Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2023, 00:23

General

  • Target

    462507f254269c493bba5d6b953b6117.exe

  • Size

    456KB

  • MD5

    462507f254269c493bba5d6b953b6117

  • SHA1

    05a2ea36621beff172e1db99594dec2b679ea8a9

  • SHA256

    7b9a2506298ce1632a7f3233d5d83d22b89a257715204b1e64bfdf61784751c9

  • SHA512

    968722ed35e4ab6742e0de6f44407636750968a65d62ec8f88242b84eeb6dcc4204500608d05fafbb6f520623730282418aa14eff2f20cbc66a68ce38fd9bfb8

  • SSDEEP

    12288:z4ik34n1GxipPy4ZNj2mOb/DNlq41TzXe9Yv:z4ik34n15iN/5lq41Tzuq

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 52 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\462507f254269c493bba5d6b953b6117.exe
    "C:\Users\Admin\AppData\Local\Temp\462507f254269c493bba5d6b953b6117.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\u8kSVi.exe
      C:\Users\Admin\u8kSVi.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del u8kSVi.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5116
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:760
      • C:\Users\Admin\muabae.exe
        "C:\Users\Admin\muabae.exe"
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1352
    • C:\Users\Admin\dlay.exe
      C:\Users\Admin\dlay.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2724
    • C:\Users\Admin\alay.exe
      C:\Users\Admin\alay.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:636
    • C:\Users\Admin\flay.exe
      C:\Users\Admin\flay.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4152
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        PID:3816
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del 462507f254269c493bba5d6b953b6117.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1772
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1492
    • C:\Users\Admin\alay.exe
      "C:\Users\Admin\alay.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:888

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\flay.exe

      Filesize

      264KB

      MD5

      9b3122a0ed7ec1eb344be414036da288

      SHA1

      cf6a4651b24fc71db61e1870a360c3fa7d67c1ca

      SHA256

      ca0ae1bd6a5328945c7805621a2efe10840b3023f70e180750ed0f9f87cc7df7

      SHA512

      f57046121b54c8abd81bade8c2989530ac604e128c826397df63680fc7d8bc22715408613119bfa11920e736a7185950adf3d6c769df3f9b389d1020b22959e4

    • C:\Users\Admin\muabae.exe

      Filesize

      248KB

      MD5

      6db55c3ba8df8277df716c0835a42f22

      SHA1

      edc67cddd103f225cf48dc6861490d647ad0594c

      SHA256

      e42eb0f62db757e26a2da73e86d0557de6d4b21d8ca4c499ad3496bd0abf4bca

      SHA512

      c233ba8da0dde812da78bcb8b185d786a6760b4992516b42b5f2758d8a2a429122315b7a0deb410b76fa854c4d20b2162ad9b1985aa0726e7ee727f87a019449

    • C:\Users\Admin\muabae.exe

      Filesize

      92KB

      MD5

      9f850f4e82bef45fea9483e1e868dca1

      SHA1

      bd6d9fa85598f1d67f2ca86fea26f6e2c03f16e0

      SHA256

      4963febf705be29dd5bb96b23c9ce8ce07ca8d62f2af5ca7df90f1f60c5b01a3

      SHA512

      63361a2bdb30fe45cd9d440feda69c729394e5a25e23be052863bc002d65787bf1b770f3e070d08db7b1d22353be15ea8db7b78384ed7a9bd8088c34fd6ccb05

    • C:\Users\Admin\u8kSVi.exe

      Filesize

      248KB

      MD5

      76a6dee598367ca2ce4e90457622eb62

      SHA1

      067b85364f34f26292739ea3c04706335c7a9ee4

      SHA256

      2bae3eab43e8f1761f7aa29d259d9966bc8d8f19303a53f57b7d1d4e9b11929d

      SHA512

      8125d4643b0cb63496eae85fae0907bb36c82100fd35af76dadb787b82af7d4014f071e63e2bf07021145786e11a64662693c0502cc2ba6df31a4be917c0474f

    • C:\Users\Admin\u8kSVi.exe

      Filesize

      92KB

      MD5

      911d9773771430d57a8a2f4044a57d8b

      SHA1

      3cc990ffe0ae1f6d4bb85c44c1a5a706ced6cecf

      SHA256

      2d63355a3f1fdfa6c0aef1d69c9284eb240ab57350920d0b937b2b85e0d5b495

      SHA512

      70f36df90e4a47d541d56a1ba05af0ec8d310188247ba445a1a9fe99da8530f5ec14e6d2fba26d3badc43c0e5ee4b2fde9f85d62ba020f39d440ddc033370bb9

    • memory/888-47-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/888-50-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/888-51-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/888-53-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/4152-75-0x0000000002510000-0x0000000002511000-memory.dmp

      Filesize

      4KB

    • memory/4152-76-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

    • memory/4152-77-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

    • memory/4152-78-0x0000000002860000-0x00000000028C6000-memory.dmp

      Filesize

      408KB

    • memory/4152-79-0x0000000002D50000-0x0000000002D51000-memory.dmp

      Filesize

      4KB

    • memory/4152-80-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

    • memory/4152-82-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

    • memory/4152-83-0x0000000002860000-0x00000000028C6000-memory.dmp

      Filesize

      408KB