Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

2985538024...6a.exe

windows7-x64

10

2985538024...6a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    0s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 15:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2985538024ccd7fbf883fc62e5f43d6a.exe

  • Size

    512KB

  • MD5

    2985538024ccd7fbf883fc62e5f43d6a

  • SHA1

    dedc59f763fa208e197a649348d5e8f452948be6

  • SHA256

    0f2111fb67cfd68f6993e7132253a9e6544402cc8cb7bf330f5144d7cdf4e9c7

  • SHA512

    ae76771018e130a7275ffe7ebda9913a2ae2b86e899d44605648b4937c12bfbd844b1a29fc713a840396f7abdcb4ca757c54b7950acddb7e8e0af36553beee65

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5x

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2985538024ccd7fbf883fc62e5f43d6a.exe
    "C:\Users\Admin\AppData\Local\Temp\2985538024ccd7fbf883fc62e5f43d6a.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
        PID:1380
      • C:\Windows\SysWOW64\unyvtvzpmcxzz.exe
        unyvtvzpmcxzz.exe
        2⤵
        • Executes dropped EXE
        PID:4708
      • C:\Windows\SysWOW64\qmkshbgh.exe
        qmkshbgh.exe
        2⤵
        • Executes dropped EXE
        PID:4360
      • C:\Windows\SysWOW64\izxullpjzbxcpca.exe
        izxullpjzbxcpca.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1420
      • C:\Windows\SysWOW64\tvloinxpwe.exe
        tvloinxpwe.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4824
    • C:\Windows\SysWOW64\qmkshbgh.exe
      C:\Windows\system32\qmkshbgh.exe
      1⤵
        PID:960

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\izxullpjzbxcpca.exe
        Filesize

        64KB

        MD5

        d76d22b81130bc9206c7c947d7a9ea5e

        SHA1

        5956e88a6ec7949ce5a350e21703307d855f34b1

        SHA256

        b96acd28ea28c51de470bf63ebbc33a346440fe63e236ab9f092e0cb3035b870

        SHA512

        112f4f23127929556f27e12a7979ebd1536af790c92f8ff7870a5b39470bd02d83fbf1697e7ab3eccebd71c44ae7bfbd1dac9c39fefa6e15a488baf840b8aaf1

        Download Submit

      • memory/1380-47-0x00007FFDC4D50000-0x00007FFDC4F45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1380-133-0x00007FFD84DD0000-0x00007FFD84DE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1380-46-0x00007FFDC4D50000-0x00007FFDC4F45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1380-48-0x00007FFDC4D50000-0x00007FFDC4F45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1380-51-0x00007FFDC4D50000-0x00007FFDC4F45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1380-53-0x00007FFDC4D50000-0x00007FFDC4F45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1380-55-0x00007FFDC4D50000-0x00007FFDC4F45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1380-56-0x00007FFD82510000-0x00007FFD82520000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1380-54-0x00007FFDC4D50000-0x00007FFDC4F45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1380-52-0x00007FFDC4D50000-0x00007FFDC4F45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1380-50-0x00007FFD82510000-0x00007FFD82520000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1380-44-0x00007FFD84DD0000-0x00007FFD84DE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1380-39-0x00007FFDC4D50000-0x00007FFDC4F45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1380-131-0x00007FFD84DD0000-0x00007FFD84DE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1380-49-0x00007FFDC4D50000-0x00007FFDC4F45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1380-41-0x00007FFDC4D50000-0x00007FFDC4F45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1380-40-0x00007FFD84DD0000-0x00007FFD84DE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1380-38-0x00007FFD84DD0000-0x00007FFD84DE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1380-37-0x00007FFDC4D50000-0x00007FFDC4F45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1380-36-0x00007FFD84DD0000-0x00007FFD84DE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1380-35-0x00007FFD84DD0000-0x00007FFD84DE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1380-109-0x00007FFDC4D50000-0x00007FFDC4F45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1380-135-0x00007FFDC4D50000-0x00007FFDC4F45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1380-134-0x00007FFD84DD0000-0x00007FFD84DE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1380-45-0x00007FFDC4D50000-0x00007FFDC4F45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1380-132-0x00007FFD84DD0000-0x00007FFD84DE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2864-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download