Analysis

  • max time kernel
    1s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2023, 14:42

General

  • Target

    766ee6dc582d9b2d41a71682c0c1110b.exe

  • Size

    260KB

  • MD5

    766ee6dc582d9b2d41a71682c0c1110b

  • SHA1

    e0bbf07fffe3c335379b2e2c4b8c775bd9862216

  • SHA256

    774cce6d84e36ac0686ecddd48aea659b701d44d24ed0b1d9e5eb1d900832d2d

  • SHA512

    117ee59dada19fb95d097103d315658b71246f2399f0c5ec5e3708363e8976af9f26349fd2400710f85f7e1bf418e452e78ae4d479f1e2c68491122e4e61e334

  • SSDEEP

    6144:D7JyLfvkJAuZ9xqtc6sgjpCr1qT612UEqYcj9ZsaBSEV:D7wfvcAu5qJKETqnY+bs47V

Score
8/10

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\766ee6dc582d9b2d41a71682c0c1110b.exe
    "C:\Users\Admin\AppData\Local\Temp\766ee6dc582d9b2d41a71682c0c1110b.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3596
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\766EE6~1.EXE" > nul
      2⤵
        PID:3536
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe c:\windows\system32\e573b82.dll, Launch
      1⤵
      • Loads dropped DLL
      PID:2372
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "porting"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4956

    Network

    MITRE ATT&CK Enterprise v15
    Downloads

    • C:\Windows\SysWOW64\e573b82.dll

      Filesize

      37KB

      MD5

      0c97c80bbc40fb49ea10ed3559769114

      SHA1

      346d96ebac84ff415c917870304d22e3d67bfe17

      SHA256

      6ebf73782516404e43ac566cdac271a232c2e4c618726bea0f67bc4b9e378ff1

      SHA512

      4a508185a6581d0511c14fdaa615dd172dd8e7d2d778d72e3b65d9fa839d360cb6d23d39fa744c8c7d0daf5d31c49653539a20db801d9a651204d4a6a8241db6

    • C:\Windows\SysWOW64\e573b82.dll

      Filesize

      33KB

      MD5

      564fd6a9d402344ef7471562ffd85ac1

      SHA1

      9943ab194bef43462079c64efb422935a035d0d2

      SHA256

      b06806a82360ba94ee11b5f3b55911640d9ea7847c7e5c588fec49e9c247a050

      SHA512

      1e68734c1c1dbb05680ee9c1df7dd0600354592a1f8ffacef9d5f38beaa5356d0bfbd79f01c00bb24416d0c12d6c9e046f2a9168cfe041d31626e5ac7fbfcac6

    • C:\Windows\SysWOW64\e573b82.dll

      Filesize

      47KB

      MD5

      b85ceab9b66087af489c605cde59c588

      SHA1

      efd3c37ca4dbd3c0e8aa7a71683fad1274e94fe3

      SHA256

      d6b25a7733a90a718e7331fb6c5354765586dc9b5f950d0e38f69b19005d0d7a

      SHA512

      4ef7bc17ab576dbec22b79a6b42338daa44103f25b900dc972d99199467448aaf4c0c50436122224ec8117be2279fb861cd39689b9770fa9b0115f42ee39e085

    • \??\c:\windows\SysWOW64\e573b82.dll

      Filesize

      124KB

      MD5

      c612b4a4914978657dd3c9662aa6b297

      SHA1

      35e422f90ca6d6d6e908ba49b4d47f10a7e50eee

      SHA256

      d8fb05b5ffdf9c1439bb6f098b0eadd254e2cafc9abc1b6ba13888dd00dcca13

      SHA512

      80f9320331e5e9b0d732139e8ff293e89035e702d0c582de619fb908e8b012dc25b2a723a5d8e5d7d275f81350d2e023b938074a7ae6adab3e9a7f1b555252f8

    • memory/3596-9-0x0000000000AE0000-0x0000000000B8B000-memory.dmp

      Filesize

      684KB

    • memory/3596-0-0x0000000000AE0000-0x0000000000B8B000-memory.dmp

      Filesize

      684KB