.xml" /F
        3⤵
        • Creates scheduled task(s)
        PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks.exe /Create /TN "PCMAV" /XML "C:\Users\Admin\AppData\Local\Temp\PCMAV.xml" /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2528
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "PCMAV" /XML "C:\Users\Admin\AppData\Local\Temp\PCMAV.xml" /F
    1⤵
    • Creates scheduled task(s)
    PID:2828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\PCMAV.xml
    Filesize

    1KB

    MD5

    29d09bc5ac45dee5d540a66d846b0855

    SHA1

    4b0a7afd03a9db77428fc385a94f7e2cc85064aa

    SHA256

    e30e591c1f40284b513eeb56c371aab55df76f838d0fef3bc368da6d62680820

    SHA512

    6d013040b73f58beeb39230af5de191ee9c6bae48dea3b22570eae10fe2acc1621b4af788f901e1182678709ceaf01072726490169b7ff9cf4d654a2dc66bb08

    Download Submit

  • memory/2240-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-10-0x0000000000400000-0x0000000000761000-memory.dmp

    Filesize

    3.4MB

    Download